Appropriate Processes for Information Security Management System (ISMS)

Gourmet

Hi,

My company already has ISO 9001 and 14001 certificates (only for a specific part of its perimeter).
I'm managing the ISO 27001 part which, at this time, is not scheduled to be certified.
Thanks to the QMS (which is, in fact, a QSEMS), business and environment processes are now well defined.
I'm now wondering how to define the processes that'll be managed under the ISO 27001 umbrella.

I've already identified the following processes:
- incident management,
- risk assessment,
- risk treatment,
- measurement management, as well as
- the ISMS itself, of course.

But what else?
- vulnerability management?
- rights and authorization management?
- business continuity management?
- asset management?


Which framework should I follow in order to establish my list of processes?
ISO 27002 (or ISO 27001 Annex A)? Another one?
Is it useless to build such a list?

I have another question about processes that already exist through ISO 9001.
Knowing that such a process, managing the documentation for example, already exists in the ISO 9001 perimeter (but with a quality scope, not a security one), what should I do in the ISMS scope?

Should I integrate my needs into the ISO 9001 documentation process (in an integrated management system perspective) or make my own process?
Same question for:
- the measurement management process above,
- management,
- legal, regulatory risk management,
- training & awareness management.

Is there some guide and/or example somewhere about rules to follow?
Thanks.

db

dsheaffe

Involved In Discussions
Hi,

I will preface my comments with the fact that I am not an ISMS expert, but I am someone who has experience in implementing ISO 9001 systems and have now been tasked with implementing an ISMS.

Starting with your second question: I am certainly planning on updating existing procedures (e.g. document control, internal audits, etc.) to ensure that they are applicable for both quality and information security. The last thing that I want to have is one procedure on how we schedule/conduct/report internal audits for quality and a separate one for information security. With all of these things (and it sounds like you are already doing it) we want to have a single "management" system that covers the lot.

For your first question, hopefully you will get direction from someone more experienced than me, but our approach is to identify all the relevant assets and then do our risk assessment, which will then help us to identify what controls we need to put in place. Note that the things you have mentioned are all probably things that will be required in some fashion.
 
Gourmet

Yes, dsheaffe. Concerning the second question, it's what I expected.
I imagine that, in the case of a certification, the auditor(s) won't accept reading the same document 2 or 3 times with only a different header.

About the first one, I'm currently reading with new eyes the well-known document named "Aligning CobiT® 4.1, ITIL V3 and ISO/IEC 27002 for Business Benefit" that has been sleeping for a few months now.
But if someone, or a few people, could give me a few examples of processes created in the context of an ISMS and managed by it, I would appreciate it.
Thanks again,
db
 

AndyN

Moved On
Yes, dsheaffe. Concerning the second question, it's what I expected.
I imagine that, in the case of a certification, the auditor(s) won't accept reading the same document 2 or 3 times with only a different header.

So, Mr Le Gourmet! How's it going? Well, I hope.

This shouldn't be too much of a problem! A CB auditor may make a comment about it; however, it's unlikely that the same auditor who audits for ISO 9001 will also audit the ISMS. It doesn't make sense to duplicate the common processes (sections 4, 5, 6, 7 & 8 of ISO 27K) where they are substantially similar to the ISO 9K requirements.

I too am not an expert in ISMS, but this much I have been able to understand from colleagues:

The key section in defining the applicable controls is, of course, the 'Annex A' section. A complete review of these, as applicable to the business you operate, is appropriate, to determine what policies, procedures/processes and responsibilities etc. need to be established as part of the ISMS, under section 4. It sounds as if you have already done some of the work, but there are, as you know, some 130 issues to at least review for applicability. A 'Gap Assessment' of any existing ISMS your organization operates is also helpful in case there are some 'informal' systems/controls in place you are not aware of. These may become, through formalization/approval, part of your ISMS.

I will also pass on your questions to another colleague for their review/reply...
 
Gourmet

Thanks!
So, Mr Le Gourmet! How's it going? Well, I hope.
It's going well! :)
Thanks.
I noticed you were thanked more times than the number of your posts. You thanked yourself? ;)

In fact, currently, all the policies, records and directives have been categorized according to ISO 27002.
The problem is not there: it's very easy to fill up documents once you know what to write into them.

The problem is that the ISMS documentation policy was written before I took the job (and was the only one).
And this policy states that all the ISMS document names (policies, records, etc.) MUST follow the organisation of processes.
Why? Because the QMS follows this rule and we want to move towards an integrated MS.
And apart from some obvious processes like those I talked about (incident, training and awareness, risk analysis, risk treatment, check), I have no idea for the moment which processes to create in order to find a place for sections such as:
6.2 (third parties),
7 (asset management),
8 (human resources security),
9 (physical security),
10.5 (backup),
10.8 (information exchange),
10.9 (electronic trading),
10.10.6 (clock sync),
11 (access control), etc.

A document is therefore at the crossing point of a double-entry table: ISO 27002 on one axis and a list of processes, themselves subject to a PDCA scheme, on the other.

I'm considering looking for CobiT and/or ITIL processes, but is it A or THE correct approach?

db

AndyN

Moved On
Here are the comments arising from my colleague's review:
The ISMS is a very set process: setting of scope and boundaries, asset identification (hardware, software, data, people, paper, etc. can all be assets), risk assessment, and risk treatments based on the risk assessment. The risk treatments should reflect those controls in Annex A that are applicable to your business plus any additional controls you deem appropriate. This all leads to a Statement of Applicability and the development/implementation of an ISMS policy.

The biggest decision to make right at the beginning is to set a scope and the system boundaries. This will then dictate the complexity of all the other requirements.

You mention that you are not going to seek certification; really, once you implement the above you have expended 90% of the work effort in implementing an ISMS.

Which framework should I follow in order to establish my list of processes? ISO 27002 (or ISO 27001 Annex A)? Another one?
ISO 27002 is really the guidance behind ISO 27001. I believe that the 100-plus pages of ISO 27002 represent the details behind each of the controls in Annex A.
Is it useless to build such a list?

I have another question about processes that already exist through ISO 9001.
Knowing that such a process, managing the documentation for example, already exists in the ISO 9001 perimeter (but with a quality scope, not a security one), what should I do in the ISMS scope?
Control of Documents and Records is a fine example of a QMS process that may be utilized in ISO 27001 development. My only caution is that if it is used, you will need to review the QMS process and alter it so that it encompasses both standards.

Should I integrate my needs into the ISO 9001 documentation process (in an integrated management system perspective) or make my own process?
Same question for:
- the measurement management process above,
- management,
- legal, regulatory risk management,
- training & awareness management.

For most of our clients who are implementing the standard in order to get certified, we have them create a separate ISMS, as the scope is typically different from their QMS. As the ISMS matures, we integrate additional processes as continual improvement.

Is there some guide and/or example somewhere about rules to follow? I highly suggest an ISO 27001 implementation course. This should get you a lot of answers to your questions.

Does this help?
John Martinez

I am an ISMS auditor. ISO 27001 is a process based audit. ISO 27001 is also compatible with ISO 9001. If you already have your processes for QMS, all that is needed is determine what processes are necessary for the ISMS.

It is hard to determine your specific additional processes without seeing your system.

ISO 27001 has some that may be considered processes such as Risk Assessment.

Annex A contains the minimum controls that you apply to the identified risks in order to reduce them, and these are not necessarily processes in and of themselves.

One major mistake organizations make is to equate assets with information technology assets only. Look at the definition of "asset" in ISO 27001. Information comes in more forms than electronic.

Some other additional processes you MAY have are:
Legal, IT, Security (gates, guns, guards).
 

john.b

Involved In Discussions
Sorry for joining late; I've just started looking around here. To echo other posters, I'm no security expert, but I have worked with our existing 27001 system.

The advice to take an implementation class is good (or even an auditor class; similar material with a different perspective). The standard itself is the best guidance for what processes you need to include, and from there the functional scope related to your own company extends that. There is a potential to implement a crazy number of policies, procedures, work instructions, and other functional measures given the 133 control requirements and other main standard body content, especially the output that would come from a comprehensive risk assessment. As with any ISO system implementation, going it alone without consultant guidance might be possible, but the results might not be great, and with a bad consultant it's conceivable they'd be no better (it seems a stretch to say worse).

As with many ISO standards, the code of practice and the standard itself (27002 versus 27001) cover roughly the same material, so using either one would be sufficient. But the curiosity would get to you: what else is in the other one? The code of practice documents are longer and therefore contain a little more content, but the standard is nice because it says what you need to do, what you'll be audited to (lots of "shalls"). In this case there is one good reference website available for that standard (better luck than with IT service management). I can't post the link because I'm new (although I'm not selling anything, really; I'm just a practitioner), so Google "ISO 27001 security" and look around for yourself.

As with any ISO system implementation or related project, getting clear on goals, company commitment, roles, and related factors first is critical to actually achieving the principal implied aim (in this case, hopefully, improving information security, although there must be other drivers, or the functional implementation alone would be enough without certification as a system). Needless to say, there is a very substantial technical dimension to this subject, perhaps even more so than for most other standards, although that's always true in some sense.