Integration of Information Security in an existent Integrated Management System

amelbel

Hello everyone, our society already has an IMS which contains a Quality Management System, an Environmental Management System and a Health and Safety Management System, all three listed in a statement which defines the objective of the IMS. The society wants to be ISO 27001 certified and so they published a policy for the ISMS implementation and setting its objectives. What I want to know is: must we create a new management system for the information security or just integrate it with the other MS? I want to know so I can figure out where to put the IS process, in the support process or the management process. Also I want to know who is responsible for the audit: is it the quality auditors or must it be security professionals?

Sidney Vianna

What I want to know is must we create a new management system for the information security or just integrate it with the other MS.
Welcome to The Cove. There is only ONE WAY to do this "integration of management system standards" right. The business processes have to be assessed and engineered/re-engineered to support conformance with the requirements of the multiple standards. Conformance to standards has to be done embedded in the way the company/organization runs. Outside of that is unsustainable and just window dressing.
Also I want to know who is responsible of the audit is it the quality auditors or must it be security professionnels
The internal auditors performing their jobs must be competent for the job. So, information security touches on many business processes that are outside of the typical quality system auditing scope. Chances are, "quality system" auditors would have to be developed to be made competent to assess your business processes against ISO 27001, 27005 and your own, internally developed, information security requirements.

Good luck.
amelbel

Thanks a lot for your fast reply and for your help. Just to know: so it's normal to define the objectives of the ISMS in a separate document, and we must just take it into consideration in the process map? Also, the Information Security process, does it have to be one of the management processes or a support process?

Sidney Vianna

also the Information Security process does it have to be one of the management processes or a support process.
Information security is NOT a process. It is a system, comprised of many processes and subprocesses, for a typical medium to large size organization.

If you have mapped your business processes, you should be able to identify which ones have a component that impacts quality, environment, health & safety, information security, etc...

That is the biggest challenge for people trying to "implement" Integrated Management Systems. They disregard the real process map. The business process map.

The following is in the ISO High Level Structure annex that forms the basis for all of the ISO Management System Standards:

5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the XXX management system by:

...snip....

— ensuring the integration of the XXX management system requirements into the organization’s business processes;

Until that is clearly understood, there is no real integration of sub systems. Just window dressing to pass audits and become certified.
amelbel

Thanks again and sorry for the late reply. I know that I seem new in this domain; it's because that's the case. I was hired for the purpose of the ISO 27001 certification and although I am inexperienced I want to do things right. I don't want to redo the work later; that's why I try my best to understand all these new concepts. I do realize that information security is not a process. I'll tell how things are now and I count on you to correct anything that seems wrong to you.

The first thing that was done was creating a document named Information Security Policy; stated there were the obligations of the management and the objectives of the IS policy.

Then a support process named Information Security System was created, where were stated the final objective, pilot, inputs and output documents, procedures and metrics.

Metrics were also stated in the objectives table but were restricted to one process, the ISS process.

The audit procedure and the process management procedure's contents didn't include any reference to information security.

I wanted to create a management system for security but separated from the others, or is it mandatory to integrate it with the others?

Also, you're saying the ISMS is not a process, so I must create other processes relative to the ISMS that help it do its job and categorize them as support, operation or management processes, am I right?

Finally, could you recommend me something to read or so to help me understand more what must be done?

Thanks a lot