A standard published by the [[ISO|ISO]]. This is the standard that deals with information security management. The full title of the document is "[[information security management system]] requirements". It specifies a sequence of steps an organisation must take in order to set up their [[information security management system|ISMS]]. It is fairly high level, and should be read with [[ISO 27002]], which functions as a catalogue of security controls that can be implemented as part of the [[information security management system|ISMS]]. It is possible to be certified against this standard.

## The standard

### Context of the organisation

The organisation must identify all the interested parties (in the organisation? in the system, e.g. shareholders?) and their needs for cybersecurity. The scope of the [[information security management system|ISMS]] must be decided - that is, we must make a decision about what assets we want to protect.

#### requirements

1. Understand relevant internal and external issues, such as laws and regulations
2. Identify interested stakeholders and their requirements
3. Determine the scope of the [[information security management system|ISMS]] and document it

### Leadership

One requirement for leadership is, obviously, to show leadership. That is, there must be top-level support for cybersecurity, and that support must be communicated clearly through the organisation. Additionally, a top-level security policy must be established, documented, and again disseminated to the organisation. Finally, roles and responsibilities for the [[information security management system|ISMS]], and for reporting its performance, must be set up.

#### requirements

1. Demonstrate leadership in, and commitment to, security
2. Establish and communicate a top-level security policy that includes a commitment to continual improvement
3. Assign all security-relevant roles and responsibilities, including a recursive/meta requirement that the ISMS meets the requirements of 27001

### Planning

An appropriate risk assessment process should be set up. Criteria should be decided for risk appetite, and consequently for risk acceptance. Additionally, a process should be agreed for risk treatment, covering selection of treatment options, selection of controls, and gaining acceptance of residual risks.

#### requirements

1. Identify stakeholder requirements (which will hopefully lead on naturally from [[#Context of the organisation]])
2. Plan the integration of risk management into the [[information security management system|ISMS]] and the evaluation of its effectiveness (why isn't this in [[#Performance evaluation]]?)
3. Define a [[risk management]] process capable of giving consistent results
4. Define a risk treatment process, including how to select [[control|security controls]]
5. Define how to produce a [[Statement of Applicability]]
6. Define how to obtain acceptance of residual risk from risk owners
7. Define information security objectives/KPIs

### Support

Sufficient support (in material terms) must be provided to the ISMS. That is, the staff must be qualified, and every employee must be aware of the security policies and of the ISMS.

#### requirements

1. The organisation must provide all necessary resources for the operation of the [[information security management system|ISMS]]
2. Ensure that personnel with appropriate competences are assigned to manage the [[information security management system|ISMS]]
3. Ensure all staff are aware of the security policy and their security obligations
4. Determine the need for internal and external communications relevant to the [[information security management system|ISMS]]
5. Actually draft the documentation relevant to [[ISO 27001|ISO/IEC 27001]]
6. This documentation should be identified and protected
    1. against what? against whom?

### Operation

The organisation, implementation and control of the process.

#### requirements

1. The organisation must document the implementation of all steps, with enough clarity to enable them to be audited
2. Any changes to plans must be controlled and reviewed
3. Any outsourced processes must be controlled
4. Risk assessments must be conducted and documented: both at regular intervals and exceptionally, when there's a need, or when some significant change has happened
5. The plan for risk treatments must be implemented

### Performance evaluation

Firstly, the organisation itself must review the effectiveness of its ISMS. Secondly, there must be periodic audits (remember that retrospectives and reviews are not equivalent to audits!) of the ISMS.

#### requirements

1. The organisation should evaluate the effectiveness of its [[information security management system|ISMS]]
2. There should be an analysis of which controls should be monitored and measured
3. Define the methods for monitoring and analysis
4. The organisation has to figure out the frequency of monitoring, who should do it, and how the results should be analysed
5. The organisation should construct an audit programme. This programme should audit the entire ISMS and document the results
6. The ISMS should be reviewed regularly (??) to ensure it still meets its goals

### Improvement

The organisation must have the capacity to react to security breaches, including fixing the immediate breach, conducting root cause analysis, and modifying the ISMS to prevent recurrence if possible.

#### requirements

1. React to issues with the [[information security management system|ISMS]], remediate the consequences, and make changes to the ISMS
2. These issues, and the remediations, must be documented