

INFORMATION SECURITY MANAGEMENT SYSTEM [ISO 27001: 2005]

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes, and IT systems.

Information is an asset, and is regarded as the lifeblood of all organizations. It can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation. In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious. With the increased use of new technology to store, transmit, and retrieve information, all organizations have opened themselves up to increased numbers and types of threats.

Therefore there is a need to establish a comprehensive information security policy within every organization, to ensure the confidentiality, integrity, and availability of both vital corporate information and customer information. ISO/IEC 27001:2005 is the standard that sets out the requirements for an ISMS. It helps an organization identify, manage, and minimize the range of threats to which its information is regularly subjected.

The standard is written in a generic form: it specifies "what" the ISMS must achieve, not "how" the system is to be built, which is left to the organization to decide. Setting up the ISMS with the help of the consultant is elaborated in the succeeding sections of this proposal.

One of the important steps in setting up an ISMS is a risk assessment of the current state of information security. The objectives of the risk assessment are:

To understand the CEO's perspective and commitments with respect to information security.
To identify the key business processes and the data, information, and knowledge they generate.
To assess the business risk involved in losing that vital data, information, or knowledge.
To identify the commitments made to customers through SLAs or other contractual terms, and to assess the gaps in the current security measures against them.
To evaluate the statutory obligations towards customers, within and outside India, with respect to the security of their information.
To assess the confidentiality (access control), integrity, and availability of the vital business data and information.
To suggest the IT and information security measures needed to meet the requirements of the ISO/IEC 27001:2005 standard.


What is the value for investment in ISMS?

SSA guarantees the following value adds over the course of our association in implementing an Information Security Management System as per this international standard:

Review and enhancement of all your procedures and processes.
Alignment of all employees to the vision and values of the company.
A customer-focused culture at all levels, leading to enhanced customer satisfaction.
Training on the basics of good management principles, resulting in leadership at all levels.
Identification of automation opportunities where software can be developed to eliminate errors and enhance the speed and accuracy of your services.
Reference process documents with which you can standardize work practices.
SOPs that help train new employees, thereby cutting the lead time needed to get the best out of them.
Regular internal audits followed by management reviews, to identify failures in adherence to processes early.
A continuous improvement culture that will make your company a world-class organization in the coming years.
Total employee involvement in the CEO's vision of achieving number one status in your industry.
Above all, certification by a reputed certification agency, which will enhance the corporate image of the company.

Consultancy Deliverables

The SSA consultation for ISMS implementation involves the following:

Trainings on the following:
i. ISMS Awareness Session
ii. ISMS Intensive Training
iii. Internal Auditor's Training
iv. Workshop on Security Policy & Objectives
v. Risk assessment work shop

The consultation involves:
i. Facilitation in the preparation of the Information Security Manual in electronic form, as detailed in this proposal
ii. Risk assessment and security risk mitigation planning
iii. Guidance and hand-holding during the implementation of the system
iv. Guidance and hand-holding in conducting internal audits
v. Guidance in the selection of a certification agency
vi. Hand-holding during the certification audit to close any non-conformities raised by the certification agency


Note: It is suggested that the ISMS manual be documented in the user-friendly software iGrafx, which helps in maintaining the SOPs through future process changes. The manual is converted into HTML format and stored on the server, so that all operating staff can view their SOPs from their desktops.

Training Curriculum

The following training programmes will be conducted as a means of knowledge transfer:

1. Management Overview on ISO 27001:2005

The purpose of this programme is to give an overview of the ISO 27001:2005 standard and gain acceptance from the management team.


2. Awareness on ISO 27001:2005

This programme is intended to provide the concepts of a systems approach to security management and customer satisfaction. The programme also covers an overview of the ISO standard. The target audience of this programme includes all staff, officers, and managers.


3. Intensive Training on ISO 27001:2005

This programme is for the core team members who will be involved in implementing and maintaining the ISMS. The programme will cover the details of all clauses of the ISO standard and their relevance to the business operations.


4. Internal Auditor training for ISO 27001:2005

This programme trains the internal auditors to carry out system audits against the security manuals, to check compliance of the system, and to report opportunities for improvement to management. Internal audit is a mandatory requirement of the standard. The programme covers the audit steps, audit reporting, audit skills, and audit psychology. The syllabus conforms to the IQA (Institute of Quality Assurance, London) requirements.


5. Work shop on Security Policy and Objectives

This programme includes a session to understand the concept of a security policy and security objectives, and how to derive them. The target audience for this programme is the head of the organization and his senior management team.


6. Risk assessment work shop

This programme includes a session to understand the concept of assessing risk to information and how to mitigate it in today's fast-paced, ever-changing business environment. The target audience for this programme is the head of the organization and his senior management team.


Preparation of ISMS Manual: (Documentation)

One of the important requirements of the ISMS is the documentation of the business processes, incorporating the operating-level activities in greater detail. The manual is prepared in the following structure:

Tier - 1 Documentation:
This documentation will cover the security policy of the company, its resources, the products and services offered, its policies, and an outline of its ISMS. The other chapters of the tier-1 document will provide detailed procedures addressing the various requirements of the ISO standard.

Tier-2 Documentation:
The tier-2 documentation is often referred to as the standard operating procedures (SOP) manual. This part of the documentation will cover the nuts-and-bolts level of operating procedures in all departments. SSA recommends flowcharts as the representation for these SOPs, for easy understanding during audits and during the training of new staff joining the company.

Note:

The documentation is kept in electronic form with an easy navigation facility to browse through the various processes involved in the business. This facilitates access through the intranet from all desktops.

The tier-1 documentation will be done by SSA, and the tier-2 documentation will be done by the client.
SSA recommends that the process mapping be done with iGrafx software, a product of Corel Corporation, USA. (The approximate cost of iGrafx Flowcharter is $400. For details, see www.iGrafx.com.)

Critical success factors

The following are the critical success factors for the value addition:

Management commitment and involvement
Regular reviews by top management
Attendance at the training programmes
Resources for the team
Mentoring by the Head of QA

The consultants and the client are two interdependent parties and have to execute the project in a coordinated manner throughout its duration.

Apart from setting up a system for ISO/IEC 27001:2005 certification, SSA also conducts a one-day session on Executive Overview/Awareness of ISO 9001:2000 and a two-day session on Internal Auditor's Training.
