Information security management systems examples. Creation of an information security management system (ISMS). Information security management system


Posted on http://www.allbest.ru/

"Information Security Management System"


Introduction

An information security management system is a set of processes that work in a company to ensure the confidentiality, integrity and availability of information assets. The first part of the essay examines the process of implementing a management system in an organization, and also provides the main aspects of the benefits of implementing an information security management system.

Fig. 1. Control cycle

The list of processes and recommendations on how best to organize their functioning are given in the international standard ISO 27001:2005, which is based on the Plan-Do-Check-Act management cycle. In accordance with it, the life cycle of an ISMS consists of four types of activities: Creation - Implementation and operation - Monitoring and analysis - Maintenance and improvement (Fig. 1). This standard is discussed in more detail in the second part.

Information security management system

An information security management system (ISMS) is that part of the overall management system that is based on a business risk approach in the creation, implementation, operation, monitoring, analysis, support and improvement of information security. ISMS processes are designed in accordance with the requirements of ISO/IEC 27001:2005, which is based on the cycle

The system operates on the approaches of modern risk management theory, which ensures its integration into the organization's overall risk management system.

The implementation of an information security management system implies the development and implementation of a procedure aimed at systematic identification, analysis and mitigation of information security risks, that is, risks as a result of which information assets (information in any form and of any nature) will lose confidentiality, integrity and availability.

To ensure systematic mitigation of information security risks, based on the results of the risk assessment, the following processes are implemented in the organization:

· Management of the internal organization of information security.

· Ensuring information security when interacting with third parties.

· Management of the register of information assets and the rules for their classification.

· Equipment safety management.

· Ensuring physical security.

· Ensuring information security of personnel.

· Planning and adoption of information systems.

· Backup.

· Securing the network.

Information security management system processes affect all aspects of the organization's IT infrastructure management, since information security is the result of the sustainable functioning of information technology-related processes.

When building an ISMS in companies, specialists carry out the following work:

· Organize project management, form a project group on the part of the customer and the contractor;

· Define the scope (area of activity) of the ISMS;

· Survey the organization within the ISMS scope:

o in terms of the organization's business processes, including the analysis of the negative consequences of information security incidents;

o in terms of the organization's management processes, including the existing quality management and information security management processes;

o in terms of IT infrastructure;

o in terms of information security infrastructure.

· Develop and agree on an analytical report containing a list of the main business processes and an assessment of the consequences of the realization of information security threats in relation to them, a list of management processes, IT systems and information security subsystems (ISS), an assessment of the degree to which the organization fulfills all ISO 27001 requirements, and an assessment of the maturity of the organization's processes;

· Select the initial and target ISMS maturity level, develop and approve the ISMS Maturity Improvement Program; develop high-level information security documentation:

o Concept of information security,

o IS and ISMS policies;

· Select and adapt the risk assessment methodology applicable in the organization;

· Select, supply and deploy software used to automate ISMS processes, organize training for company specialists;

· Assess and treat risks; to reduce them, the measures of Appendix A of ISO 27001 are selected, requirements for their implementation in the organization are formulated, and technical means of information security are pre-selected;

· Develop preliminary designs of the ISS and assess the cost of risk treatment;

· Arrange for the approval of the risk assessment by the top management of the organization and develop the Statement of Applicability; develop organizational measures to ensure information security;

· Develop and implement technical projects for the implementation of technical information security subsystems that support the implementation of the selected measures, including the supply of equipment, commissioning, development of operational documentation and user training;

· Provide consultations during the operation of the constructed ISMS;

· Organize training for internal auditors and conduct internal ISMS audits.

The result of these works is a functioning ISMS. Benefits from the implementation of an ISMS in a company are achieved through:

· Effective management of compliance with legal requirements and business requirements in the field of information security;

· Prevention of IS incidents and damage reduction in case of their occurrence;

· Increasing the culture of information security in the organization;

· Increasing maturity in the field of information security management;

· Optimization of spending on information security.

ISO/IEC 27001, the international standard on information security

This standard was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It contains the information security requirements for the creation, development and maintenance of an ISMS, and specifies what an ISMS must provide to demonstrate the organization's ability to protect its information assets. The standard interprets "information security" as ensuring the confidentiality, integrity and availability of information, and is built around an information risk management system. It can also be used by interested internal and external parties to assess conformity.

The standard adopts a process approach to create, implement, operate, continuously monitor, analyze, maintain and improve an information security management system (ISMS). It consists in the application of a system of processes within an organization, together with the identification and interaction of these processes, as well as their management.

The international standard adopts the Plan-Do-Check-Act (PDCA) model, which is also called the Shewhart-Deming cycle. This cycle is used to structure all ISMS processes. Figure 2 shows how the ISMS takes information security requirements and stakeholder expectations as inputs and through the necessary actions and processes produces information security outcomes that meet those requirements and expectations.

Planning is the phase of creating an ISMS, creating an inventory of assets, assessing risks and choosing measures.

Figure 2. PDCA model applied to ISMS processes

Implementation is the stage of introducing and applying the appropriate measures.

Review is the phase of evaluating the effectiveness and performance of the ISMS. Usually performed by internal auditors.

Action - Taking preventive and corrective actions.

Conclusions

ISO 27001 describes a general model for the implementation and operation of an ISMS and actions to monitor and improve an ISMS. ISO intends to harmonize various management system standards such as ISO/IEC 9001:2000, which deals with quality management, and ISO/IEC 14001:2004, which deals with environmental management systems. The goal of ISO is to ensure consistency and integration of the ISMS with other management systems in the company. The similarity of standards allows the use of similar tools and functionality for implementation, management, revision, verification and certification. The implication is that if a company has implemented other management standards, it can use a unified audit and management system that is applicable to quality management, environmental management, safety management, etc. By implementing an ISMS, senior management gains the means to monitor and manage security, which reduces residual business risks. After implementing an ISMS, the company can formally ensure the security of information and continue to comply with the requirements of customers, legislation, regulators and shareholders.

It should be noted that in the legislation of the Russian Federation there is a document GOST R ISO/IEC 27001-2006, which is a translated version of the international standard ISO 27001.



GOST R ISO/IEC 27001-2006 "Information technology. Methods and means of ensuring security. Information security management systems. Requirements"

    The developers of the standard note that it was prepared as a model for the development, implementation, operation, monitoring, analysis, support and improvement of an information security management system (ISMS). An ISMS is defined as that part of the overall management system which is based on the use of business risk assessment methods for the development, implementation, operation, monitoring, analysis, support and improvement of information security. The management system includes the organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

    The standard assumes the use of a process approach for the development, implementation, operation, monitoring, analysis, support and improvement of the organization's ISMS. It is based on the Plan-Do-Check-Act (PDCA) model, which can be applied to structure all ISMS processes. Fig. 4.4 shows how the ISMS, taking information security requirements and the expectations of interested parties as input, produces through the necessary actions and processes information security results that meet those requirements and expectations.

    Fig. 4.4.

    At the stage "Development of an information security management system" the organization should do the following:

    · determine the scope and boundaries of the ISMS;
    · determine the ISMS policy based on the characteristics of the business, the organization, its location, assets and technologies;
    · determine the approach to risk assessment in the organization;
    · identify risks;
    · analyze and assess risks;
    · identify and evaluate different options for risk treatment;
    · select objectives and controls for risk treatment;
    · obtain management approval of the anticipated residual risks;
    · obtain management authorization for the implementation and operation of the ISMS;
    · prepare a Statement of Applicability.

    The stage "Implementation and operation of the information security management system" assumes that the organization should:

    · develop a risk treatment plan that defines the appropriate management actions, resources, responsibilities and priorities for information security risk management;
    · implement the risk treatment plan to achieve the intended management objectives, including financing issues and the distribution of roles and responsibilities;
    · implement the selected management measures;
    · determine how to measure the effectiveness of the selected control measures;
    · implement training and professional development programs for employees;
    · manage the operation of the ISMS;
    · manage ISMS resources;
    · implement procedures and other control measures to ensure rapid detection of information security events and response to information security incidents.

    The third stage, "Monitoring and analysis of the information security management system", requires the organization to:

    · carry out monitoring and analysis procedures;
    · conduct regular analysis of the effectiveness of the ISMS;
    · measure the effectiveness of control measures to verify compliance with IS requirements;
    · revise risk assessments at specified time periods, analyzing residual risks and the established acceptable risk levels with regard to changes;
    · conduct internal ISMS audits at specified time intervals;
    · regularly conduct a management review of the ISMS in order to confirm the adequacy of its functioning and determine the directions for improvement;
    · update IS plans taking into account the results of analysis and monitoring;
    · register actions and events that can affect the effectiveness or operation of the ISMS.

    Finally, the stage "Maintaining and improving the information security management system" suggests that the organization should regularly conduct the following activities:

    · identify opportunities for improving the ISMS;
    · take the necessary corrective and preventive actions, applying in practice the experience in ensuring information security gained both in its own organization and in other organizations;
    · communicate detailed information on actions to improve the ISMS to all interested parties, with a degree of detail appropriate to the circumstances, and, if necessary, agree on further actions;
    · ensure that improvements to the ISMS achieve the planned objectives.

    Further in the standard, the requirements for documentation are given, which should include the provisions of the ISMS policy and a description of the scope, a description of the methodology and a risk assessment report, a risk treatment plan, and documentation of related procedures. A process for managing ISMS documents should also be defined, including updating, use, storage and disposal.

    To provide evidence of compliance with the requirements and of the effectiveness of the ISMS, records of the execution of processes must be kept and maintained. Examples include visitor logs, audit reports, etc.

    The standard specifies that the management of an organization is responsible for providing and managing the resources required to establish an ISMS and for organizing training for personnel.

    As previously noted, the organization should conduct internal ISMS audits in accordance with an approved schedule to assess its functionality and compliance with the standard. And the management should conduct an analysis of the information security management system.

    Also, work should be carried out to improve the information security management system: to increase its effectiveness and the level of compliance with the current state of the system and the requirements for it.

    The BS ISO/IEC 27001:2005 standard describes an information security management system (ISMS) model and proposes a set of requirements for organizing information security in an enterprise without prescribing the implementation methods, which are chosen by the organization's implementers.


    The decision on the creation (and subsequent certification) of an ISMS is taken by the top management of the organization. This demonstrates management support and reaffirmation of the value of the ISMS to the business. The organization's management initiates the creation of an ISMS planning team.

    The group responsible for planning the ISMS should include:

    · Representatives of the top management of the organization;

    · Representatives of business units covered by the ISMS;

    · Specialists of information security departments;

    · Third-party consultants (if necessary).

    The IS Committee provides support for the operation of the ISMS and its continuous improvement.

    The working group should be guided by the regulatory and methodological framework, both in relation to the creation of an ISMS, and related to the field of activity of the organization, and, of course, by the general system of state laws.

    Regulatory framework for creating an ISMS:

    · ISO/IEC 27000:2009 Vocabulary and definitions.

    · ISO/IEC 27001:2005 General requirements for an ISMS.

    · ISO/IEC 27002:2005 Practical guide for information security management.

    · ISO/IEC 27003:2010 Practical guidance for the implementation of an ISMS.

    · ISO/IEC 27004:2009 Metrics (measurements) of information security.

    · ISO/IEC 27005:2011 Guidelines for information security risk management.

    · ISO/IEC Guide 73:2002, Risk management - Vocabulary - Guidelines for use in standards.

    · ISO/IEC 13335-1:2004, Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management.

    · ISO/IEC TR 18044 Information technology - Security techniques - Information security incident management.

    · ISO/IEC 19011:2002 Guidelines for quality and/or environmental management systems auditing.

    · British Standards Institution ISMS Methodology Series (formerly PD 3000 Series Documents).

    The process of creating an ISMS consists of 4 stages:

    Stage 1. Planning an ISMS.

    Establishing policies, objectives, processes and procedures related to risk management and information protection in accordance with the overall policy and objectives of the organization.

    a) Determining the scope and boundaries of the ISMS:

    · Description of the type of activity and business goals of the organization;

    · An indication of the boundaries of the systems covered by the ISMS;

    · Description of the organization's assets (types of information resources, software and hardware, personnel and organizational structure);

    · Description of business processes using the protected information.

    A description of the system boundaries includes:

    · Description of the existing structure of the organization (with possible changes that may arise in connection with the development of the information system).

    · Information system resources to be protected (computers, information, system and application software). To assess them, a system of criteria and a methodology for obtaining assessments according to these criteria (categorization) should be selected.

    · Information processing technology and tasks to be solved. For the tasks to be solved, information processing models should be built in terms of resources.

    · Diagram of the organization's information system and supporting infrastructure.

    As a rule, at this stage, a document is drawn up in which the boundaries of the information system are fixed, the information resources of the company to be protected are listed, a system of criteria and methods for assessing the value of the company's information assets is provided.

    b) Definition of the organization's ISMS policy (expanded version of the ISS).

    · Objectives, directions and principles of activity in relation to information protection;

    · Description of the strategy (approaches) of risk management in the organization, structuring of countermeasures to protect information by type (legal, organizational, hardware and software, engineering and technical);

    · Description of the criteria for the significance of the risk;

    · The position of the management, determination of the frequency of meetings on the topic of information security at the management level, including periodic revision of the provisions of the information security policy, as well as the procedure for training all categories of users of the information system on information security.

    c) Determining the approach to risk assessment in the organization.

    The risk assessment methodology is selected depending on the ISMS, established business information security requirements, legal and regulatory requirements.

    The choice of the risk assessment methodology depends on the level of requirements for the information security regime in the organization, the nature of the threats taken into account (the spectrum of threat impact) and the effectiveness of potential countermeasures to protect information. In particular, a distinction is made between basic and increased or complete requirements for the information security mode.

    The basic information security level corresponds to the minimum requirements for the IS regime. Such requirements apply, as a rule, to typical design solutions. A number of standards and specifications consider the minimum (typical) set of the most likely threats, such as viruses, equipment failures and unauthorized access. To neutralize these threats, countermeasures must be taken regardless of the likelihood of their realization and of the vulnerability of the resources; thus, at the basic level it is not necessary to consider the characteristics of threats. Foreign standards in this area include ISO 27002, BSI, NIST, etc.

    Where violations of the IS regime would lead to serious consequences, additional requirements are imposed.

    To formulate additional increased requirements, you must:

    · Determine the value of resources;

    · Add to the standard set a list of threats that are relevant to the studied information system;

    · Assess the likelihood of threats;

    · Determine resource vulnerabilities;

    · Assess the potential damage from the actions of intruders.

    It is necessary to find a risk assessment methodology that can be used with minimal changes on an ongoing basis. There are two ways: to use existing methods and tools for risk assessment available on the market, or to create your own methodology, adapted to the specifics of the company and the area of activity covered by the ISMS.

    The latter option is the most preferable, since so far most of the products on the market that implement one or another risk analysis methodology do not meet the requirements of the Standard. Typical disadvantages of such techniques are:

    · A standard set of threats and vulnerabilities that are often impossible to change;

    · Acceptance as assets only of software, hardware and information resources - without considering human resources, services and other important resources;

    · The overall complexity of the methodology in terms of its sustainable and repeatable use.

    · Criteria for accepting risks and acceptable levels of risk (should be based on the achievement of the strategic, organizational and management objectives of the organization).

    d) Risk identification.

    · Identification of assets and their owners:

    o informational input data;

    o informational output;

    o information records;

    o resources: people, infrastructure, hardware, software, tools, services.

    · Identification of threats (standards for risk assessment often suggest classes of threats that can be supplemented and expanded).

    · Identification of vulnerabilities (there are also lists of the most common vulnerabilities that you can rely on when analyzing your organization).

    · Determination of the value of assets (possible consequences from loss of confidentiality, integrity and availability of assets). Information about the value of an asset can be obtained from its owner or from a person to whom the owner has delegated all the authority over this asset, including ensuring its security.

    e) Risk assessment.

    · Assessment of the damage that can be caused to the business from the loss of confidentiality, integrity and availability of assets.

    · Assessment of the likelihood of the implementation of threats through existing vulnerabilities, taking into account the available IS management tools and assessing the possible damage caused;

    · Determination of the level of risk.

    · Application of risk acceptance criteria (acceptable / requiring treatment).

    f) Risk treatment (in accordance with the selected risk management strategy).

    Possible actions:

    Passive actions:

    · Risk acceptance (decision that the resulting level of risk is acceptable);

    · Risk avoidance (decision to change the activity that causes a given level of risk, for example moving the web server outside the local network);

    Active actions:

    · Risk reduction (using organizational and technical countermeasures);

    · Risk transfer (insurance against fire, theft, software bugs).

    The choice of possible actions depends on the accepted risk criteria: an acceptable level of risk is set, along with the levels of risk that can be reduced by information security controls, the levels of risk at which it is recommended to abandon or transform the activity that causes them, and the risks that it is desirable to transfer to other parties.
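    The following Python risk register is an added illustration of steps (e) and (f) above; it is not part of the original essay and is not a method prescribed by ISO/IEC 27001. It scores each risk from the worst of its confidentiality, integrity and availability impacts and its likelihood (assessed with existing controls in mind), applies risk acceptance criteria, and maps each risk to one of the four treatment options named above. The 5-point scales, the thresholds, the `transferable` flag and the sample assets are constructed assumptions; an organization records its own criteria in its risk assessment methodology.

```python
"""Qualitative risk register: assessment (step e) and treatment decision (step f).

Added example. The scales, thresholds and sample risks are constructed
assumptions, not values taken from ISO/IEC 27001 or from the essay.
"""
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    ACCEPT = "accept"      # passive: level is within the acceptance criteria
    AVOID = "avoid"        # passive: change or abandon the activity causing the risk
    REDUCE = "reduce"      # active: organizational and technical countermeasures
    TRANSFER = "transfer"  # active: insurance or contractual transfer to another party


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact_c: int          # damage from loss of confidentiality, 1..5 (assumed scale)
    impact_i: int          # damage from loss of integrity, 1..5
    impact_a: int          # damage from loss of availability, 1..5
    likelihood: int        # 1..5, taking existing controls into account
    transferable: bool = False  # loss that can be insured or contractually transferred


# Constructed acceptance criteria (assumption): level = impact x likelihood.
ACCEPTABLE_MAX = 6   # <= 6 is within the acceptable level: no treatment required
REDUCIBLE_MAX = 15   # 7..15: reduce with controls (or transfer where possible)
                     # > 15: recommend abandoning or transforming the activity


def impact(risk: Risk) -> int:
    """Business impact is the worst of the three CIA consequences."""
    for value in (risk.impact_c, risk.impact_i, risk.impact_a, risk.likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"scale value out of range: {value}")
    return max(risk.impact_c, risk.impact_i, risk.impact_a)


def risk_level(risk: Risk) -> int:
    """Step e: determine the level of risk."""
    return impact(risk) * risk.likelihood


def decide(risk: Risk) -> Treatment:
    """Step f: apply the acceptance criteria and choose a treatment option."""
    level = risk_level(risk)
    if level <= ACCEPTABLE_MAX:
        return Treatment.ACCEPT
    if level <= REDUCIBLE_MAX:
        return Treatment.TRANSFER if risk.transferable else Treatment.REDUCE
    return Treatment.AVOID


def register(risks):
    """Rows (level, risk, treatment) sorted highest level first, as a treatment plan lists them."""
    rows = [(risk_level(r), r, decide(r)) for r in risks]
    rows.sort(key=lambda row: row[0], reverse=True)  # stable: ties keep input order
    return rows


# Constructed sample risks with hypothetical assets (not from the original page).
SAMPLE_RISKS = [
    Risk("customer database", "unauthorized access", "weak administrator passwords", 5, 4, 2, 3),
    Risk("file server", "hardware failure", "no tested backup", 1, 3, 4, 2),
    Risk("server room", "fire", "no fire suppression", 1, 1, 4, 2, transferable=True),
    Risk("internal wiki", "disclosure of low-value notes", "no access logging", 2, 1, 1, 2),
    Risk("web server inside the office LAN", "spread of a web-server compromise to internal systems",
         "flat network", 5, 5, 4, 4),
]

if __name__ == "__main__":
    for level, r, action in register(SAMPLE_RISKS):
        print(f"{level:>2}  {action.value:<8}  {r.asset}: {r.threat} via {r.vulnerability}")
```

    The last sample row mirrors the essay's own avoidance example (moving the web server outside the local network): its level exceeds the reducible band, so the register recommends changing the activity rather than adding controls. The thresholds are the organization's decision; changing `ACCEPTABLE_MAX` and `REDUCIBLE_MAX` is exactly the "criteria for accepting risks" step of the methodology.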

    g) Selecting objectives and controls for risk treatment.

    Control objectives and controls should implement the risk management strategy and take into account the risk acceptance criteria and legal, regulatory and other requirements.

    ISO/IEC 27001:2005 (Annex A) provides a list of control objectives and controls that serves as the basis for building the risk treatment plan (ISMS requirements).

    The risk treatment plan contains the prioritized list of measures for reducing risk levels, indicating:

    · the persons responsible for implementing the measures and for their funding;

    · the deadlines for the measures and their priority;

    · the resources needed to carry them out;

    · the levels of residual risk expected after the measures and controls are implemented.

    The top management of the organization is responsible for adopting and overseeing the risk treatment plan. Completion of the key measures of the plan is the criterion for deciding to put the ISMS into operation.

    At this stage the choice of countermeasures is justified, structured by the regulatory, organizational, managerial, technological, and hardware and software levels of information security. (The set of countermeasures is then implemented in accordance with the selected risk management strategy.) In a full risk analysis, the effectiveness of the countermeasures is additionally assessed for each risk.

    h) Management approval of the proposed residual risk.

    i) Obtain management approval for the implementation and commissioning of the ISMS.

    j) Statement of Applicability (in accordance with ISO/IEC 27001:2005).

    The date the ISMS is put into operation is the date on which the company's top management approves the Statement of Applicability, which lists the control objectives and controls the organization has chosen to manage its risks (and, for each Annex A control not selected, the justification for excluding it):

    · the controls selected during the risk treatment stage;

    · controls already in place in the organization;

    · controls that ensure compliance with legal and regulatory requirements;

    · controls that ensure fulfilment of customer requirements;

    · controls that ensure fulfilment of general corporate requirements;

    · any other appropriate controls.

    Stage 2. Implementation and operation of the ISMS.

    To implement and operate the information security policy, controls, processes and procedures in the field of information security, the following actions are performed:

    a) Development of a risk treatment plan: a description of the planned controls, the resources (software, hardware, personnel) required to implement, support and monitor them, and management responsibilities for information security risk management (documents produced at the planning stage, support of the information security objectives, definition of roles and responsibilities, provision of the resources needed to establish the ISMS, audits and reviews).

    b) Allocation of funding, roles and responsibilities for the implementation of the risk treatment plan.

    c) Implementation of planned controls.

    d) Definition of performance indicators (metrics) for the controls, and of measurement methods that give comparable and reproducible results.

    e) Training and awareness of personnel in information security in accordance with their job responsibilities.

    f) Managing the operation of the ISMS and the resources needed to maintain, monitor and improve it.

    g) Implementation of procedures and other controls for the prompt detection of, and response to, information security incidents.

    Stage 3: Continuous monitoring and analysis of the functioning of the ISMS.

    This stage consists of assessing or measuring the key performance indicators of the processes, analysing the results and reporting them to management for review; it includes:

    a) Continuous monitoring and analysis, which makes it possible to detect errors in the functioning of the ISMS promptly, to identify and respond to security incidents quickly, to delineate the roles of personnel and automated systems in the ISMS, to prevent incidents by analysing unusual behaviour, and to determine how effectively security incidents are handled.

    b) Regular review of the effectiveness of the ISMS (compliance with the ISMS policy and objectives, audit results, key performance indicators, and proposals and feedback from stakeholders).

    c) Measuring the effectiveness of controls to verify that security requirements are met.

    d) Periodic reassessment of risks, review of residual risks and of the acceptable levels of risk in the light of any changes in the organization (business goals and processes, identified threats, newly discovered vulnerabilities, etc.).

    e) Periodic internal audits of the ISMS.

    An ISMS audit checks that the selected countermeasures match the business goals and objectives declared in the organization's information security policy; on the basis of its results the residual risks are reassessed and, where necessary, the countermeasures are optimized.

    f) Regular management review of the scope and direction of the ISMS.

    g) Updating the risk treatment plans to reflect the results of monitoring and review.

    h) Maintaining a record of actions and events that could affect the effectiveness or quality of the ISMS.

    Stage 4. Maintaining and improving the ISMS.

    On the basis of the results of the internal ISMS audit and the management review, corrective and preventive actions are developed and implemented so that the ISMS is continually improved:

    a) Improvement of the information security policy and objectives, of the audit process and of the analysis of observed events.

    b) Development and implementation of corrective and preventive actions to eliminate non-conformities with the ISMS requirements.

    c) Monitoring the improvements to the ISMS and verifying that they achieve their intended purpose.

    Conclusion

    ISO 27001 describes a general model for implementing and operating an ISMS and for monitoring and improving it. ISO aims to harmonize its management system standards, such as ISO 9001:2000 for quality management and ISO 14001:2004 for environmental management, so that an ISMS can be integrated consistently with the other management systems in a company. The similarity of the standards allows the same tools and procedures to be used for implementation, management, review, audit and certification. In practice, a company that has already implemented another management system standard can use a unified audit and management framework covering quality management, environmental management, information security management and so on. By implementing an ISMS, senior management gains the means to monitor and manage security, which reduces the residual business risks. After implementing an ISMS, the company can demonstrate in a formal way that its information is protected and that it continues to comply with the requirements of customers, legislation, regulators and shareholders.

    It should be noted that in the Russian Federation the standard exists as GOST R ISO/IEC 27001-2006, a translated national adoption of ISO/IEC 27001:2005.

    Bibliography

    1. Korneev I.R., Belyaev A.V. Information security of the enterprise. St. Petersburg: BHV-Petersburg, 2003. 752 p.

    2. International standard ISO/IEC 27001 (http://www.specon.ru/files/ISO27001.pdf) (accessed 23.05.2012).

    3. National standard of the Russian Federation GOST R ISO/IEC 27003 "Information technology. Security techniques. Information security management system implementation guidance" (http://niisokb.ru/news/documents/IDT%20ISO%20IEC%2027003-2011-09-14.pdf) (accessed 23.05.2012).

    4. Skiba V.Yu., Kurbatov V.A. Guidelines for protecting against internal threats to information security. St. Petersburg: Piter, 2008. 320 p.

    An information security management system is that part of the overall management system which, based on a business risk approach, establishes, implements, operates, monitors, reviews, maintains and improves information security.

    The management system includes the organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources. [GOST R ISO/IEC 27001-2006]

    The ISO 27001 standard defines the requirements for an information security management system (ISMS). The requirements of the standard are deliberately generic and are not tied to the specifics of any particular field of activity.

    The growth of information systems in the early 1990s created the need for a security management standard. At the request of UK government and industry, the UK Department of Trade and Industry developed a code of practice for information security management, which was published as the British standard BS 7799.

    BS 7799 then went through a series of revisions. The most important milestone in its career came in 2005, when its ISMS requirements part (BS 7799-2) was adopted as the international standard ISO/IEC 27001:2005, confirming that its requirements reflected contemporary ISMS practice. From that moment on, leading enterprises around the world began to implement ISO 27001 and to prepare for certification.

    ISMS structure

    A modern ISMS is a process-oriented management system with organizational, documentary, and software and hardware components. Three "views" of the ISMS can be distinguished: the process view, the documentation view and the maturity view.

    The ISMS processes are built in accordance with the requirements of ISO/IEC 27001:2005, which is based on the Plan-Do-Check-Act management cycle. Accordingly, the ISMS life cycle consists of four kinds of activity: establishment, implementation and operation, monitoring and review, and maintenance and improvement. The documented ISMS processes ensure that all requirements of ISO/IEC 27001 are met.

    The ISMS documentation consists of policies, documented procedures, standards and records, and is divided into two parts: the ISMS management documentation and the ISMS operational documentation.

    The ISMS maturity model determines how detailed the documentation is and how far the ISMS management and operation processes are automated. The COBIT maturity model is used for assessment and planning. The ISMS maturity improvement programme sets out the measures, and their timing, for improving the information security management processes and the management of the operation of information security facilities.

    The standard applies the PDCA (Plan-Do-Check-Act) model to the ISMS life cycle, which covers establishment, implementation, operation, monitoring, review, maintenance and improvement (Figure 1).

    Plan: the phase of establishing the ISMS; compiling the asset inventory, assessing risks and selecting controls.

    Do: the phase of implementing and operating the selected controls.

    Check: the phase of assessing the effectiveness and efficiency of the ISMS; usually performed by internal auditors.

    Act: the phase of taking preventive and corrective actions.

    The process of creating an ISMS consists of four stages:

    Planning: identifying, analysing and designing the treatment of information security risks. This requires a methodology for categorizing information assets and a formal risk assessment based on the threats and vulnerabilities relevant to the information infrastructure under consideration. Within a PCI DSS audit scope, for example, two kinds of valuable information assets with different levels of criticality can be distinguished: cardholder data and sensitive authentication data.

    Implementation: carrying out the planned risk treatment, including the procedure for starting a new information security process or modernizing an existing one. Particular attention should be paid to describing roles and responsibilities and to planning the implementation.

    Monitoring: checking the ISMS processes in operation. Both the individual processes and the ISMS as a whole are subject to effectiveness monitoring; the four management processes are not carved in stone and are themselves improved over time.

    Improvement: improving the ISMS processes according to the monitoring results, through corrective and preventive actions.


    Information security concept

    The ISO 27001 standard defines information security as "the preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved."

    Confidentiality: the property that information is made available only to those who are authorized to access it (authorized users).

    Integrity: safeguarding the accuracy and completeness of information and of the methods used to process it.

    Availability: the property of being accessible to authorized users whenever required (on demand).

    4 Information security management system

    4.1 General requirements

    The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks it faces. For the purposes of this International Standard, the process used is based on the PDCA model shown in Fig. 1.

    4.2 Establishing and managing an ISMS

    4.2.1 Establishing the ISMS

    The organization shall do the following.

    a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology, including details of and justification for any exclusions from the scope (see 1.2).

    b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that:

    1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;

    2) takes account of business and legal or regulatory requirements and contractual security obligations;

    3) is aligned with the organization's strategic risk management context, within which the ISMS is established and maintained;

    4) establishes the criteria against which risk will be evaluated (see 4.2.1 c)); and

    5) has been approved by management.

    NOTE: For the purposes of this International Standard, the ISMS policy is considered a superset of the information security policy. These policies can be described in one document.

    c) Define the risk assessment approach of the organization.

    1) Identify a risk assessment methodology that is suited to the ISMS and to the identified business information security, legal and regulatory requirements.

    2) Develop criteria for accepting risks and identify the acceptable levels of risk (see 5.1 f)).

    The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.

    NOTE: There are different risk assessment methodologies. Examples are discussed in ISO/IEC TR 13335-3, Information technology - Guidelines for the management of IT Security - Techniques for the management of IT Security.

    d) Identify the risks.

    1) Identify the assets within the scope of the ISMS and the owners of these assets. (Footnote 2: the term "owner" identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the asset. It does not mean that the person actually has any property rights to the asset.)

    2) Identify the threats to those assets.

    3) Identify the vulnerabilities that might be exploited by the threats.

    4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

    e) Analyse and evaluate the risks.

    1) Assess the business impact on the organization that might result from a security failure, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.

    2) Assess the realistic likelihood of such a security failure occurring in the light of the prevailing threats and vulnerabilities, the impacts associated with the assets, and the controls currently implemented.

    3) Estimate the levels of risk.

    4) Determine whether each risk is acceptable or requires treatment, using the risk acceptance criteria established in 4.2.1 c) 2).

    f) Identify and evaluate options for the treatment of risks.

    Possible actions include:

    1) applying appropriate controls;

    2) knowingly and objectively accepting risks, provided they clearly satisfy the organization's policy and the criteria for accepting risks (see 4.2.1 c) 2));

    3) avoiding risks; and

    4) transferring the associated business risks to other parties, e.g. insurers or suppliers.

    g) Select control objectives and controls for the treatment of risks.

    Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks (see 4.2.1 c) 2)) as well as legal, regulatory and contractual requirements.

    Control objectives and controls from Annex A shall be selected as part of this process as suitable to cover the identified requirements.

    The control objectives and controls listed in Annex A are not exhaustive, and additional control objectives and controls may also be selected.

    NOTE: Annex A contains a comprehensive list of control objectives and controls that have been found to be commonly relevant in organizations. Users of this International Standard are directed to Annex A as a starting point for control selection, so that no important control options are overlooked.

    h) Obtain management approval of the proposed residual risks.
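    The following is a worked example, added by the editor and not taken from the essay or from the text of ISO/IEC 27001, of the sequence just described: clause 4.2.1 c) to h) here and, equivalently, steps e) to j) of Stage 1 above (risk assessment, treatment decision, risk treatment plan with residual risks, and Statement of Applicability). Everything numeric is an assumption that the page does not state: impact and likelihood on 1 to 5 scales, risk level = impact x likelihood, an acceptance threshold of 6, and a fixed number of likelihood steps removed by each planned control. The assets, threats, vulnerabilities and control effects are constructed for illustration; the Annex A references follow the 2005 edition numbering.

```python
"""Worked ISMS risk assessment, treatment plan and Statement of Applicability.
Added example, not from the essay or from ISO/IEC 27001. Assumptions: 1..5 scales,
risk = impact x likelihood, acceptance threshold 6, per-control likelihood cut.
All asset, threat and control-effect data below are constructed."""
from dataclasses import dataclass, field

ACCEPTABLE_LEVEL = 6   # assumed risk acceptance criterion (clause 4.2.1 c) 2))

@dataclass
class Asset:
    name: str
    owner: str     # accountable for the asset's security (4.2.1 d) 1))
    impact: dict   # damage from loss of "C", "I" or "A", 1..5 (4.2.1 e) 1))

@dataclass
class Control:
    ref: str            # Annex A reference (2005 edition numbering)
    name: str
    likelihood_cut: int  # assumed effect: likelihood steps the control removes

@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    loss: str        # property affected: "C", "I" or "A"
    likelihood: int  # 1..5, judged with controls already in place (4.2.1 e) 2))
    planned: list = field(default_factory=list)  # controls chosen for treatment

    def current_level(self) -> int:
        return self.asset.impact[self.loss] * self.likelihood

    def residual_level(self) -> int:
        """Risk level expected once the planned controls are implemented."""
        cut = sum(c.likelihood_cut for c in self.planned)
        return self.asset.impact[self.loss] * max(1, self.likelihood - cut)

def treatment(risk: Risk) -> str:
    """Treatment decision (4.2.1 f)) against the acceptance criterion."""
    if risk.current_level() <= ACCEPTABLE_LEVEL:
        return "accept"            # knowingly accepted and recorded, not ignored
    if risk.residual_level() <= ACCEPTABLE_LEVEL:
        return "reduce"            # planned controls bring it within the criterion
    # Controls alone do not reach the criterion: management must avoid the
    # activity or transfer the risk (insurance, supplier); flag it for review.
    return "avoid-or-transfer"

def treatment_plan(risks: list) -> list:
    """Risk treatment plan rows, highest current risk first (that is the priority)."""
    rows = []
    for r in sorted(risks, key=lambda r: r.current_level(), reverse=True):
        rows.append({"asset": r.asset.name, "threat": r.threat,
                     "owner": r.asset.owner, "level": r.current_level(),
                     "treatment": treatment(r),
                     "controls": [c.ref for c in r.planned],
                     "residual": r.residual_level()})
    return rows

def statement_of_applicability(risks: list, existing: list, catalogue: list) -> dict:
    """Mark every catalogue control applicable or excluded, with a justification."""
    chosen = {c.ref: r for r in risks for c in r.planned}
    in_place = {c.ref for c in existing}
    soa = {}
    for ctrl in catalogue:
        if ctrl.ref in chosen:
            r = chosen[ctrl.ref]
            soa[ctrl.ref] = ("applicable", f"treats '{r.threat}' to {r.asset.name}")
        elif ctrl.ref in in_place:
            soa[ctrl.ref] = ("applicable", "already implemented")
        else:
            soa[ctrl.ref] = ("excluded", "no assessed risk requires it")
    return soa

# Constructed sample data (not from the page).
CATALOGUE = [
    Control("A.9.1.1", "Physical security perimeter", 1),
    Control("A.10.4.1", "Controls against malicious code", 2),
    Control("A.10.5.1", "Information back-up", 2),
    Control("A.10.8.4", "Electronic messaging", 1),
    Control("A.11.2.1", "User registration", 1),
    Control("A.12.6.1", "Control of technical vulnerabilities", 2),
]
EXISTING = [CATALOGUE[0]]
CRM = Asset("customer database", "head of sales", {"C": 5, "I": 4, "A": 3})
WEB = Asset("public web server", "IT operations", {"C": 2, "I": 3, "A": 4})
RISKS = [
    Risk(CRM, "malware exfiltration", "unpatched workstations", "C", 4,
         planned=[CATALOGUE[1], CATALOGUE[5]]),
    Risk(CRM, "insider data sale", "broad read access", "C", 3, planned=[CATALOGUE[4]]),
    Risk(CRM, "ransomware", "no tested restore", "A", 4, planned=[CATALOGUE[2]]),
    Risk(WEB, "defacement", "stale CMS version", "I", 3, planned=[CATALOGUE[5]]),
    Risk(WEB, "power outage", "single power feed", "A", 1),
]

if __name__ == "__main__":
    for row in treatment_plan(RISKS):
        print(row)
    for ref, (status, why) in statement_of_applicability(RISKS, EXISTING, CATALOGUE).items():
        print(ref, status, why)
```

    With this data the insider risk is the instructive case: the one planned control leaves the residual level at 10, above the threshold, so the register flags it as avoid-or-transfer rather than silently reporting it as treated. The Statement of Applicability also records controls that are merely already in place, and gives a justification for the one control no assessed risk needs, which is what an auditor will look for.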

    4) help to detect security events and thereby prevent security incidents by the use of indicators; and

    5) determine whether the actions taken to resolve a breach of security were effective.

    b) Undertake regular reviews of the effectiveness of the ISMS (including meeting the ISMS policy and objectives, and review of the security controls), taking into account the results of security audits, incidents, results from effectiveness measurements, and suggestions and feedback from all interested parties.

    c) Measure the effectiveness of controls to verify that security requirements have been met.

    d) Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risk, taking into account changes to:

    1) the organization;

    2) technology;

    3) business objectives and processes;

    4) identified threats;

    5) the effectiveness of the implemented controls; and

    6) external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in the social climate.

    e) Conduct internal ISMS audits at planned intervals (see 6).

    NOTE: Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself for internal purposes.

    f) Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and that improvements in the ISMS process are identified.

    g) Update security plans to take into account the findings of monitoring and review activities.

    h) Record actions and events that could have an impact on the effectiveness or performance of the ISMS (see 4.3.3).

    4.2.4 Maintaining and improving the ISMS

    The organization shall regularly do the following.

    a) Implement the identified improvements in the ISMS.

    b) Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3. Apply the lessons learnt from the security experiences of other organizations and from those of the organization itself.

    c) Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, as relevant, agree on how to proceed.

    d) Ensure that the improvements achieve their intended objectives.

    4.3 Documentation requirements

    4.3.1 General

    The documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.

    It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.

    The ISMS documentation shall include:

    a) documented statements of the ISMS policy and objectives (see 4.2.1 b));

    b) the scope of the ISMS (see 4.2.1 a));

    c) procedures and controls in support of the ISMS;

    d) a description of the risk assessment methodology (see 4.2.1 c));

    e) the risk assessment report (see 4.2.1 c) to 4.2.1 g));

    f) the risk treatment plan (see 4.2.2 b));

    g) the documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and to describe how the effectiveness of controls is measured (see 4.2.3 c));

    h) the records required by this International Standard (see 4.3.3); and

    i) the Statement of Applicability.

    NOTE 1: Where the term "documented procedure" appears within this International Standard, it means that the procedure is established, documented, implemented and maintained.

    NOTE 2: The extent of the ISMS documentation can differ from one organization to another owing to:

    the size of the organization and the type of its activities; and

    the scope and complexity of the security requirements and of the system being managed.

    NOTE 3: Documents and records may be in any form or type of medium.

    4.3.2 Document control

    Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to:

    a) approve documents for adequacy prior to issue;

    b) review and update documents as necessary, and re-approve them;

    c) ensure that changes and the current revision status of documents are identified;

    d) ensure that relevant versions of applicable documents are available at the points of use;

    e) ensure that documents remain legible and readily identifiable;

    f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification;

    g) ensure that documents of external origin are identified;

    h) ensure that the distribution of documents is controlled;

    i) prevent the unintended use of obsolete documents; and

    j) apply suitable identification to obsolete documents if they are retained for any purpose.

    4.3.3 Control of records

    Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the ISMS. They shall be protected and controlled. The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented.

    Records shall be kept of the performance of the process as outlined in 4.2 and of all significant security incidents related to the ISMS.

    Examples of records are visitors' books, audit records and completed access authorization forms.