Modern information security standards built on the concept of risk management: what a modern information security management system is and how its procedures work

An information security management system (ISMS) is that part of the overall management system, based on a business-risk approach, which covers the establishment, implementation, operation, monitoring, review, maintenance and improvement of information security.

If the ISMS is built in accordance with the requirements of ISO/IEC 27001, it is based on the PDCA model:

    Plan - the phase of establishing the ISMS: drawing up the list of assets, assessing risks and selecting controls;
    Do - the phase of implementing and operating the selected controls;
    Check - the phase of evaluating the effectiveness and performance of the ISMS, usually performed by internal auditors;
    Act - the phase of taking preventive and corrective actions.

Information security concept

The ISO 27001 standard defines information security as “the preservation of the confidentiality, integrity and availability of information; in addition, other properties can be included, such as authenticity, non-repudiation and reliability.”

Confidentiality - ensuring that information is accessible only to those who have the appropriate authority (authorized users).

Integrity - ensuring the accuracy and completeness of information, as well as methods of its processing.

Availability - ensuring that authorized users have access to information whenever they need it (on demand).

4 Information security management system

4.1 General requirements

The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks it faces. For the purposes of this International Standard, the process used is based on the PDCA model shown in Fig. 1.

4.2 Establishing and managing an ISMS

4.2.1 Creating an ISMS

The organization should do the following.

a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology, including details of and justification for any exclusions from the scope (see 1.2).

b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology, that:

1) includes a framework for setting objectives and establishes the overall direction of management and the principles for action with regard to information security;

2) takes into account business and legal or regulatory requirements, and contractual security obligations;

3) is aligned with the organization's strategic risk management context, in which the establishment and maintenance of the ISMS takes place;

4) establishes the criteria against which risk will be evaluated (see 4.2.1 c)); and

5) has been approved by management.

NOTE: For the purposes of this International Standard, an ISMS policy is an extended set of information security policies. These policies can be described in one document.

c) Develop a framework for risk assessment in the organization.

1) Identify a risk assessment methodology that is suited to the ISMS and to the identified business information security, legal and regulatory requirements.

2) Develop criteria for accepting risk and identify the acceptable levels of risk (see 5.1 f)).

The risk assessment methodology chosen should ensure that risk assessments produce comparable and reproducible results.

NOTE: There are different risk assessment methodologies. Examples of risk assessment methodologies are discussed in ISO/IEC TR 13335-3, Information technology - Guidelines for the management of IT security - Techniques for the management of IT security.

d) Identify risks.

1) Identify the assets within the scope of the ISMS, and the owners of these assets. (Footnote 2: the term "owner" denotes an individual or entity that has been approved to be responsible for controlling the maintenance, use and security of an asset; it does not mean that the person actually holds any property rights to the asset.)

2) Identify the threats to these assets.

3) Identify the vulnerabilities in the protection of these assets.

4) Identify the impacts that a loss of confidentiality, integrity or availability may have on these assets.

e) Analyze and assess risks.

1) Assess the damage to the organization's business that might result from a security failure, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.

2) Assess the realistic likelihood of such a security failure in the light of the prevailing threats and vulnerabilities, the impacts associated with the assets, and the controls currently in place.

3) Assess the levels of risk.

4) Determine the acceptability of the risk, or require it to be reduced, using the risk acceptability criteria set out in 4.2.1c) 2).

f) Identify and evaluate options for the treatment of risks.

Possible actions include:

1) Application of suitable controls;

2) Knowingly and objectively accepting risks, provided they clearly satisfy the organization's policy and the criteria for risk acceptance (see 4.2.1 c) 2));

3) Risk avoidance; and

4) Transfer of relevant business risks to another party, for example, insurance companies, suppliers.

g) Select control objectives and controls for the treatment of risks.

Control objectives and controls should be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection should take account of both the criteria for accepting risks (see 4.2.1 c) 2)) and legal, regulatory and contractual requirements.

The control objectives and controls from Appendix A should be selected as part of this process as suitable to cover the identified requirements.

Since the control objectives and controls listed in Appendix A are not exhaustive, additional control objectives and controls may also be selected.

NOTE: Appendix A contains a comprehensive list of control objectives and controls that have been found to be relevant in organizations. Users of this International Standard should treat Appendix A as the starting point for control selection, so that no important control option is overlooked.

h) Obtain management approval of the proposed residual risks.

4) help detect security events and thereby, through defined indicators, prevent security incidents; and

5) determine whether the actions taken to resolve a breach of security were effective.

b) Conduct regular reviews of the effectiveness of the ISMS (including discussion of the ISMS policy and its objectives, review of security controls), taking into account the results of audits, incidents, performance measurements, suggestions and recommendations of all interested parties.

c) Measure the effectiveness of controls to verify that security requirements have been met.

d) Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risk, taking into account changes to:

1) the organization;

2) technology;

3) business objectives and processes;

4) identified threats;

5) the effectiveness of the implemented controls; and

6) external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in the social climate.

e) Conduct internal ISMS audits at planned intervals (see Clause 6).

NOTE: Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself for internal purposes.

f) Undertake a management review of the ISMS on a regular basis to ensure that its scope remains adequate and that improvements to the ISMS process are identified.

g) Update security plans based on monitoring and audit findings.

h) Record actions and events that could affect the effectiveness or performance of the ISMS (see 4.3.3).

4.2.4 Maintaining and improving the ISMS

The organization must continually do the following.

a) Implement the identified improvements in the ISMS.

b) Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3. Apply the lessons learnt from the organization's own experience and from the experience of other organizations.

c) Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, as relevant, agree on how to proceed.

d) Ensure that the improvements achieve their intended objectives.

4.3 Documentation requirements

4.3.1 General

Documentation should include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.

It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment processes, and further back to the ISMS policy and objectives.

The ISMS documentation should include:

a) a documented statement of the ISMS policy and objectives (see 4.2.1 b));

b) the scope of the ISMS (see 4.2.1 a));

c) the procedures and controls in support of the ISMS;

d) a description of the risk assessment methodology (see 4.2.1 c));

e) the risk assessment report (see 4.2.1 c) to 4.2.1 g));

f) the risk treatment plan (see 4.2.2 b));

g) the documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes, and a description of how the effectiveness of controls is measured (see 4.2.3 c));

h) the records required by this International Standard (see 4.3.3); and

i) the Statement of Applicability.

NOTE 1: For the purposes of this International Standard, the term “documented procedure” means that the procedure is established, documented, implemented and maintained.

NOTE 2: The extent of the ISMS documentation can differ from one organization to another, depending on:

· the size of the organization and the type of its assets; and

· the scope and complexity of the security requirements and of the system being managed.

NOTE 3: Documents and reports can be provided in any form.

4.3.2 Document control

The documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to:

a) approve documents for adequacy prior to issue;

b) review and update documents as necessary, and re-approve them;

c) ensure that changes and the current revision status of documents are identified;

d) ensure that the relevant versions of applicable documents are available where they are used;

e) ensure that documents remain legible and readily identifiable;

f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification;

g) ensure that documents of external origin are identified;

h) ensure that the distribution of documents is controlled;

i) prevent the unintended use of obsolete documents; and

j) apply suitable identification to obsolete documents if they are retained for any purpose.

4.3.3 Control of records

Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the ISMS. Records shall be protected and controlled. The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time and disposal of records shall be documented and implemented.

The records shall include evidence of the performance of the processes described in 4.2 and of all occurrences of significant security incidents related to the ISMS.

Examples of records are visitors' books, audit logs and completed access authorization forms.

The BS ISO/IEC 27001:2005 standard describes a model of an information security management system (ISMS) and sets out requirements for organizing information security in an enterprise without prescribing the implementation methods, which are chosen by the organization's implementers.

The standard proposes applying the PDCA (Plan-Do-Check-Act) model to the ISMS life cycle, which includes design, implementation, operation, control, analysis, support and improvement (Figure 1).

Plan - the phase of establishing the ISMS: drawing up the list of assets, assessing risks and selecting controls;

Do - the phase of implementing and operating the selected controls;

Check - the phase of evaluating the effectiveness and performance of the ISMS, usually performed by internal auditors;

Act - the phase of taking preventive and corrective actions.

The decision on the creation (and subsequent certification) of an ISMS is taken by the top management of the organization. This demonstrates management support and reaffirmation of the value of the ISMS to the business. The organization's management initiates the creation of an ISMS planning team.

The group responsible for planning the ISMS should include:

· Representatives of the top management of the organization;

· Representatives of business units covered by the ISMS;

· Specialists of information security departments;

· Third-party consultants (if necessary).

The IS Committee provides support for the operation of the ISMS and its continuous improvement.

The working group should be guided by the regulatory and methodological framework, both that relating to the creation of an ISMS and that relating to the organization's field of activity, and, of course, by the general body of national law.

Regulatory framework for creating an ISMS:

· ISO/IEC 27000:2009 Vocabulary and definitions.

· ISO/IEC 27001:2005 General requirements for an ISMS.

· ISO/IEC 27002:2005 Practical guide to information security management.

· ISO/IEC 27003:2010 Practical guidance for the implementation of an ISMS.

· ISO/IEC 27004:2009 Information security metrics (measurements).

· ISO/IEC 27005:2011 Guidelines for information security risk management.

· ISO/IEC Guide 73:2002, Risk management - Vocabulary - Guidelines for use in standards.

· ISO/IEC 13335-1:2004, Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management.

· ISO/IEC TR 18044, Information technology - Security techniques - Information security incident management.

· ISO/IEC 19011:2002, Guidelines for quality and/or environmental management systems auditing.

· British Standards Institution ISMS methodology series (formerly the PD 3000 series of documents).

The process of creating an ISMS consists of 4 stages:

Stage 1. Planning an ISMS.

Establishing policies, objectives, processes and procedures related to risk management and information protection in accordance with the overall policy and objectives of the organization.

a) Determining the scope and boundaries of the ISMS:

· Description of the type of activity and business goals of the organization;

· An indication of the boundaries of the systems covered by the ISMS;

· Description of the organization's assets (types of information resources, software and hardware, personnel and organizational structure);

· Description of business processes using the protected information.

A description of the system boundaries includes:

· Description of the existing structure of the organization (with the possible changes that may arise from the development of the information system).

· The information system resources to be protected (computer hardware, information, system and application software). To evaluate them, a system of criteria and a methodology for producing assessments against those criteria (categorization) should be chosen.

· The information processing technology and the tasks to be solved. For each task, information processing models should be built in terms of resources.

· A diagram of the organization's information system and its supporting infrastructure.

As a rule, at this stage a document is drawn up that fixes the boundaries of the information system, lists the company's information resources to be protected, and sets out the system of criteria and the methods for assessing the value of the company's information assets.

b) Definition of the organization's ISMS policy (an expanded version of the information security policy):

· Objectives, directions and principles of activity in relation to information protection;

· Description of the strategy (approaches) of risk management in the organization, structuring of countermeasures to protect information by type (legal, organizational, hardware and software, engineering and technical);

· Description of the criteria for the significance of the risk;

· The position of management; the frequency of management-level meetings on information security, including periodic review of the provisions of the information security policy; and the procedure for training all categories of users of the information system in information security.

c) Determining the approach to risk assessment in the organization.

The risk assessment methodology is selected depending on the ISMS and on the established business information security, legal and regulatory requirements.

The choice of risk assessment methodology depends on the level of requirements for the information security regime in the organization, the nature of the threats taken into account (the spectrum of threat impact) and the effectiveness of the potential countermeasures for protecting information. In particular, a distinction is made between basic and increased (or complete) requirements for the information security regime.

The basic level of information security corresponds to the minimum requirements for the IS regime. Such requirements are applied, as a rule, to typical design solutions. A number of standards and specifications consider a minimum (typical) set of the most likely threats, such as viruses, equipment failures and unauthorized access. To neutralize these threats, countermeasures must be taken regardless of the likelihood of their occurrence and the vulnerability of the resources; thus, at the basic level it is not necessary to consider the characteristics of the threats. Foreign standards in this area include ISO 27002, BSI, NIST and others.

In cases where violations of the IS regime lead to serious consequences, additional requirements are imposed.

To formulate additional, increased requirements, you must:

· Determine the value of resources;

· Add to the standard set a list of threats that are relevant to the information system under study;

· Assess the likelihood of threats;

· Determine the vulnerabilities of resources;

· Assess the potential damage from the actions of intruders.

It is necessary to find a risk assessment methodology that can be used on an ongoing basis with minimal changes. There are two ways: to use existing risk assessment methods and tools available on the market, or to create your own methodology, adapted to the specifics of the company and the area of activity covered by the ISMS.

The latter option is usually preferable, since so far most of the products on the market that implement one or another risk analysis methodology do not meet the requirements of the Standard. Typical shortcomings of such methods are:

· A fixed set of threats and vulnerabilities that often cannot be changed;

· Treating only software, hardware and information resources as assets, without considering human resources, services and other important resources;

· The overall complexity of the methodology, which makes its sustained and repeatable use difficult.

· Criteria for accepting risks and acceptable levels of risk (these should be based on achieving the strategic, organizational and management objectives of the organization).

d) Risk identification.

· Identification of assets and their owners:

    information input data;

    information output data;

    information records;

    resources: people, infrastructure, equipment, software, tools, services.

· Identification of threats (standards for risk assessment often suggest classes of threats that can be supplemented and expanded).

· Identification of vulnerabilities (there are also lists of the most common vulnerabilities that you can rely on when analyzing your organization).

· Determination of the value of assets (possible consequences from loss of confidentiality, integrity and availability of assets). Information about the value of an asset can be obtained from its owner or from a person to whom the owner has delegated all the authority over this asset, including ensuring its security.

e) Risk assessment.

· Assessment of the damage that can be caused to the business from the loss of confidentiality, integrity and availability of assets.

· Assessment of the likelihood of the implementation of threats through existing vulnerabilities, taking into account the available IS management tools and assessing the possible damage caused;

· Determination of the level of risk.

· Application of the risk acceptance criteria (acceptable / requiring treatment).

f) Risk treatment (in accordance with the selected risk management strategy).

Possible actions:

Passive actions:

    · Risk acceptance (a decision that the resulting level of risk is acceptable);

    · Risk avoidance (a decision to change the activity that causes the given level of risk, for example moving the web server out of the perimeter of the local network);

Active actions:

    · Risk reduction (through organizational and technical countermeasures);

    · Risk transfer (insurance against fire, theft, software bugs).

The choice of action depends on the accepted risk criteria: an acceptable level of risk is set, together with the levels of risk that can be reduced by information security controls, the levels of risk at which it is recommended to abandon or transform the activity that causes them, and the risks that it is preferable to transfer to other parties.
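The risk assessment and risk treatment steps described above (4.2.1 e) and f) earlier on this page, and Stage 1 e) and f) here) become comparable and reproducible only when the scale, the level formula and the acceptance criteria are fixed in advance. The following is an added example and not text from the standard or from the original article: the 5x5 scale, the acceptance thresholds, the rules for choosing between accepting, reducing, transferring and avoiding a risk, and the sample register are all constructed assumptions. It shows how the assessment, the treatment decision and the residual-risk check that management must approve fit together in one register.

```python
"""Reproducible risk assessment and treatment decisions for an ISMS risk register.

Added example. ISO/IEC 27001 only requires that the methodology give comparable,
reproducible results and that risk acceptance criteria be defined; the scale,
thresholds and sample assets below are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Treatment(Enum):
    ACCEPT = "accept"      # passive: level is within the acceptance criteria
    AVOID = "avoid"        # passive: change or stop the activity causing the risk
    REDUCE = "reduce"      # active: organizational and technical controls
    TRANSFER = "transfer"  # active: insurance, outsourcing to a supplier


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps removed from likelihood on the 1..5 scale
    impact_reduction: int = 0      # steps removed from impact on the 1..5 scale


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int       # 1..5 damage from loss of C/I/A, obtained from the asset owner
    likelihood: int   # 1..5 given the threat, vulnerability and existing controls
    controls: List[Control] = field(default_factory=list)  # planned treatment


# Assumed acceptance criteria, approved by management (4.2.1 c) 2)).
ACCEPTABLE_MAX = 6          # level 1..6: accept as is
AVOID_MIN = 20              # level 20..25: abandon or transform the activity
TRANSFER_MIN_IMPACT = 4     # rare but damaging events (fire, theft): transfer
TRANSFER_MAX_LIKELIHOOD = 2


def risk_level(impact: int, likelihood: int) -> int:
    """Risk level = impact x likelihood on a 5x5 matrix (1..25).

    The same inputs always give the same level, which is what makes the
    assessment comparable and reproducible across assessors and periods."""
    for value in (impact, likelihood):
        if not 1 <= value <= 5:
            raise ValueError("impact and likelihood must be on the 1..5 scale")
    return impact * likelihood


def decide_treatment(risk: Risk) -> Treatment:
    """Apply the acceptance criteria to a risk and choose the treatment option."""
    level = risk_level(risk.impact, risk.likelihood)
    if level <= ACCEPTABLE_MAX:
        return Treatment.ACCEPT
    if level >= AVOID_MIN:
        return Treatment.AVOID
    if risk.impact >= TRANSFER_MIN_IMPACT and risk.likelihood <= TRANSFER_MAX_LIKELIHOOD:
        return Treatment.TRANSFER
    return Treatment.REDUCE


def residual_level(risk: Risk) -> int:
    """Level remaining after the planned controls; each scale is clamped at 1."""
    impact = max(1, risk.impact - sum(c.impact_reduction for c in risk.controls))
    likelihood = max(1, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    return risk_level(impact, likelihood)


def treatment_plan(risks: List[Risk]) -> List[Dict]:
    """Build the risk treatment plan: highest risk first, with the residual level
    and whether that residual is acceptable under the same criteria."""
    rows = []
    for r in risks:
        residual = residual_level(r)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "level": risk_level(r.impact, r.likelihood),
            "treatment": decide_treatment(r).value,
            "controls": [c.name for c in r.controls],
            "residual": residual,
            "residual_acceptable": residual <= ACCEPTABLE_MAX,
        })
    return sorted(rows, key=lambda row: row["level"], reverse=True)


# Constructed sample register (assets, values and controls are invented).
SAMPLE_RISKS = [
    Risk("customer database", "unauthorized access", "password-only logins", 5, 3,
         [Control("MFA for all database access", likelihood_reduction=2)]),
    Risk("server room hardware", "fire", "single site, no redundancy", 4, 2,
         [Control("property insurance", impact_reduction=2)]),
    Risk("marketing website", "defacement", "outdated CMS plug-in", 2, 3),
    Risk("legacy FTP service", "exploitation of unpatched service", "unsupported software", 4, 5,
         [Control("decommission the service", likelihood_reduction=4)]),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_RISKS):
        print(f"{row['level']:>2} {row['treatment']:<8} {row['asset']:<22} "
              f"residual={row['residual']} acceptable={row['residual_acceptable']}")
```

Running the module prints the plan in priority order: the legacy FTP service (level 20) is to be avoided by decommissioning, the customer database (15) is reduced with MFA to a residual level of 5, the server room fire risk (8) is transferred to an insurer, and the website defacement risk (6) is accepted. Because every decision is derived from the recorded criteria, a later review can re-run the same inputs and reproduce the same plan.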

g) Selecting objectives and controls for risk treatment.

Goals and controls should implement the risk management strategy, take into account the criteria for accepting risks and legal, regulatory and other requirements.

ISO 27001-2005 provides a list of objectives and controls as a basis for building a risk treatment plan (ISMS requirements).

The risk treatment plan contains a list of priority measures to reduce risk levels, indicating:

· Persons responsible for implementing these measures, and the funds allocated to them;

· Terms of implementation of activities and priorities for their implementation;

· Resources for the implementation of such activities;

· Levels of residual risks after the implementation of measures and controls.

The top management of the organization is responsible for the adoption and oversight of the risk treatment plan. The fulfillment of the key activities of the plan is a criterion for making a decision on putting the ISMS into operation.

At this stage, the choice of the various IS countermeasures is justified, structured by the regulatory, organizational and managerial, technological, and hardware and software levels of information security. (The set of countermeasures is then implemented in accordance with the selected information risk management strategy.) In the full version of the risk analysis, the effectiveness of the countermeasures is additionally assessed for each risk.

h) Management approval of the proposed residual risk.

i) Obtain management approval for the implementation and commissioning of the ISMS.

j) Statement of Applicability (in accordance with ISO 27001-2005).

The date the ISMS is put into operation is the date on which the company's top management approves the Statement of Applicability, which describes the control objectives and controls chosen by the organization to manage its risks:

· The control objectives and controls selected during the risk treatment stage;

· The controls already in place in the organization;

· The controls ensuring compliance with legal requirements and the requirements of regulators;

· The controls ensuring that customer requirements are met;

· The controls ensuring that general corporate requirements are met;

· Any other appropriate controls.

Stage 2. Implementation and operation of the ISMS.

To implement and operate the information security policy, controls, processes and procedures in the field of information security, the following actions are performed:

a) Development of a risk treatment plan: a description of the planned controls; the resources (software, hardware, personnel) required for their implementation, support and control; and management responsibilities for information security risk management (developing documents at the planning stage, supporting the information security objectives, defining roles and responsibilities, providing the resources needed to establish the ISMS, auditing and reviewing).

b) Allocation of funding, roles and responsibilities for the implementation of the risk treatment plan.

c) Implementation of the planned controls.

d) Establishment of performance benchmarks (metrics) for the controls and of methods for measuring them that give comparable and reproducible results.

e) Training and awareness of personnel in information security in accordance with their job responsibilities.

f) Managing the operation of the ISMS, managing resources to maintain, monitor and improve the ISMS.

g) Implementation of procedures and other controls for rapid detection and response to information security incidents.

Stage 3: Continuous monitoring and analysis of the functioning of the ISMS.

This stage involves assessing or measuring key performance indicators of processes, analyzing the results and providing reports to management for analysis and includes:

a) Conducting continuous monitoring and analysis (allows you to quickly detect errors in the functioning of the ISMS, quickly identify and respond to security incidents, delineate the roles of personnel and automated systems in the ISMS, to prevent security incidents by analyzing unusual behavior, to determine the effectiveness of handling security incidents).

b) Conducting a regular review of the effectiveness of the ISMS (reviewing compliance with the ISMS policy and objectives, audits, key performance indicators, proposals and stakeholder responses).

c) Measuring the effectiveness of controls to verify that security requirements are being met.

d) Periodic reassessment of risks, analysis of residual risks and determination of acceptable levels of risk for any changes in the organization (business objectives and processes, identified threats, newly identified vulnerabilities, etc.)

e) Periodic internal audits of the ISMS.

ISMS audit - checking that the selected countermeasures conform to the business goals and objectives declared in the organization's IS policy; based on its results, residual risks are assessed and, where necessary, optimized.

f) Regular review by management of the scope and direction of the ISMS.

g) Updating risk management plans to capture the results of monitoring and analysis.

h) Maintaining records of events that have had a negative effect on the effectiveness or quality of the ISMS.
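Stage 2 d) above asks for control metrics and a measurement method that give comparable and reproducible results, and Stage 3 a) and c) ask that the effectiveness of incident handling and of the controls be measured and reported to management. The following added example (not from the original article or from the standard) shows one such method for the incident-handling controls: a fixed detection target and containment target, the fraction of incidents in a reporting period that met each target, a median time to detect, and a traffic-light indicator for the management report. The targets, the thresholds and the incident records are constructed assumptions; undetected or still-open incidents are counted as misses so that they cannot flatter the result.

```python
"""Control-effectiveness metrics for incident handling, computed the same way
for every reporting period so that results are comparable and reproducible.

Added example; targets, thresholds and incident records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Incident:
    incident_id: str
    occurred: datetime
    detected: Optional[datetime]   # None if never detected (e.g. found later by audit)
    contained: Optional[datetime]  # None while the incident is still open


# Assumed measurement method: the page only requires that metrics and their
# method of measurement be defined so that results are comparable and reproducible.
DETECT_TARGET = timedelta(hours=24)   # detected within 24 h of occurrence
CONTAIN_TARGET = timedelta(hours=72)  # contained within 72 h of detection
GREEN_MIN = 0.9                       # indicator thresholds for the management report
AMBER_MIN = 0.7


def share_within_target(incidents: List[Incident], start: str, end: str,
                        target: timedelta) -> Optional[float]:
    """Fraction of incidents whose interval from `start` to `end` is within target.

    An incident with no `end` timestamp counts as a miss, so an undetected or
    still-open incident can never improve the score. None if nothing to measure."""
    if not incidents:
        return None
    hits = 0
    for inc in incidents:
        t0, t1 = getattr(inc, start), getattr(inc, end)
        if t0 is not None and t1 is not None and t1 - t0 <= target:
            hits += 1
    return round(hits / len(incidents), 3)


def indicator(value: Optional[float]) -> str:
    """Map a ratio to the traffic-light status used in the management report."""
    if value is None:
        return "no data"
    if value >= GREEN_MIN:
        return "green"
    return "amber" if value >= AMBER_MIN else "red"


def measure_period(incidents: List[Incident], start: datetime, end: datetime) -> Dict:
    """Metrics for the incidents that occurred in the half-open interval [start, end)."""
    in_period = [i for i in incidents if start <= i.occurred < end]
    detect_ratio = share_within_target(in_period, "occurred", "detected", DETECT_TARGET)
    contain_ratio = share_within_target(in_period, "detected", "contained", CONTAIN_TARGET)
    ttd_hours = [(i.detected - i.occurred).total_seconds() / 3600
                 for i in in_period if i.detected is not None]
    return {
        "incidents": len(in_period),
        "detected_in_target": detect_ratio,
        "detection_indicator": indicator(detect_ratio),
        "contained_in_target": contain_ratio,
        "containment_indicator": indicator(contain_ratio),
        "median_time_to_detect_h": median(ttd_hours) if ttd_hours else None,
    }


def ts(month: int, day: int, hour: int) -> datetime:
    """Shorthand for constructing the sample timestamps (year is arbitrary)."""
    return datetime(2023, month, day, hour)


# Constructed sample incident records (IDs and timestamps are invented).
SAMPLE_INCIDENTS = [
    Incident("INC-1", ts(1, 10, 9), ts(1, 10, 15), ts(1, 12, 15)),
    Incident("INC-2", ts(2, 2, 8), ts(2, 5, 8), ts(2, 6, 8)),        # detected after 72 h
    Incident("INC-3", ts(3, 3, 10), None, None),                      # never detected
    Incident("INC-4", ts(4, 15, 8), ts(4, 15, 10), ts(4, 16, 10)),
    Incident("INC-5", ts(5, 20, 12), ts(5, 20, 20), ts(5, 24, 20)),   # contained after 96 h
    Incident("INC-6", ts(6, 1, 0), ts(6, 1, 6), ts(6, 2, 6)),
    Incident("INC-7", ts(6, 20, 8), ts(6, 20, 9), None),              # still open
]

if __name__ == "__main__":
    for name, (start, end) in {"Q1": (ts(1, 1, 0), ts(4, 1, 0)),
                               "Q2": (ts(4, 1, 0), ts(7, 1, 0))}.items():
        print(name, measure_period(SAMPLE_INCIDENTS, start, end))
```

With the sample records, Q1 is red on both indicators (one of three incidents detected in time, two of three contained in time, median time to detect 39 h), while Q2 is green on detection (all four within 24 h, median 4 h) but still red on containment, because one incident took 96 h and another is still open. Presenting both periods side by side, computed by the same method, is what makes the report comparable from one review to the next.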

Stage 4. Maintaining and improving the ISMS.

Based on the results of the internal ISMS audit and management analysis, corrective and preventive actions are developed and implemented to continuously improve the ISMS:

a) Improvement of the information security policy and information security objectives, based on audits and the analysis of observed events.

b) Development and implementation of corrective and preventive actions to eliminate non-compliance with the ISMS requirements.

c) Monitoring improvements to the ISMS.


Active edition from 27.12.2006

Document name: "INFORMATION TECHNOLOGY. METHODS AND MEANS OF ENSURING SECURITY. MANAGEMENT SYSTEMS OF INFORMATION SECURITY. REQUIREMENTS. GOST R ISO/IEC 27001-2006" (approved by Order of Rostekhregulirovanie dated 27.12.2006 N 375-st)
Document type: order, standard, GOST, ISO
Issuing body: Rostekhregulirovanie
Document number: ISO/IEC 27001-2006
Date of adoption: 01.01.1970
Date of revision: 27.12.2006
Date of registration with the Ministry of Justice: 01.01.1970
Status: in force
Publication: at the time of inclusion in the database, the document had not been published

"INFORMATION TECHNOLOGY. METHODS AND MEANS OF ENSURING SECURITY. MANAGEMENT SYSTEMS OF INFORMATION SECURITY. REQUIREMENTS. GOST R ISO/IEC 27001-2006" (approved by Order of Rostekhregulirovanie dated 27.12.2006 N 375-st)

8. Improving the information security management system

8.1. Continual improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the IS policy, the IS objectives, audit results, the analysis of monitored events, corrective and preventive actions, and management review (see Clause 7).

8.2. Corrective action

The organization shall take action to eliminate the causes of nonconformities with the ISMS requirements in order to prevent their recurrence. The documented corrective action procedure shall define requirements for:

a) identifying nonconformities;

b) determining the causes of nonconformities;

c) evaluating the need for action to ensure that nonconformities do not recur;

d) determining and implementing the corrective action needed;

e) recording the results of the action taken (see 4.3.3);

f) reviewing the corrective action taken.

    8.3. Preventive action

    The organization shall determine the actions necessary to eliminate the causes of potential nonconformities with the ISMS requirements in order to prevent their occurrence. The preventive actions taken shall be commensurate with the consequences of the potential problems. A documented preventive action procedure shall establish requirements for:

    a) identifying potential nonconformities and their causes;

    b) evaluating the need for action to prevent the occurrence of nonconformities;

    c) determining and implementing the preventive action required;

    d) recording the results of the action taken (see 4.3.3);

    e) reviewing the results of the action taken.

    The organization shall identify changes in risk assessments and establish requirements for preventive action, paying special attention to risks whose quantitative indicators have changed significantly.

    The priorities for the implementation of preventive actions should be determined based on the results of the risk assessment.

    NOTE In general, action to prevent nonconformities is more cost-effective than corrective action.

    GOST R ISO / IEC 27001-2006 "Information technology. Methods and means of ensuring security. Information security management systems. Requirements"

    The developers of the standard note that it was prepared as a model for the development, implementation, operation, monitoring, analysis, support and improvement of an information security management system (ISMS). The ISMS (information security management system) is defined as the part of the overall management system that is based on business risk assessment methods for the development, implementation, operation, monitoring, analysis, support and improvement of information security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

    The standard assumes the use of a process approach for the development, implementation, operation, monitoring, analysis, support and improvement of the organization's ISMS. It is based on the Plan - Do - Check - Act (PDCA) model, which can be applied to structure all ISMS processes. Fig. 4.4 shows how the ISMS, taking information security requirements and the expectations of interested parties as input, produces, through the necessary actions and processes, information security results that meet those requirements and expectations.

    Fig. 4.4.

    At the stage "Development of the information security management system" the organization should do the following:

    • determine the scope and boundaries of the ISMS;
    • define the ISMS policy based on the characteristics of the business, the organization, its location, assets and technologies;
    • define the organization's approach to risk assessment;
    • identify risks;
    • analyze and evaluate risks;
    • identify and evaluate the options for risk treatment;
    • select control objectives and controls for risk treatment;
    • obtain management approval of the anticipated residual risks;
    • obtain management authorization to implement and operate the ISMS;
    • prepare a Statement of Applicability.

    The stage "Implementation and operation of the information security management system" requires that the organization:

    • develop a risk treatment plan that defines the appropriate management actions, resources, responsibilities and priorities for managing information security risks;
    • implement the risk treatment plan to achieve the identified control objectives, including funding and the allocation of roles and responsibilities;
    • implement the selected controls;
    • define how the effectiveness of the selected controls is to be measured;
    • implement training and awareness programs for employees;
    • manage the operation of the ISMS;
    • manage the resources of the ISMS;
    • implement procedures and other controls to ensure prompt detection of information security events and response to information security incidents.

    The third stage, "Monitoring and review of the information security management system", requires the organization to:

    • execute monitoring and review procedures;
    • undertake regular reviews of the effectiveness of the ISMS;
    • measure the effectiveness of controls to verify that IS requirements have been met;
    • review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risk, taking changes into account;
    • conduct internal ISMS audits at planned intervals;
    • undertake a management review of the ISMS on a regular basis to confirm that it is functioning adequately and to identify directions for improvement;
    • update IS plans to take into account the findings of monitoring and review;
    • record actions and events that could have an impact on the effectiveness or performance of the ISMS.

    Finally, the stage "Maintaining and improving the information security management system" requires the organization to regularly carry out the following activities:

    • identify opportunities for improving the ISMS;
    • take the appropriate corrective and preventive actions, applying the information security lessons learned both in its own organization and in other organizations;
    • communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, where relevant, agree on how to proceed;
    • ensure that the improvements achieve their intended objectives.
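    The four PDCA stages above are described only in prose, so here is an added worked example (written for this page, not part of the standard or of the source text) of the artefacts they produce: a risk register with inherent and residual scores, the check of residual risks against an acceptance level (the "anticipated residual risks" that need management approval), a Statement of Applicability derived from the selected controls, and the monitoring-stage check for risks whose score has changed significantly. The 1-5 likelihood x 1-5 impact scoring, the control identifiers (C-01 and so on) and the sample assets are all constructed for this example; ISO/IEC 27001 leaves the assessment method to the organization.

```python
from dataclasses import dataclass, field
from enum import Enum


# Scoring scheme (likelihood 1..5 times impact 1..5) is an assumption made
# for this example; the standard does not prescribe one.

class Treatment(Enum):
    MITIGATE = "mitigate"  # reduce the risk by applying controls
    ACCEPT = "accept"      # knowingly retain the risk (needs management approval)
    TRANSFER = "transfer"  # e.g. insurance or outsourcing; score is unchanged here
    AVOID = "avoid"        # stop the activity that creates the risk


@dataclass(frozen=True)
class Control:
    ref: str             # control identifier; the values below are placeholders
    name: str
    likelihood_cut: int  # assumed reduction of the likelihood score once implemented


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    treatment: Treatment = Treatment.MITIGATE
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.rid}: likelihood and impact must be in 1..5")

    def inherent(self) -> int:
        """Risk score before any treatment."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk score after the chosen treatment; this is what management approves."""
        if self.treatment is Treatment.AVOID:
            return 0
        if self.treatment is not Treatment.MITIGATE:
            return self.inherent()
        cut = sum(c.likelihood_cut for c in self.controls)
        return max(1, self.likelihood - cut) * self.impact  # likelihood never drops below 1


def needs_approval(register, acceptance_level: int):
    """Risks whose residual score is still above the acceptance level."""
    return [r.rid for r in register if r.residual() > acceptance_level]


def statement_of_applicability(register, catalogue):
    """For each control in the catalogue: is it applicable, and which risks justify it."""
    soa = {}
    for ctrl in catalogue:
        justified_by = sorted(r.rid for r in register if ctrl in r.controls)
        soa[ctrl.ref] = {"applicable": bool(justified_by), "justified_by": justified_by}
    return soa


def significantly_changed(previous, current, threshold: int):
    """Monitoring stage: risks whose inherent score moved by more than the threshold
    since the previous assessment (new risks count as moved from 0)."""
    prev = {r.rid: r.inherent() for r in previous}
    return [r.rid for r in current if abs(r.inherent() - prev.get(r.rid, 0)) > threshold]


# Constructed control catalogue and register used by the demo and the checks.
MFA = Control("C-01", "Multi-factor authentication for remote access", 2)
BACKUP = Control("C-02", "Tested offline backups", 1)
PATCHING = Control("C-03", "Monthly patch cycle for internet-facing hosts", 1)
SERVER_ROOM = Control("C-04", "Physical access control to the server room", 1)
CATALOGUE = [MFA, BACKUP, PATCHING, SERVER_ROOM]


def sample_register():
    return [
        Risk("R1", "VPN gateway", "credential stuffing", 4, 4, controls=[MFA]),
        Risk("R2", "file server", "ransomware", 3, 5, controls=[BACKUP, PATCHING]),
        Risk("R3", "legacy fax line", "eavesdropping", 2, 2, Treatment.ACCEPT),
        Risk("R4", "public FTP server", "data leak", 3, 4, Treatment.AVOID),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for r in reg:
        print(f"{r.rid}: inherent={r.inherent():2d} residual={r.residual():2d} {r.treatment.value}")
    print("needs management approval:", needs_approval(reg, acceptance_level=6))
    print("statement of applicability:", statement_of_applicability(reg, CATALOGUE))
```

    With the constructed data, R1 keeps a residual score of 8 even with MFA selected and so appears in the list for management approval at an acceptance level of 6, while C-04 shows as not applicable in the Statement of Applicability because no risk in the register selects it. Running `significantly_changed` on last year's and this year's register is the mechanical part of the "review risk assessments at planned intervals" step; deciding what to do about the flagged risks remains a management decision.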

    The standard then sets out the documentation requirements: the documentation should include the ISMS policy and a description of the scope of the ISMS, a description of the risk assessment methodology and the risk assessment report, the risk treatment plan, and the documented procedures. A process for managing ISMS documents should also be defined, covering their updating, use, storage and disposal.

    Records must be established and maintained to provide evidence of conformity with the requirements and of the effective operation of the ISMS; these are the records of the execution of the ISMS processes. Examples include visitor logs, audit reports, etc.

    The standard specifies that the management of an organization is responsible for providing and managing the resources required to establish an ISMS and for organizing training for personnel.

    As previously noted, the organization should conduct internal ISMS audits in accordance with an approved schedule to assess whether the ISMS is functioning and complies with the standard, and management should review the information security management system.

    The organization should also work to improve the information security management system, both to increase its effectiveness and to keep it in line with the current state of the system and the requirements placed on it.
