Abstract:
Nowadays, access to reliable information has become an essential factor in business success. Adequate security of information, and of the systems that process it, is therefore critical to the operation of every organization, and organizations must understand and improve the current status of their information security in order to ensure business continuity and increase the return on their investments. Because information security plays such an important role in supporting the activities of the organization, a standard or benchmark is needed to govern how information security is managed. This paper therefore discusses several Information Security Management System (ISMS) standards in order to determine their strengths and challenges. Then, based on the most appropriate standards in the field, a method is proposed that allows IT-related or IT-based enterprises to implement their ISMS. The method helps to identify critical assets and the threats and vulnerabilities that affect them, to assess the risks to those assets, and to provide the necessary risk treatment plans. The proposed method makes it possible to establish an information security management system in IT-related large-scale enterprises in a structured way.
Machine summary:
Efficient implementation of the framework guarantees that the management team provides the resources needed to support the processes the organization requires in order to achieve appropriate information security (Standard B.
Thus the activities required for an ISMS are structured into the four phases of the Plan-Do-Check-Act cycle:
• Plan: establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, so as to deliver results in accordance with the organization's overall policies and objectives.
• Do: implement and operate the ISMS policy, controls, processes and procedures.
• Check: assess and, where applicable, measure process performance against the ISMS policy, objectives and practical experience, and report the results to management for review.
• Act: take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
The main steps to implement an ISMS based on ISO/IEC 27003 are listed below:
1. Obtaining management approval for initiating an ISMS project
2. Defining the ISMS scope, boundaries and ISMS policy
3. Conducting an information security requirements analysis
4. Conducting risk assessment and planning risk treatment
5. Designing the ISMS
Generally, in an ISMS, establishing the context, risk assessment, developing the risk treatment plan and risk acceptance are all part of the "plan" phase.
In the "act" phase of the ISMS, any required action, including further application of the information security risk management process, is performed (Hensel & Lemke-Rust, 2010).
After the projects were approved by security experts and managers, the required actions and controls were implemented by the groups responsible for the assets, according to the risk treatment option selected for each risk.
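The risk assessment and treatment step described above (score each asset's risk, compare it with the acceptance criteria, choose a treatment option) can be illustrated with a small risk register. The following is an added example and is not the paper's own method or tooling: the 1..5 likelihood and impact scales, the product-based score, the acceptance and avoidance thresholds, the rule that a transferable risk above the acceptance level is shared, and the sample register entries are all assumptions made here for illustration. The four treatment option names (modify, retain, avoid, share) are those used by ISO/IEC 27005.

```python
"""Toy risk register: score asset risks and pick a treatment option.

Added illustration. The scales, thresholds, decision rule and sample
register are assumptions, not figures or rules taken from the paper.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Treatment option names as used by ISO/IEC 27005.
MODIFY, RETAIN, AVOID, SHARE = "modify", "retain", "avoid", "share"

# Assumed risk acceptance criteria (in practice set by management in the
# "plan" phase and recorded in the ISMS).
ACCEPT_AT_OR_BELOW = 6    # retain without further controls
AVOID_AT_OR_ABOVE = 20    # stop the activity rather than try to control it


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                       # 1 rare .. 5 almost certain (assumed scale)
    impact: int                           # 1 negligible .. 5 severe (assumed scale)
    transferable: bool = False            # e.g. insurable or outsourceable
    planned_controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # estimate after planned controls

    def __post_init__(self) -> None:
        # Reject out-of-scale inputs early; a bad score silently mis-prioritises.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")
        if self.residual_likelihood is not None and not 1 <= self.residual_likelihood <= 5:
            raise ValueError("residual_likelihood must be 1..5")

    def score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> Optional[int]:
        # Controls in this toy model reduce likelihood; impact is unchanged.
        if self.residual_likelihood is None:
            return None
        return self.residual_likelihood * self.impact


def treatment_option(risk: Risk) -> str:
    """Map a scored risk to a treatment option under the assumed policy."""
    s = risk.score()
    if s <= ACCEPT_AT_OR_BELOW:
        return RETAIN
    if s >= AVOID_AT_OR_ABOVE:
        return AVOID
    if risk.transferable:
        return SHARE   # sharing moves cost, not accountability; still track it
    return MODIFY


def treatment_plan(register: List[Risk]) -> List[dict]:
    """Prioritised plan, highest score first. MODIFY entries carry their
    planned controls and a flag saying whether the estimated residual risk
    would meet the acceptance criterion (None if no estimate was given)."""
    plan = []
    for r in sorted(register, key=lambda r: r.score(), reverse=True):
        option = treatment_option(r)
        residual = r.residual_score() if option == MODIFY else None
        plan.append({
            "asset": r.asset,
            "threat": r.threat,
            "score": r.score(),
            "option": option,
            "controls": r.planned_controls if option == MODIFY else [],
            "residual_score": residual,
            "residual_acceptable": None if residual is None else residual <= ACCEPT_AT_OR_BELOW,
        })
    return plan


# Constructed sample register (hypothetical assets and ratings).
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection", "unparameterised queries", 4, 4,
         planned_controls=["parameterised queries", "input validation"],
         residual_likelihood=1),
    Risk("office printer", "paper jam", "ageing hardware", 3, 1),
    Risk("legacy FTP server", "credential sniffing", "plaintext protocol", 5, 4),
    Risk("backup tapes in transit", "loss in transit", "unencrypted media", 3, 4,
         transferable=True),
]

if __name__ == "__main__":
    for entry in treatment_plan(SAMPLE_REGISTER):
        print(entry)
```

Running the block prints the plan in priority order: the FTP server (score 20) is avoided, the database (16) is modified with a residual score of 4 that meets the acceptance criterion, the backup tapes (12) are shared, and the printer (3) is retained. The point of the residual flag is the check a reviewer wants before signing off a treatment plan: a MODIFY entry whose residual estimate still exceeds the acceptance level needs more controls or a different option, not approval.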
Hence, this paper presents a method to identify the current status of information security, proportionate to the scale and characteristics of the enterprise and based on the implementation guidance of the ISO/IEC 27000 series standards.