CIS 608 Logo

CIS 608 Logo
CIS 608 - Information Security Management

Sunday, October 16, 2011

Post 037 - CIS 608

Creating an Effective Information Security Management System (ISMS) Using ISO 27001

The diagram above shows the steps required to implement an ISO 27001-based ISMS

This week, we studied discussed Information Security management frameworks. Since I worked on an ISO 27001-based ISMS implementation project between January 2011 and July 2011 I personally found it especially interesting. Despite the fact that ISO 27001 is an internationally recognized standard for Risk Management and Information Security Management, I was amazed that more classmates were unfamiliar with the ISO 27001 standard. Maybe it's just because this Information Security Management Standard is better known and understood in places like India, Japan, Korea, the U.K.

Many people often look at the list of Domains, Control Objectives, and Controls in ISO 27001 Annex A and think that these topics are the only things that need to be address. But it is essential to remember that the implementation of an ISMS is as much Risk Management driven and Information Security Policy driven as much as it is about the establishment of Information Security Controls. It is also important to measure it so the effectiveness of the policies and other controls can be determined and also so the entire ISMS can continue to be improved under the Plan - Do - Check - Act process so it be under continuous process improvement.

Remember, if you are doing one of these ISO 27001 implementation projects, don't forget to do the Risk Management effort.

For more information about ISO 27001, click here.

Best regards,

William Favre Slater, III

MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
Chicago, IL
United States of America

1 comment: