What Is an Information Security Management System (ISMS)?
An information security management system (ISMS) defines policies and procedures to ensure, manage, control, and continuously improve information security in a company.
A Definition of ISMS
An information security management system defines policies, methods, processes, and tools to ensure sustainable information security in companies and government agencies. This includes the introduction of specific procedures and the implementation of organizational and technical measures that must be continuously controlled, monitored, and improved.
The goal is to ensure, beyond the IT department, an appropriate level of protection for the confidentiality, availability, and integrity of information within the entire organization or the defined scope. Thus, the ISMS provides the basis for systematic implementation of information security within a company and for compliance with security standards. Potential threats relating to information security are identified, analyzed, and mitigated, making them controllable.
What Is Information Security?
The term information security is often used synonymously with IT security, but strictly speaking it goes beyond that. Information security encompasses everything that protects a company’s information assets against threats (e.g., cyberattacks, sabotage, espionage, and natural disasters) and the resulting harm to its business or reputation. Legal regulations such as the German IT Security Act (IT-SiG) or the General Data Protection Regulation (GDPR) require appropriate protective measures for sensitive information, which may be in electronic, written, or printed form.
What Is the Difference between Information Security and IT Security?
Unlike IT security, information security refers not only to the security of the technology used, but also to organizational issues such as access authorizations and responsibilities. Accordingly, information security is not the sole responsibility of the IT department, but must be implemented in all areas of the company, starting with management.
What Are the Protection Goals of Information Security?
According to the international ISO 27000 family of standards, the protection goals of information security comprise three main aspects:
- Confidentiality: Confidential information may only be viewed and disclosed by authorized persons. Access to this information must therefore be appropriately secured. Confidentiality is violated if an attacker is able to eavesdrop on communications, for example.
- Integrity: Information must be protected from undetected manipulation in order to preserve its accuracy and completeness. Integrity is violated if, for example, an attacker is able to modify research data without detection.
- Availability: Information, services, or resources must be available and usable for legitimate users at all times. Availability can be disrupted, for example, by a DDoS attack that deliberately overloads systems.
Other aspects are authenticity, accountability, non-repudiation, and reliability. The degree of information security achieved can be determined on the basis of how well these protection goals are fulfilled.
Who Is Responsible for Information Security in the Company?
To ensure information security in every part of the company, clear responsibilities must be defined and all necessary resources (money, personnel, time) must be made available. This is the responsibility of top management in the company. It bears overall responsibility for information security and an appropriate ISMS.
Following a top-down approach, it is the responsibility of company management to initiate the security process, set up an organizational structure, define security objectives and general conditions, and establish guidelines for enforcing information security. The detailed design and implementation of these guidelines as an ISMS can be delegated to managers and employees.
An information security officer appointed by top management acts as the point of contact for all information security issues. He/she must be integrated into the ISMS process and work closely with IT managers, for example, when selecting new IT components or applications.
What Are the Advantages of an ISMS?
With an ISMS, information security can be systematically implemented throughout the entire company and ensure that all required security standards are met. This holistic, preventive approach offers several advantages:
Protection of sensitive information:
An ISMS ensures that proprietary information assets (e.g., intellectual property, personnel data, or financial data) as well as data entrusted by customers or third parties are adequately protected against any and all threats.
Maintaining business continuity:
By using an ISMS to make information security an integral part of their business processes, companies can continuously increase their level of security and mitigate information security risks. In this way, they counteract the risk of security incidents disrupting business continuity.
Meeting compliance requirements:
Strict compliance requirements apply, particularly in highly regulated sectors such as finance or critical infrastructure. Violations of legal regulations and contractual agreements can result in heavy fines. With an ISMS, companies ensure that they meet all regulatory and contractual requirements, which also gives them more operational and legal certainty.
Verifiability of information security:
By certifying their ISMS, companies are able to verify to third parties that sensitive information is handled securely. This contributes to a better external image and to building trust, which in turn means a competitive advantage.
Improved cost-effectiveness and cost reduction:
The structured coordination and risk-oriented planning of measures in an ISMS helps to set priorities, use resources efficiently, and make investments in the right places. After initial additional costs, overheads can thus be reduced in the long term.
Can an ISMS Replace a Data Privacy Management System?
Although an ISMS generally helps to secure information that needs to be protected, it does not necessarily also satisfy data privacy requirements relating to the secure processing of personal data. This is because all information requiring protection is treated the same in an ISMS. An ISMS is therefore no replacement for a data privacy management system (DPMS). Ideally, however, a DPMS is based on an ISMS and enhances it both technically and organizationally in accordance with data protection requirements (Article 25 and Article 32 GDPR). Close cooperation between information security officers and data protection officers is recommended here.
What Are Key Steps for Implementing an ISMS?
The efficient and effective implementation of an ISMS is a very complex process. The following steps should be taken into account:
Define the scope of services:
The first step is to clarify what the ISMS is supposed to do in the first place. To do this, company management must clearly define the areas of application, objectives, and limits of the ISMS.
What assets should be protected by the ISMS? They can be information, software, services, and physical assets such as computers, but also the qualifications, skills, and experience of employees as well as other intangible assets such as reputation and standing. The main objective here is to identify business-critical assets on which the company’s survival depends.
Identify and assess risks:
For every asset worth protecting, potential risks must be identified and classified based on legal requirements or compliance guidelines. Companies should ask themselves, for example, what impacts each risk would have if confidentiality, integrity, and availability were breached, or what the probabilities of the risks occurring are. In the end, they arrive at an assessment of which risks are acceptable, due to the expected amount of harm caused, for instance, and which must be addressed at all costs.
Based on the previous risk assessment, suitable technical and organizational measures for risk mitigation or avoidance must then be selected and implemented. This also includes defining clear competencies and responsibilities.
The measures adopted and implemented must be continuously monitored and regularly checked for effectiveness, for example, by audits.
If the review of the measures introduced reveals deficiencies or new risks have been identified, the ISMS process must be run through again from the beginning. In this way, the ISMS can be continuously adapted to changing conditions or requirements, continuously improving information security in the company.
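To make the asset, risk-assessment and re-review steps above concrete, here is an added example (not from the page or from Myra) of a minimal risk register: each risk is scored as likelihood times the worst impact across confidentiality, integrity and availability, compared against an acceptance threshold, and re-assessed after a measure has been applied, which is the loop the last step describes. The four-step ordinal scales, the threshold and the sample assets are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Ordinal scales for the assessment. The four-step scales and the acceptance
# threshold are assumptions for this example, not values from the page.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3, "almost_certain": 4}
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ACCEPT_BELOW = 6  # score below 6 is accepted; 6 and above must be treated


@dataclass
class Risk:
    asset: str        # business-critical asset inside the ISMS scope
    threat: str       # potential threat to that asset
    likelihood: str   # key of LIKELIHOOD
    impact: dict      # per protection goal: {"C": ..., "I": ..., "A": ...}

    def score(self) -> int:
        # Risk = likelihood x worst-case impact across the three protection goals.
        worst = max(IMPACT[level] for level in self.impact.values())
        return LIKELIHOOD[self.likelihood] * worst

    def mitigate(self, likelihood=None, impact=None) -> "Risk":
        # A measure lowers likelihood and/or impact; the result is the residual risk.
        return Risk(self.asset, self.threat, likelihood or self.likelihood,
                    {**self.impact, **(impact or {})})


def assess(risks, threshold=ACCEPT_BELOW):
    """Split risks into (accepted, to_be_treated), highest score first."""
    ranked = sorted(risks, key=Risk.score, reverse=True)
    to_treat = [r for r in ranked if r.score() >= threshold]
    accepted = [r for r in ranked if r.score() < threshold]
    return accepted, to_treat


def review_cycle(register, measures):
    """One pass of the loop: apply the selected measures, then re-assess."""
    residual = [measures.get(r.asset, lambda r: r)(r) for r in register]
    return assess(residual)


# Constructed sample register; illustrative assets and ratings only.
REGISTER = [
    Risk("customer database", "unauthorized disclosure", "possible", {"C": "critical", "I": "medium", "A": "low"}),
    Risk("public web shop", "DDoS overload", "likely", {"C": "low", "I": "low", "A": "high"}),
    Risk("research data", "undetected modification", "rare", {"C": "medium", "I": "critical", "A": "low"}),
    Risk("office printer", "paper jam", "likely", {"C": "low", "I": "low", "A": "low"}),
]

if __name__ == "__main__":
    accepted, to_treat = assess(REGISTER)
    for r in to_treat:
        print(f"TREAT  {r.score():2d}  {r.asset}: {r.threat}")
    for r in accepted:
        print(f"ACCEPT {r.score():2d}  {r.asset}: {r.threat}")
```

Passing a dict of measures keyed by asset to `review_cycle` shows whether the residual risks fall under the threshold or whether the register must be worked through again.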
What Can Companies Use as a Guide When Setting Up an ISMS?
Established standards such as the ISO 27000 family or the IT-Grundschutz (IT baseline protection) methodology developed by the German Federal Office for Information Security (BSI) help in designing an ISMS and introducing all necessary security measures. An ISMS operated in accordance with these standards makes it possible to identify potential threats at an early stage and mitigate them by means of tailor-made countermeasures. This enables companies to ensure the confidentiality, availability, and integrity of any and all information.
Both standards view information security as a process that must be continuously adjusted, for example, to changes in internal processes, changes in the legal framework, new technologies, or previously unknown threats. For this reason, a PDCA cycle (also known as a “Deming cycle”), consisting of the phases Plan (planning security measures), Do (implementing measures), Check (monitoring success through continuous monitoring), and Act (continuous improvement) is recommended.
Companies are generally free to choose whether to implement and, if necessary, certify their ISMS in accordance with the international ISO/IEC 27001 standard or the “German version”, ISO 27001 based on IT-Grundschutz. When setting up an ISMS, small and medium-sized enterprises (SMEs) and municipalities can also use the ISIS12 standard as a guide, which includes a specific twelve-step plan and clear implementation instructions.
The ISMS from Myra is Certified according to ISO 27001 Based on IT-Grundschutz
Myra Security has successfully implemented all the protective measures defined by the BSI against typical threats to corporate IT. The certificate (no. BSI-IGZ-0338-2018) confirms that Myra’s information security management system ensures the confidentiality, availability, and integrity of all information through suitable technical and organizational measures. This makes Myra one of only approx. 120 companies worldwide (as of February 2021) that meet the strict requirements of ISO 27001 based on IT-Grundschutz.