The Cove Business Standards Discussion Forums
Integration of Information Security in an existent Integrated Management System
Some Related Topic Tags
information security, isms (information security management system), iso 27001 - information security management system (isms), management system and related processes, management systems integration
  Post Number #1  
Old 23rd July 2018, 03:46 PM
amelbel
Please Help! Integration of Information Security in an existent Integrated Management System

Hello everyone. Our company already has an IMS which contains a Quality Management System, an Environmental Management System and a Health and Safety Management System, all three listed in a statement which defines the objective of the IMS. The company wants to be ISO 27001 certified, and so it has published a policy for the ISMS implementation and set its objectives. What I want to know is: must we create a new management system for information security, or just integrate it with the other MS? I want to know so I can figure out where to put the IS process, in the support processes or in the management processes. Also, I want to know who is responsible for the audit: is it the quality auditors, or must it be security professionals?

  Post Number #2  
Old 23rd July 2018, 04:13 PM
Sidney Vianna
re: Integration of Information Security in an existent Integrated Management System

Quote:
In Reply to Parent Post by amelbel View Post

What I want to know is must we create a new management system for the information security or just integrate it with the other MS.
Welcome to The Cove. There is only ONE WAY to do this "integration of management system standards" right. The business processes have to be assessed and engineered/re-engineered to support conformance with the requirements of the multiple standards. Conformance to standards has to be done embedded in the way the company/organization runs. Outside of that is unsustainable and just window dressing.
Quote:
In Reply to Parent Post by amelbel View Post

Also I want to know who is responsible of the audit is it the quality auditors or must it be security professionnels
The internal auditors performing their jobs must be competent for the job. So, information security touches on many business processes that are outside of the typical quality system auditing scope. Chances are, "quality system" auditors would have to be developed to be made competent to assess your business processes against ISO 27001, 27005 and your own, internally developed, information security requirements.

Good luck.
  Post Number #3  
Old 23rd July 2018, 05:12 PM
amelbel
re: Integration of Information Security in an existent Integrated Management System

Thanks a lot for your fast reply and for your help. Just so I know: is it normal to define the objectives of the ISMS in a separate document, and we must just take it into consideration in the process map? Also, does the Information Security process have to be one of the management processes or a support process?
  Post Number #4  
Old 23rd July 2018, 06:17 PM
Sidney Vianna
re: Integration of Information Security in an existent Integrated Management System

Quote:
In Reply to Parent Post by amelbel View Post

also the Information Security process does it have to be one of the management processes or a support process.
Information security is NOT a process. It is a system, comprised of many processes and subprocesses, for a typical medium to large size organization.

If you have mapped your business processes, you should be able to identify which ones have a component that impacts quality, environment, health & safety, information security, etc...

That is the biggest challenge for people trying to "implement" Integrated Management Systems. They disregard the real process map. The business process map.

The following is in the ISO High Level Structure annex that forms the basis for all of the ISO Management System Standards:

Quote:
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the XXX management system by:

...snip....

— ensuring the integration of the XXX management system requirements into the organization’s business processes;
Until that is clearly understood, there is no real integration of sub systems. Just window dressing to pass audits and become certified.

Last edited by Sidney Vianna; 24th July 2018 at 04:49 PM.
  Post Number #5  
Old 25th July 2018, 03:49 PM
amelbel
Re: Integration of Information Security in an existent Integrated Management System

Thanks again, and sorry for the late reply. I know that I seem new in this domain; that's because it is the case. I was hired for the purpose of the ISO 27001 certification, and although I am inexperienced I want to do things right. I don't want to redo the work later, which is why I try my best to understand all these new concepts. I do realize that information security is not a process. I'll tell you how things are now, and I count on you to correct anything that seems wrong to you.

The first thing that was done was creating a document named Information Security Policy, in which were stated the obligations of the management and the objectives of the IS policy.

Then a support process named Information Security System was created, in which were stated the final objective, the pilot, the input and output documents, the procedures and the metrics.

Metrics were also stated in the objectives array, but were restricted to one process, the ISS process.

The audit procedure and the process management procedure's contents didn't include any reference to information security.

So I wanted to create a management system for security, but separated from the others; or is it mandatory to integrate it with the others?

Also, you're saying the ISMS is not a process, so I must create other processes related to the ISMS that help it do its job, and categorize them as support, operation or management processes. Am I right?

Finally, could you recommend me something to read, or similar, to help me understand more about what must be done?

Thanks a lot