All organizations have huge information and data it needs to conduct its operations. This information / data may be in hard / soft media stored electronically, transmitted by mail or by electronic means. Organization’s internal information & data is constantly under threat from many sources. These sources could be malicious, internal, external, or accidental.
As the technology related to storage, retrieval & transmittal of information is getting advanced every now & then, information security is becoming an ever increasing and growing problem. It has become essential for organizations to establish a comprehensive Information Security Management System.
An Information Security Management System (ISMS) is a systematic approach to managing sensitive information of the organization so that it remains secure. It encompasses people, processes, and IT systems. Information security goes beyond installing the latest firewall or hiring a security agency. Comprehensive ISMS needs for each element to be effective, an overall approach and integration of different security initiatives. It is essential to establish a Policy and to ensure the integrity, confidentiality and availability of corporate & customer information.
IT industry has come of its age in last two decades and needed an information management standard at the international level. A British national standard BS 7799-2 : 2002 std. was launched in 2002 and was used by most of the industry.
In he year 2005, ISO launched ISO 27001: 2005 , an international standard so that organizations could manage their information security system. It is the specification for an Information Security Management System (ISMS). It establishes a system to identify risks to an ISMS and defines the requirements of IFMS. This standard is a replacement of BS 7799-2 : 2002 std.
Organization needs to plan ISMS, undertake a review of all potential security breaches which not only relate to IT systems, but are extended to all sensitive information within your organization. Develop a security Policy to demonstrate support and commitment of top management and develop procedure to support the security policy.
This will cover a range of areas including asset clarification and control, personal security, physical and environmental security and business continuity management.
In the words of the standard itself, it is intended to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system. It offers a process driven approach, known as PDCA : plan-do-act-check. By utilizing continual improvement, the standard helps establish and maintain an effective information management system. ISO 27001:2005 is applicable to any manufacturing and service organization and provides a disciplined approach to identify and control risks to information security.