ISMS Essentials: Design, Build and Maintain the ISMS
An Information Security Management System (ISMS) delivers a systematic approach to ensure information security and meaningful data protection across existing and new assets.
This post looks at the three phases involved (design, implementation and maintenance) and will help you explain the benefits of an ISMS to those outside the direct security team.
An effective ISMS – Why you need one
Whether in compliance with ISO27001, or as a general approach to information security, a defined ISMS helps the organisation to better understand its information assets, security vulnerabilities and the evolving risk profile. The concept of management systems is not unique to security. Areas like quality and service management often follow similar approaches.
Without an ISMS, the chances of detecting and recovering from breaches, and of withstanding any third-party scrutiny of your security efforts, are slim. You may have controls and systems in place, but in the absence of a management system it is difficult to establish or prove their effectiveness.
The ability to detect cyber security attacks and insider threats is becoming more important in the UK and around the world as services are increasingly outsourced and regulatory pressures grow. Your organisation also cannot ignore expectations regarding the secure collection and use of information, particularly as EU GDPR takes hold.
99 InfoSec problems – The ISMS shouldn’t be one
Digital services and outsourcing drive the growing digital economy and technology adoption, and are fuelling the rise of technologies such as artificial intelligence, the Internet of Things, cloud computing and big data.
Outsourcing IT service delivery makes sense for any organisation looking to focus on its core business, improve customer services, achieve commercial advantage, or to ensure that vital public or business service functions are delivered despite budgetary pressures.
Productivity improvements such as remote working, and the potential savings, are welcome. However, the associated increase in data, processing events and a potential lack of security visibility all lead to familiar information security challenges at new scales.
The challenge of Productivity versus Security
Where digital services adoption is promoted by those with productivity as their primary objective, further complexity can arise. This risks information security being left as a secondary consideration and sometimes a barrier to either scrape over or even avoid. It is a perennial challenge.
Where an ISMS is not applied, the chances are that new services will introduce information vulnerabilities that cannot be detected or monitored. Point solutions and inconsistent risk decisions mean that security is ineffective, inefficient and inconsistent.
However, where a sound ISMS is established and maintained, it is more likely that new services can be rapidly and securely absorbed alongside existing assets, as well as being operationally successful. Common approaches to risks and controls and the integration of new systems into a wider management framework lead to reduced cost and more conformant service delivery.
ISMS Design Phase and the PDCA cycle
The ISMS design phase requires the setting of meaningful objectives, identification of assets and solutions to risk. Inaccuracy or cutting corners at this stage will jeopardise any subsequent activity.
For an ISMS design, the Plan Do Check Act (PDCA) cycle is the method for continual improvement and business process management that you are most likely to see. PDCA is not exclusively an information security or data protection model. It is just as relevant to product development, project management and “box making” as it is to cyber security.
The elements of PDCA are:
- Plan – Identify the problem, requirements, threats and control objectives
- Do – Deploy and test solutions, processes and technologies to reduce risk and avoid operational failure
- Check – Verify the effectiveness of the solutions by examining their output and validating their operation
- Act – On the results of any outputs or failures, to improve effectiveness and efficiency and to achieve the solution that best meets your objectives and enables the business.
ISMS Design – Keep objectives real and focus on risk
It may sound obvious, but ISMS objectives must include mitigating the risks associated with the collection, retention, access and use of information held within both physical and logical assets. In the initial ISMS enthusiasm, it is easy for ISMS objectives to become confused with wider IT procurement strategies rather than focussing on risk control.
This danger is increased where stakeholders from the wider business (e.g. Information Asset Owners) are engaged in the design phase. It is correct to engage other stakeholders but “mission creep” can add a level of complexity that risks ISMS failure (and hence information or data breaches) further down the line.
For most organisations, ISMS objectives are likely to be focused on meeting regulatory, contractual or best-practice requirements such as:
- Payment Card Industry Data Security Standard (PCI-DSS)
- Personal data standards such as EU GDPR
- Best practice compliance including the UK NCSC 10 Steps
- The Australian Signals Directorate (ASD) Essential Eight security controls
ISMS Design – Identify the important assets
Information asset identification is about understanding what information is held, where it is and the risks associated with it. Clear indications of information asset purpose(s), operational interest and business ownership should be recorded.
Those assets that directly support operational business should be prioritised over the wealth of other information assets that are likely to exist. Prioritisation that supports business helps others to “buy in” to the ISMS process.
To avoid stakeholders defaulting to just “applications and databases” as assets, consider who within the organisation would be disadvantaged should information (or just the access to it) be lost. Then consider how the same information asset is accessed, used and exchanged.
An information asset register is the easiest way to record your assets. Asset registers can be something of an art; the UK Home Office publishes a simple example.
Whilst clearly not as exhaustive or detailed as a true asset register (many things are missing including the actual calculation of information risk), this example gives a clear indication of asset ownership, description and purpose.
ISMS Design – Risk assessment and treatment
The objective is to consider the prioritised information assets and any threats that are posed to them. Another objective is to consider control measures to limit the chance of those threats developing into real security incidents and compromise.
Control measure considerations should include all the possibilities of people, process and technology, not forgetting that a simple physical security measure might also reduce risk. Annex A of ISO27001:2013 specifies 114 controls in 14 groups covering policy, access control and even supplier relationships (the 2022 revision restructures Annex A into 93 controls under four themes: organisational, people, physical and technological).
Simple and meaningful risk assessment is key. Care should be taken that the risk assessment methodology and measurement (usually a calculated score or scale) are agreed in advance and applied consistently.
This can be surprisingly challenging to achieve and should not be underestimated. Defining some agreed levels of business impact or financial cost, as well as understanding the regulatory challenges is one side of this – then being able to rate risks in terms of their likelihood is a second dimension.
ISMS Design – Beware Doomsday and Disaster!
Another danger is trying to factor “black swans” into risk assessment discussions, becoming overly concerned with threats that are undoubtedly high impact but ultimately unrealistic or highly unlikely.
Examples of “risk assessment over-thinking” include the inevitable consideration of doomsday scenarios such as a terrorist attack on a data centre. What about the potentially more likely but equally damaging scenarios of electrical fire, power failure, or pipes bursting and flooding the building?
In all these cases, it is the “unavailability of the data centre” that needs focus as the consequence to be avoided, rather than the multitude of possible scenarios that might lead to the event in the first place.
Similarly, attackers that are operated or supported by foreign governments are usually considered highly capable and well financed adversaries. They are a cause for concern for those working on the ISMS, particularly in the public, finance and CNI sectors.
Any risk assessment discussion or briefing must be tempered with realistic assessment of likelihood. What does the organisation do or possess that would legitimately interest a foreign government? For an intelligence agency, this may very well be the greatest threat. However, a local authority, school or hospital might be at more risk of attack from insiders, organised crime, opportunist thefts or ransomware, so this is where the security efforts should be focused to resolve relevant vulnerabilities.
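The two points above, an agreed and consistently applied scoring method and a register keyed on the consequence to be avoided rather than on every scenario that might cause it, are easier to hold people to when the scales are written down as code rather than left to a spreadsheet. The following is an added example, not part of the original post or any particular standard. The 1-5 scale descriptors, the asset names, the risk appetite threshold of 8 and the register entries are all constructed for illustration; an organisation would define its own.

```python
from dataclasses import dataclass
from enum import IntEnum


# Agreed scales, fixed before any assessment starts. The descriptors and the
# 1-5 range are constructed for this example; an organisation would write its
# own in terms of its business impact levels and regulatory exposure.
class Impact(IntEnum):
    NEGLIGIBLE = 1   # no regulatory or financial consequence
    MINOR = 2        # contained, internal cost only
    MODERATE = 3     # service disruption, reportable internally
    MAJOR = 4        # regulatory notification, significant cost
    SEVERE = 5       # loss of a critical service or enforcement action


class Likelihood(IntEnum):
    RARE = 1            # not expected within the asset's lifetime
    UNLIKELY = 2        # could occur within five years
    POSSIBLE = 3        # could occur within a year
    LIKELY = 4          # expected several times a year
    ALMOST_CERTAIN = 5  # expected monthly or more often


# Scores above this must be treated; at or below it they may be accepted and
# recorded. The threshold is a hypothetical appetite, not a recommended value.
RISK_APPETITE = 8


@dataclass(frozen=True)
class Risk:
    asset: str
    consequence: str  # the outcome to avoid, e.g. "data centre unavailable"
    impact: Impact
    likelihood: Likelihood

    @property
    def score(self) -> int:
        return int(self.impact) * int(self.likelihood)


def assess(asset: str, consequence: str, impact, likelihood) -> Risk:
    """Create a register entry only from the agreed scales.

    Accepts an Impact/Likelihood member or its name. A bare number such as 7,
    or a level invented on the day, is rejected so that every entry in the
    register is comparable with every other.
    """
    try:
        if isinstance(impact, str):
            impact = Impact[impact.upper()]
        if isinstance(likelihood, str):
            likelihood = Likelihood[likelihood.upper()]
    except KeyError as exc:
        raise ValueError(f"not on the agreed scale: {exc}") from exc
    if not isinstance(impact, Impact) or not isinstance(likelihood, Likelihood):
        raise ValueError("impact and likelihood must use the agreed scales")
    return Risk(asset, consequence, impact, likelihood)


def treatment_plan(register, appetite: int = RISK_APPETITE):
    """Rank the register by score and decide treat/accept against the appetite.

    Because the scales and the threshold are fixed, the same inputs always give
    the same decision, whoever runs the assessment.
    """
    ranked = sorted(register, key=lambda r: (-r.score, r.asset))
    return [
        (r.asset, r.consequence, r.score, "treat" if r.score > appetite else "accept")
        for r in ranked
    ]


# Constructed register. The data centre entry is keyed on the consequence
# ("unavailable"), not on each scenario (fire, flood, power loss) that might
# cause it; the likelihood recorded is for the consequence as a whole.
SAMPLE_REGISTER = [
    assess("Customer DB", "personal data disclosed", Impact.MAJOR, Likelihood.POSSIBLE),
    assess("Primary data centre", "data centre unavailable", "severe", "unlikely"),
    assess("Intranet wiki", "content defaced", Impact.MINOR, Likelihood.LIKELY),
    assess("Visitor log", "log lost", Impact.NEGLIGIBLE, Likelihood.POSSIBLE),
]

if __name__ == "__main__":
    for asset, consequence, score, decision in treatment_plan(SAMPLE_REGISTER):
        print(f"{score:>2}  {decision:<6}  {asset}: {consequence}")
```

Run as a script it prints the ranked plan; the "Intranet wiki" entry scores exactly the appetite and is therefore accepted and recorded, not treated, which is the kind of decision a risk owner should be able to see and sign off.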
ISMS Design – Statement of Applicability
For those with more extensive information assets, significant risk exposure, or seeking formal compliance with ISO27001, the treatment plan should also record the controls and measures that were considered but not applied.
This best practice approach helps with ISMS transparency and future proofing when key ISMS personnel move on or an audit is required. ISO27001 formalises this as the “Statement of Applicability” (SoA), which lists every Annex A control, whether it is applied, and the justification for including or excluding it. The SoA will prove useful when it comes to briefing management as to how the ISMS has been constructed and why controls have been considered but discounted.
ISMS Implementation Phase
This is where the work really begins: the implementation of any process, procedural, physical and technology controls that are required to mitigate identified risks. Not every control needs to be technical or expensive, far from it. Do not fall into the trap of thinking that “more money for security equals more security”.
For any control – technology, people or process – work out how to measure effectiveness, tie together the relevant stakeholders and relevant communications. For personnel based controls, this might include the training department, HR, vetting office, supervisors etc.
If the relevant stakeholders are insufficiently aware of what successful operation should look like or are not bought into the wider ISMS concept, they may be reluctant to participate. This may leave you in the slightly uncomfortable position of having to call on senior influence to effect change and provide direction.
ISMS Implementation – InfoSec awareness
ISMS implementation must be accompanied by general awareness, briefings and sometimes even training. Avoid bombarding users with considerations of ISO27001 or the detail of the organisation’s approach to security, but they do need an appreciation as to the importance of information security and data protection. Personnel should at least be able to recognise and report an information security incident and feel enabled as part of the solution, not the problem.
This “buy in” and understanding is particularly important where vulnerability control requires the removal of permissions from those personnel who no longer (or never did) need them. Managing user privileges is a common and cost effective control to reduce risk but it might meet operational resistance.
It’s often necessary to consider and balance the risk of leaving personnel with permissions that they do not need, versus the practicality and efficiency of granting permissions when they do. Ultimately risk owners need to be empowered to decide even where responsibilities are delegated.
ISMS Maintenance Phase
In the PDCA cycle this is where the focus moves to “check” and “act”. Maintaining the ISMS’s effectiveness requires security controls that have measurable outputs. Implementing controls with no output, as a “just in case” approach to information security, is often wasteful and expensive.
Taking the information assets, as well as the way that they are hosted (e.g. networks) and accessed (e.g. applications, file shares, databases etc.), ISMS stakeholders should reasonably expect to be able to identify:
- Who has access
- How many accesses have occurred
- How many security incidents have occurred
- How suspected incidents were resolved or loss limited.
ISMS maintenance requires being able to audit activity as a minimum. Better still, being able to monitor assets, access and activities as they occur offers real opportunity to ensure that systems, services, users and data are operating as you expect and as required, and are promptly fixed when they do not.
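The four questions above (who has access, how many accesses, how many incidents, how they were resolved) and the earlier point about removing permissions that are no longer needed are both answered by the same review: compare the entitlements the ISMS records against the access that actually occurred. The following is an added example, not part of the original post, and the key=value log format, the entitlement list, the user and asset names and the log lines are all constructed for illustration; real sources (database audit logs, file-server auditing, identity-provider sign-in logs) would first be normalised into this shape.

```python
import re
from collections import Counter
from datetime import datetime

# Entitlements as the ISMS records them: asset -> users authorised to access it.
# Constructed for this example.
ENTITLEMENTS = {
    "hr_db": {"alice", "bob", "carol"},
    "finance_share": {"dave", "erin"},
}

# Constructed access log in a simple key=value format. The last line is
# deliberately malformed to show that unparseable input is counted, not lost.
LOG_LINES = """\
2024-03-04T09:12:03Z user=alice asset=hr_db action=read result=ok
2024-03-04T09:15:41Z user=bob asset=hr_db action=read result=ok
2024-03-04T09:16:02Z user=bob asset=hr_db action=export result=ok
2024-03-04T10:02:17Z user=mallory asset=hr_db action=read result=denied
2024-03-04T10:02:19Z user=mallory asset=hr_db action=read result=denied
2024-03-04T10:02:22Z user=mallory asset=hr_db action=read result=ok
2024-03-04T11:30:00Z user=dave asset=finance_share action=read result=ok
2024-03-05T08:45:10Z user=alice asset=hr_db action=read result=ok
this line is corrupt and should be counted, not silently dropped
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) asset=(?P<asset>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>ok|denied)$"
)


def parse(lines):
    """Return (events, unparsed_count). Unparseable lines are a visibility
    gap in their own right, so they are counted rather than ignored."""
    events, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events, unparsed


def review(entitlements, events):
    """Per asset: who has access, how many successful accesses occurred, which
    successful accesses came from users outside the entitlement list (incident
    candidates), who was denied, and which entitlements were never exercised
    in the reviewed period (candidates for removal)."""
    report = {}
    for asset, users in entitlements.items():
        asset_events = [e for e in events if e["asset"] == asset]
        ok = [e for e in asset_events if e["result"] == "ok"]
        by_user = Counter(e["user"] for e in ok)
        report[asset] = {
            "who_has_access": sorted(users),
            "access_count": sum(by_user.values()),
            "accesses_by_user": dict(by_user),
            "incidents": [
                (e["ts"].isoformat(), e["user"], e["action"])
                for e in ok if e["user"] not in users
            ],
            "denied_attempts": dict(Counter(
                e["user"] for e in asset_events if e["result"] == "denied")),
            "dormant_entitlements": sorted(users - set(by_user)),
        }
    # Accesses to assets nobody has catalogued are a register gap, not noise.
    report["_uncatalogued_assets"] = sorted(
        {e["asset"] for e in events} - set(entitlements))
    return report


if __name__ == "__main__":
    events, unparsed = parse(LOG_LINES)
    print(f"{len(events)} events parsed, {unparsed} lines unparseable")
    for asset, findings in review(ENTITLEMENTS, events).items():
        print(asset, findings)
```

In the constructed data, mallory’s successful read of hr_db after two denials is an incident candidate for the asset owner, and carol and erin hold entitlements they never used, which is exactly the evidence needed to have the privilege-removal conversation with their managers rather than an argument about hypotheticals.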
ISMS Maintenance – Managing non conformities
The likelihood is that the ISMS will have some flaws, certainly initially, and that controls won’t work perfectly when they are first set up. Common causes include underestimating the implementation time required, flawed assumptions regarding the strength or effectiveness of technical controls, or resistance from users or managers to adoption or embedding.
However, once a workable and implemented set of controls has been achieved, monitoring, measurability and visibility are critical as they provide the necessary evidence to inform change, as well as all-important reporting to stakeholders.
Having the information available to correct faults at the earliest opportunity and to limit opportunities for loss is essential, and will help compliance with regulations and standards such as EU GDPR and ISO27001.
Visibility, monitoring and measurement of implemented controls identifies ISMS non-conformities.
Major or minor ISMS non-conformities
Nonconformities (areas where the ISMS falls short or audit findings) can be categorised as either “major” or “minor”. More generally this means that an ISMS control measure is not performing as required or meeting desired standards. These standards can be ones you have set yourself, have been set by a regulatory body or by a third party (e.g. a data processor from another organisation).
The severity of nonconformity depends on the wider risk profile and appetite of the organisation and risk owner and often the presence of compensating controls. For example, an Information Asset Owner and risk owner may tolerate a few users of a database who have not been formally trained as long as they are known, are planned to be trained and can be monitored, and there are controls on paper outputs and access etc. This is potentially a minor nonconformity with a short-term risk that can be accepted due to an imminent fix.
Should it be discovered that the same database is routinely accessed by many users who are not trained and that access rights are fairly open; with no auditing or monitoring being performed, then depending on the sensitivity of the information assets, this is likely to be a major nonconformity that requires addressing. How would the asset and risk owner know if information was being lost and what other ways is misuse being prevented?
ISMS Design, Build and Maintenance “cycle”
This post hardly scratches the surface of the phases required for a successful ISMS implementation. Undertaking an ISMS build for the sake of it, or as an attempt to pass a third-party check from a partner organisation, accreditor or auditor, will often be fairly transparent to the reviewer.
An effective ISMS requires the investment of time, and of people who understand and care about information and its relevance to operational business.
Control measures do not necessarily have to cost money. The review and amendment of existing technical controls or improvement of a business process might be enough to achieve the risk reduction required.
To assist in planning your ISMS, follow these top tips:
- Ensure that objectives have a clear focus on risks and enabling the business.
- Avoid complexity and confusion with the wider IT strategy.
- Identify and prioritise information assets that are critical to business – start with those.
- Agree how you’ll assess and measure risks before you start and do it consistently.
- Do not get distracted by unlikely threats or “doomsday” scenarios.
- Make sure you can monitor the effectiveness of the controls you implement.
- Be prepared to accept some risks to support operational business.