What is a modern information security management system. Modern standards in the field of information security using the concept of risk management Information security management system

Shahalov Igor Yurievich

On the issue of integrating quality management systems and information security

Abstract: The international standards ISO 27001 and ISO 9001 are considered. The analysis of the similarities and differences between the quality management system and the information security management system is carried out. The possibility of integrating the quality management system and the information security management system is shown. The main stages of construction and implementation of an integrated information security management system are given. The advantages of the integrated approach are shown.

Key words: information security management systems, integrated management systems, ISMS, QMS, ISO 27001.

Natalia Olegovna

Introduction

In the modern world, with the advent of common and convenient technical devices, the problem of information security has emerged quite sharply. Along with the release of quality products or the provision of services, it is important for enterprises and organizations to keep the necessary information secret from competitors in order to remain in a favorable position in the market. In the competitive struggle, various actions aimed at obtaining confidential information in different ways are widespread, up to direct industrial espionage using modern technical means of intelligence.

Thus, organizations that adhere to the world's best practices, which contain requirements and guidelines for the implementation of business process management systems, are becoming leaders in the market. The best standards for the design, implementation, monitoring and improvement of such systems are documents from the International Organization for Standardization (ISO). Particular attention should be paid to the standards of the ISO 900x and ISO 2700x series, which collect the best practices for the implementation of a quality management system (QMS) and an information security management system (ISMS).

The quality management system, implemented in accordance with the requirements of the ISO 9001 standard, has long been recognized as an integral attribute of a successful company that produces high-quality products or provides high-class services. Today, the availability of a certificate of conformity is both an effective marketing solution and a mechanism for controlling production processes. QMS audit is a well-developed area of business.

The success of a company's activities increasingly depends on the protection of information in its corporate system. This is due to the increase in the volume of vital data processed in the corporate information system. Information systems are becoming more complex, and the number of vulnerabilities found in them is also growing. ISMS audit allows assessing the current state of security of the corporate information system, assessing and predicting risks, and managing their impact on the company's business processes.

Since the ISO 9001 standard has long taken the leading position in the number of certificates in the world, and the ISO 27001 standard shows a tendency towards an increase in the certification of the information security management system, it is advisable to consider the possible interaction and integration of the QMS and the ISMS.

Integration of standards

At first glance, quality management and information security are completely different areas. However, in practice, they are closely related and form one whole (Figure 1). Customer satisfaction, which is an objective quality goal, every year more and more depends on the availability of information technology and on data security, for the maintenance of which the ISO 27001 standard is used. On the other hand, the ISO 9001 standard exactly matches the corporate goals of the organization, helping to ensure security. Thanks to an integrated approach, ISO 27001 can be effectively integrated into existing QMS or implemented together with QMS.

Information security and quality management standards aim at continual improvement in accordance with the Plan-Do-Check-Act (PDCA) model, known as the Deming cycle (see Figure 2). In addition, they are similar in structure, as shown in the correspondence table in Annex C of ISO 27001. Both standards define the process approach, scope, system and documentation requirements, and management responsibility. In both cases, the structure ends with internal audit, management review and system improvement. Here the two systems interact: for example, ISO 9001 requires the control of nonconforming products, and likewise ISO 27001 requires incident management for resolving failures.

Fig. 1. Areas of interaction and similarity of the QMS and ISMS

Fig. 2. Deming cycle

More than 27,200 organizations of various industries in more than 100 countries of the world are certified for compliance with ISO 9001:2008 for quality management. Depending on the market and legal requirements, many organizations are increasingly forced to deal with information security. In this regard, the integration of management systems offers real possibilities. An integrated approach is also interesting for companies that have not used any management process until now. ISO standards for quality (ISO 9001), environmental protection (ISO 14000), information security (ISO 27001) and IT service management (ISO 20000) have a similar structure and process approach. This creates a synergy that pays off: in practice, an integrated management system for ongoing operations saves 20 to 30 percent of the total cost of system optimization, checks and revisions.

The differences between the standards are useful in complementing each other, which decisively contributes to increased business success. For example, ISO 9001 requires the definition of corporate goals, customer focus and measurability of the extent to which goals and objectives are met. These three issues are not at the center of ISO 27001's interests. In turn, that standard prioritizes risk management to maintain business continuity and offers detailed assistance in implementing an ISMS. Compared with this, ISO 9001 is more of a theoretical standard.

ISO 27001 - a standard not only for IT

Many people think that the ISO 27001 standard is only for IT processes, but in reality this is not the case. The fundamental point for the implementation of an ISMS under the ISO 27001 standard is the definition of assets.

Fig. 3. Types of assets

An asset is understood as everything that is of value to the company (Figure 3). That is, an asset can be human resources, infrastructure, tools, equipment, communications, services and any other assets, including services for the supply of purchased products. Based on its processes, the company determines which assets it has and which of them are involved in critical processes, and evaluates the value of the assets. Only after that is the risk assessment made for all valuable assets. Thus, the ISMS is intended not only for digital information processed in automated systems. For example, some of the most critical processes involve the storage of hard copies of information, which is also covered by ISO 27001. An ISMS covers all the ways in which important information can be stored in your company, from how your e-mail is protected to where the personal files of employees are stored in the building.

Therefore, it is a huge misconception that since the standard is aimed at building an information security management system, then this can only apply to data stored in a computer. Even in our digital age, a lot of information is still reflected on paper, which must also be reliably protected.

ISO 9001 cannot meet the company's information security needs, since it is narrowly focused on product quality. Therefore, it is very important to implement ISO 27001 in the company. At first glance, it may seem to a specialist that both standards are very general and do not have specificity. However, this is not the case: the ISO 27001 standard describes almost every step of implementing and controlling the functioning of an ISMS (Figure 4).

The main stages of building an information security management system

The main stages of building an ISMS are illustrated in Figure 4. Let's consider them in more detail.

Fig. 4. Stages of building an ISMS

Stage 1. Preparation of action plans. At this stage, specialists collect organizational and administrative documents (ORD) and other working materials relating to the construction and operation of the company's information systems and to the mechanisms and means of ensuring information security that are planned for use. In addition, action plans for the stages of work are drawn up, agreed upon and approved by the company's management.

Stage 2. Checking for compliance with ISO/IEC 27001:2005. Interviewing and questioning managers and employees of departments; analysis of the company's ISMS for compliance with the requirements of ISO/IEC 27001:2005.

Stage 3. Analysis of regulatory and organizational and administrative documents based on the organizational structure of the company. Based on the results, the protected scope (OA) is determined and a draft of the company's information security policy is developed.

Stage 4. Analysis and assessment of information security risks. Development of a methodology for managing and analyzing company risks. Analysis of the company's information resources, primarily the LAN, in order to identify threats and vulnerabilities of the protected assets. Inventory of assets. Consultations with the company's specialists and assessment of the compliance of the actual and required level of security. Calculation of risks; determination of the current and acceptable level of risk for each specific asset. Risk ranking, selection of sets of measures to reduce them, and calculation of the theoretical efficiency of their implementation.

Stage 5. Development and implementation of IS action plans. Development of a statement of applicability of controls in accordance with ISO/IEC 27001:2005. Development of a risk treatment and elimination plan. Preparation of reports for the head of the company.

Stage 6. Development of regulatory documents and ORD. Development and approval of the final IS policy and related provisions (private policies). Development of standards, procedures and instructions to ensure the normal functioning and operation of the company's ISMS.

Stage 7. Implementation of comprehensive measures to reduce IS risks and assess their effectiveness in accordance with the plan for processing and eliminating risks approved by the management.

Stage 8. Personnel training. Development of action plans and implementation of programs for training and improving the competence of company employees in order to effectively convey information security principles to all employees, and primarily to those who work in structural units providing key business processes.

Stage 9. Reporting. Systematization of survey results and preparation of reports. Presentation of the results of the work to the heads of the company. Preparation of documents for certification of compliance with ISO/IEC 27001:2005 and their transfer to the certifying organization.

Stage 10. Analysis and assessment of the results of the ISMS implementation based on the methodology that assesses the reliability of the company's ISMS functioning. Development of recommendations for improving the company's information security management system.
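To make the risk-assessment and risk-treatment steps of Stages 4 and 5 concrete (inventory of assets with their value, threats with a likelihood, risk calculation, comparison with an acceptable level, ranking, selection of measures by theoretical efficiency, and a statement of applicability), the following is an added example written for this page; it is not code from the article or from any ISO document. The 1..5 scoring scales, the formula risk = value x likelihood, the acceptable-risk threshold of 8, the sample assets, threats and controls, and the control names (with an Annex A area in brackets for orientation only) are all assumptions constructed for the example; ISO/IEC 27001 prescribes none of them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # business value of the asset, 1..5 (assumed scale)


@dataclass(frozen=True)
class Threat:
    asset: str          # name of the asset the threat applies to
    description: str
    likelihood: int     # likelihood that the threat exploits a vulnerability, 1..5 (assumed scale)


@dataclass(frozen=True)
class Control:
    name: str           # hypothetical control; the Annex A area in brackets is orientation only
    threat: str         # description of the threat it mitigates
    reduction: int      # how many likelihood points the control removes
    cost: int           # relative implementation cost, 1..5 (assumed scale)


ACCEPTABLE_RISK = 8     # assumed acceptable level of risk (value x likelihood)


def risk_score(value: int, likelihood: int) -> int:
    """Assumed risk formula: asset value multiplied by threat likelihood."""
    return value * likelihood


def assess_risks(assets, threats):
    """Stage 4: calculate the risk of every asset/threat pair and rank them (highest first)."""
    values = {a.name: a.value for a in assets}
    rows = []
    for t in threats:
        if t.asset not in values:
            raise KeyError(f"threat refers to an asset missing from the inventory: {t.asset!r}")
        rows.append({
            "asset": t.asset, "threat": t.description, "value": values[t.asset],
            "likelihood": t.likelihood, "risk": risk_score(values[t.asset], t.likelihood),
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def treatment_plan(ranked, controls, acceptable=ACCEPTABLE_RISK):
    """Stage 5: for each risk above the acceptable level choose one control.

    Preference order: a control that brings the residual risk within the
    acceptable level, then the highest theoretical efficiency (risk reduction
    per unit of cost), then the largest absolute reduction. Risks already at or
    below the acceptable level are accepted without a control; risks with no
    applicable control are flagged for escalation to management.
    """
    plan = []
    for r in ranked:
        if r["risk"] <= acceptable:
            plan.append({**r, "control": None, "residual": r["risk"], "decision": "accept"})
            continue
        candidates = []
        for c in controls:
            if c.threat != r["threat"]:
                continue
            residual = risk_score(r["value"], max(r["likelihood"] - c.reduction, 0))
            reduction = r["risk"] - residual
            candidates.append((residual <= acceptable, reduction / c.cost, reduction, c, residual))
        if not candidates:
            plan.append({**r, "control": None, "residual": r["risk"], "decision": "escalate"})
            continue
        within, _, _, best, residual = max(candidates, key=lambda x: (x[0], x[1], x[2]))
        plan.append({**r, "control": best.name, "residual": residual,
                     "decision": "mitigate" if within else "mitigate (partially)"})
    return plan


def statement_of_applicability(plan, controls):
    """Which controls are applied (True) or excluded (False) under the plan."""
    applied = {p["control"] for p in plan if p["control"]}
    return {c.name: c.name in applied for c in controls}


def total_risk(rows, key="risk"):
    """Sum of the chosen column, used to compare risk before and after treatment."""
    return sum(r[key] for r in rows)


# Constructed sample inventory; names and numbers are illustrative, not taken from the article.
ASSETS = [Asset("Customer database", 5), Asset("HR paper archive", 4), Asset("Public website", 2)]
THREATS = [
    Threat("Customer database", "unauthorised access using weak credentials", 4),
    Threat("Customer database", "data loss after hardware failure", 2),
    Threat("HR paper archive", "unauthorised reading of paper records", 3),
    Threat("Public website", "defacement", 3),
]
CONTROLS = [
    Control("Multi-factor authentication (A.9 area)", "unauthorised access using weak credentials", 3, 2),
    Control("Stricter password policy (A.9 area)", "unauthorised access using weak credentials", 1, 1),
    Control("Locked cabinets with access log (A.11 area)", "unauthorised reading of paper records", 2, 1),
    Control("Off-site backups (A.12 area)", "data loss after hardware failure", 1, 2),
    Control("Web application firewall (A.13 area)", "defacement", 2, 2),
]

if __name__ == "__main__":
    ranked = assess_risks(ASSETS, THREATS)
    plan = treatment_plan(ranked, CONTROLS)
    for p in plan:
        print(f"{p['risk']:>3} -> {p['residual']:>3}  {p['asset']}: {p['threat']} | {p['decision']} | {p['control']}")
    print("total risk before / after treatment:", total_risk(plan), "/", total_risk(plan, "residual"))
    for name, applied in statement_of_applicability(plan, CONTROLS).items():
        print(f"[{'x' if applied else ' '}] {name}")
```

Note that the paper archive ranks above the hardware-failure risk on the database even though the database is the more valuable asset; this is the point of Stage 4's asset-by-asset ranking, and it is why the "Locked cabinets" control for paper records is selected while the web application firewall is excluded in the statement of applicability (the defacement risk is already within the acceptable level). A real treatment plan would additionally record the justification for each exclusion, which the statement of applicability requires.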

Analyzing each stage of ISMS implementation, we can say that ISO 27001 has a clear structure and requirements that will allow you to build a working system in which there will be interaction at all necessary levels. But we must not forget that the main difference between the ISMS and the QMS is that the first system is focused on information security.

The importance of information security in the modern world

Today's business cannot exist without information technology. It is known that about 70% of the world's total national product depends in one way or another on the information stored in information systems. The widespread introduction of computers has created not only well-known conveniences, but also problems, the most serious of which is the problem of information security.

Business leaders must understand the importance of information security and learn to predict and manage trends in this area. In this they can be helped by the introduction of an ISMS, whose structure has the potential for development, transparency of management and flexibility towards any changes. Along with controls for computers and computer networks, the ISO 27001 standard pays great attention to the development of security policy, work with personnel (hiring, training, dismissal), ensuring continuity of the production process and regulatory requirements, while some technical issues are detailed in other standards of the ISO 27000 series. There are many advantages of introducing an ISMS into the company; some of them are shown in Fig. 5.

Fig. 5. Benefits of implementing an information security management system

The following benefits of ISO 27001 should be pointed out.

Demonstration of security competence. ISO 27001 is a practical guide for an organization that helps formulate security requirements to achieve the required level of security and meet specific security objectives. It is especially important for organizations to be competent in four areas of security management: identifying and assessing company assets, assessing risks and defining criteria for accepting risks, managing and adopting these items, and continual improvement of the organization's overall security program.

Ensuring customer confidence. ISO 27001 provides independent evidence that corporate governance programs are supported by international best practices. ISO 27001 certification provides peace of mind to corporations seeking to demonstrate integrity to customers, shareholders and potential partners, and most importantly, to show that the company has successfully implemented a robust information security management system. For many heavily regulated industries such as finance or Internet services, supplier selection can be limited to those organizations that are already ISO 27001 certified.

More efficient use of resources. Thanks to the process approach, it is possible to optimize the processes taking place in the company, which entails a decrease in the use of resources, for example, time.

Continuous improvement. The ISMS uses the PDCA model, which allows you to regularly check the status of the entire system, analyze it and improve the management system.

1. Image, brand. Certification for compliance with ISO 27001 opens up wide opportunities for the company: access to the international level, new partnerships, more clients, new contracts, success in tenders. The presence of an ISMS in a company is an indicator of a high level of development.

2. Flexibility of the ISMS. Regardless of changes in processes, new technologies, the basis of the ISMS structure remains effective. The ISMS adapts quite easily to innovations by modernizing existing and introducing new countermeasures.

3. Scalability of the implementation of the standard. Since ISO 27001 implies scoping, only a subset of the processes can be certified. You can start implementing the ISMS in the most significant OA for the company, and only later expand.

4. Audit. Many Russian companies perceive audit work as a disaster. ISO 27001 shows an international approach to auditing: first of all, the company's interest in actually meeting the standards, and not doing the certification somehow, just for show.

5. Regular internal or external audits allow correcting violations, improving the ISMS, and significantly reducing risks. First of all, the company needs it for its own peace of mind, that everything is in order and the risks of losses are minimized. And already secondary - a certificate of conformity, which confirms for partners or customers that this company can be trusted.

6. Transparency of management. The use of the ISO 27001 standard provides fairly clear instructions for creating management, and also the requirements for the documentation that must exist in the company. The problem of many companies is that the existing documents for certain departments are simply not readable, because it is often impossible to figure out what is intended for whom given the complexity of the documentation system. A hierarchy of documentation levels, from the information security policy down to the description of specific procedures, makes the use of existing rules, regulations and other documents much easier. The introduction of an ISMS also involves staff training: holding seminars, mailings and hanging warning posters, which significantly increases awareness of information security among ordinary employees.

In conclusion, it should be noted that in modern business the integration of the basic quality management system, built in accordance with the requirements of the ISO 9001 standard, with the information security management system, which is gaining ground, is clearly called for.

Today, the market leader will be companies that monitor not only the quality indicators of products and services, but also the levels of confidentiality, integrity and availability of information about them. Forecasting and risk assessment is also an important success factor, which requires a competent approach and the use of the best international practices. Joint implementation and certification of quality management and information security systems will help solve a wide range of problems for any industry or trade, which in turn will lead to a qualitative increase in the level of services provided.


In the world of information technology, the issue of ensuring the integrity, reliability and confidentiality of information is becoming a priority. Therefore, recognizing the need for an organization to have an information security management system (ISMS) is a strategic decision.

The ISO/IEC 27001 Standard was designed for creating, implementing, maintaining and continually improving an ISMS in an enterprise, and by applying this Standard it becomes apparent to external partners that the organization is able to meet its own information security requirements. This article will discuss the basic requirements of the Standard and its structure.


The main objectives of the ISO 27001 Standard

Before proceeding to the description of the structure of the Standard, let us stipulate its main tasks and consider the history of the appearance of the Standard in Russia.

Objectives of the Standard:

  • establishing uniform requirements for all organizations to create, implement and improve the ISMS;
  • ensuring interaction between senior management and employees;
  • maintaining confidentiality, integrity and availability of information.

At the same time, the requirements established by the Standard are general and are intended to be applied by any organization, regardless of its type, size or nature.

History of the Standard:

  • In 1995, the British Standards Institute (BSI) adopted the Information Security Management Code as a national UK standard and registered it under BS 7799 - Part 1.
  • In 1998, BSI published BS 7799-2 in two parts, one containing a code of practice and the other requirements for information security management systems.
  • In the course of subsequent revisions, the first part was published as BS 7799:1999, Part 1. In 1999 this version of the standard was transferred to the International Organization for Certification.
  • This document was approved in 2000 as the international standard ISO/IEC 17799:2000 (BS 7799-1:2000). The latest version of this standard, adopted in 2005, is ISO/IEC 17799:2005.
  • In September 2002, the second part of BS 7799, "Information Security Management System Specification", came into force. The second part of BS 7799 was revised in 2002, and at the end of 2005 it was adopted by ISO as the international standard ISO/IEC 27001:2005 "Information technology. Security techniques. Information security management systems. Requirements".
  • In 2005, the ISO/IEC 17799 standard was included in the 27000 series of standards and received the new number ISO/IEC 27002:2005.
  • On September 25, 2013, the updated ISO/IEC 27001:2013 "Information security management systems. Requirements" was published. Currently, organizations are certified according to this version of the Standard.

Structure of the Standard

One of the advantages of this Standard is the similarity of its structure with ISO 9001, as it contains identical subclause headings, identical text, common terms and basic definitions. This circumstance saves time and money, since part of the documentation has already been developed during the ISO 9001 certification.

If we talk about the structure of the Standard, it is a list of ISMS requirements that are mandatory for certification and consists of the following sections:

Main sections:

  • 0. Introduction
  • 1. Scope
  • 2. Normative references
  • 3. Terms and definitions
  • 4. Context of the organization
  • 5. Leadership
  • 6. Planning
  • 7. Support
  • 8. Operation
  • 9. Performance evaluation
  • 10. Improvement

Appendix A:

  • A.5 Information security policies
  • A.6 Organization of information security
  • A.7 Human resources (personnel) security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 Acquisition, development and maintenance of information systems
  • A.15 Supplier relationships
  • A.16 Incident management
  • A.17 Business continuity
  • A.18 Legal compliance

The requirements of "Appendix A" are mandatory, but the standard allows you to exclude areas that cannot be applied in the enterprise.

When implementing the Standard at an enterprise for subsequent certification, it is worth remembering that no exclusions from the requirements established in sections 4 to 10 are allowed. These sections are discussed below.

Let's start with Section 4, Organization context.

Organization context

In this section, the Standard requires an organization to identify external and internal issues that are relevant to its objectives and that affect the ability of its ISMS to achieve the expected results. In doing so, you should take into account the legal, regulatory and contractual obligations regarding information security. The organization should also define and document the boundaries and applicability of the ISMS in order to establish its scope.

Leadership

Top management should demonstrate leadership and commitment to the information security management system by, for example, ensuring that the information security policy and information security objectives are established and aligned with the organization's strategy. Also, top management should ensure that all the necessary resources for the ISMS are provided. In other words, it should be obvious to employees that management is involved in information security issues.

Information security policy should be documented and communicated to employees. This document resembles the ISO 9001 quality policy. It should also be appropriate for the purpose of the organization and include information security objectives. It is good if these are real goals, such as preserving the confidentiality and integrity of information.

The management is also expected to distribute functions and responsibilities related to information security among employees.

Planning

In this section we come to the first stage of the PDCA (Plan - Do - Check - Act) management principle - plan, execute, check, act.

When planning the information security management system, the organization should take into account the issues mentioned in Clause 4 and determine the risks and potential opportunities that need to be taken into account in order to ensure that the ISMS can achieve expected results, prevent unwanted effects, and achieve continuous improvement.

When planning how to achieve its information security objectives, the organization should determine:

  • what will be done;
  • what resources will be required;
  • who will be in charge;
  • when goals are achieved;
  • how the results will be assessed.

In addition, the organization shall retain data on information security objectives as documented information.

Support

The organization shall determine and provide the resources needed to develop, implement, maintain and continually improve the ISMS; this includes both personnel and documentation. With regard to personnel, the organization is expected to recruit qualified and competent information security personnel. The qualifications of employees must be confirmed by certificates, diplomas, etc. It is possible to engage third-party specialists under a contract, or to train your own employees. As for the documentation, it should include:

  • documented information required by the Standard;
  • documented information determined by the organization to be necessary to ensure the effectiveness of the information security management system.

The documented information required by the ISMS and the Standard must be controlled to ensure that it:

  • is available and suitable for use where and when it is needed, and
  • is appropriately protected (for example, from loss of confidentiality, misuse, or loss of integrity).

Operation

This section covers the second phase of the PDCA management principle: the need for an organization to manage its processes to ensure compliance and to perform the activities identified in the Planning section. It also states that an organization should perform information security risk assessments at planned intervals or when significant changes are proposed or occur. The organization shall retain the results of the information security risk assessment as documented information.

Performance evaluation

The third stage is checking. The organization shall evaluate the operation and effectiveness of the ISMS. For example, it must conduct internal audits in order to obtain information about whether:

  1. the information security management system conforms to
    • the organization's own requirements for its information security management system;
    • the requirements of the Standard;
  2. the information security management system is effectively implemented and operating.

It goes without saying that the scope and timing of audits should be planned in advance. All results must be documented and retained.

Improvement

The point of this section is to determine the course of action when a nonconformity is identified. The organization needs to correct the nonconformity, deal with its consequences and analyze the situation so that it does not recur in the future. All nonconformities and corrective actions should be documented.

This concludes the main sections of the Standard. Appendix A provides more specific requirements to be met by an organization, for example, on access control, the use of mobile devices and storage media.

Benefits from the implementation and certification of ISO 27001

  • increasing the status of the organization and, accordingly, the trust of partners;
  • increasing the stability of the organization's functioning;
  • increasing the level of protection against information security threats;
  • ensuring the required level of confidentiality of information of interested parties;
  • expanding the organization's ability to participate in large contracts.

The economic benefits are:

  • independent confirmation by the certification body that the organization has a high level of information security controlled by competent personnel;
  • proof of compliance with applicable laws and regulations (compliance with the system of mandatory requirements);
  • demonstration of a certain high level of management systems to ensure the proper level of service to customers and partners of the organization;
  • Demonstration of regular audits of management systems, performance appraisals and continuous improvement.

Certification

An organization can be certified by accredited agencies in accordance with this standard. The certification process consists of three stages:

  • Stage 1 - the auditor's review of the key ISMS documents for compliance with the requirements of the Standard; can be performed on site or by sending the documents to the external auditor;
  • Stage 2 - a detailed audit, including testing of the implemented controls and assessment of their effectiveness, together with a complete review of the documents required by the Standard;
  • Stage 3 - surveillance audits to confirm that the certified organization still meets the stated requirements; performed periodically throughout the validity of the certificate.

Outcome

As can be seen, applying this standard in an enterprise makes it possible to raise the level of information security substantially, which is worth a great deal today. The standard contains many requirements, but the most important one is to actually do what is written. Without real application of its requirements, the standard turns into an empty pile of paper.

GOST R ISO/IEC 27001-2006 "Information technology. Security techniques. Information security management systems. Requirements"

The developers of the standard note that it was prepared as a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system (ISMS). An ISMS is defined as that part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security. A management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the organization's ISMS. It is based on the Plan - Do - Check - Act (PDCA) model, which can be applied to structure all ISMS processes. Fig. 4.4 shows how the ISMS takes the information security requirements and expectations of interested parties as input and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations.

Fig. 4.4.

At the stage "Development of an information security management system" the organization should do the following:

  • define the scope and boundaries of the ISMS;
  • define the ISMS policy based on the characteristics of the business, the organization, its location, assets and technologies;
  • define the organization's approach to risk assessment;
  • identify risks;
  • analyze and evaluate risks;
  • identify and evaluate the options for risk treatment;
  • select control objectives and controls for risk treatment;
  • obtain management approval of the proposed residual risks;
  • obtain management authorization to implement and operate the ISMS;
  • prepare a Statement of Applicability.

The stage "Implementation and operation of the information security management system" requires that the organization:

  • develop a risk treatment plan that defines the appropriate management actions, resources, responsibilities and priorities for managing information security risks;
  • implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and the allocation of roles and responsibilities;
  • implement the selected controls;
  • define how the effectiveness of the selected controls will be measured;
  • implement training and awareness programs for employees;
  • manage the operation of the ISMS;
  • manage the resources of the ISMS;
  • implement procedures and other controls to ensure prompt detection of information security events and response to information security incidents.

The third stage " Monitoring and analysis of the information security management system " requires:

  • execute monitoring and review procedures;
  • undertake regular reviews of the effectiveness of the ISMS;
  • measure the effectiveness of controls to verify that information security requirements are being met;
  • review risk assessments at planned intervals, and review the residual risks and the identified acceptable levels of risk, taking changes into account;
  • conduct internal ISMS audits at planned intervals;
  • undertake a management review of the ISMS on a regular basis to confirm that it is functioning adequately and to identify directions for improvement;
  • update information security plans to take account of the findings of monitoring and review;
  • record actions and events that could affect the effectiveness or operation of the ISMS.

Finally, the stage "Support and improvement of the information security management system" suggests that the organization should regularly conduct the following activities:

  • identify opportunities for improving the ISMS;
  • take the necessary corrective and preventive actions, applying the information security lessons learned both in its own organization and in other organizations;
  • communicate the actions and improvements to all interested parties, with a level of detail appropriate to the circumstances, and agree on further actions where necessary;
  • ensure that the improvements to the ISMS achieve their intended objectives.

The standard then states the documentation requirements: the documentation must include the ISMS policy and a description of the scope, a description of the risk assessment methodology and the risk assessment report, the risk treatment plan, and the documented procedures. A process for controlling ISMS documents must also be defined, covering updating, use, storage and disposal.

To provide evidence of conformity to the requirements and of the effective operation of the ISMS, records of the execution of processes must be established and maintained. Examples include visitor logs, audit reports, and so on.

The standard specifies that the management of the organization is responsible for providing and managing the resources needed to establish an ISMS and for organizing training for personnel.

As previously noted, the organization should conduct internal ISMS audits in accordance with an approved schedule to assess its functionality and compliance with the standard. And the management should conduct an analysis of the information security management system.

Also, work should be carried out to improve the information security management system: to increase its effectiveness and the level of compliance with the current state of the system and the requirements imposed on it.

An information security management system (ISMS) is that part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security.

If built in accordance with the requirements of ISO/IEC 27001, it is based on the PDCA model:

    Plan - the phase of establishing the ISMS: building the asset inventory, assessing risks and selecting controls;
    Do - the phase of implementing and operating the selected controls;
    Check - the phase of assessing the effectiveness and performance of the ISMS, usually carried out by internal auditors;
    Act - the phase of taking preventive and corrective actions.

Information security concept

The ISO 27001 standard defines information security as: “maintaining the confidentiality, integrity and availability of information; in addition, other properties can be included, such as authenticity, non-repudiation, reliability. "

Confidentiality - ensuring the availability of information only for those who have the appropriate authority (authorized users).

Integrity - ensuring the accuracy and completeness of information, as well as methods of its processing.

Availability - providing access to information to authorized users when necessary (on demand).

4 Information security management system

4.1 General requirements

The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks it faces. For the purposes of this International Standard, the process used is based on the PDCA model shown in Fig. 1.

4.2 Establishment and management of an ISMS

4.2.1 Creating an ISMS

The organization should do the following.

a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology, including details of and justification for any exclusions from the scope (see 1.2).

b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that:

1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;

2) takes into account business and legal or regulatory requirements, and contractual security obligations;

3) aligns with the organization's strategic risk management context in which the establishment and maintenance of the ISMS will take place;

4) establishes the criteria against which risk will be evaluated (see 4.2.1 c)); and

5) has been approved by management.

NOTE: For the purposes of this International Standard, an ISMS policy is an extended set of information security policies. These policies can be described in one document.

c) Develop a framework for risk assessment in the organization.

1) Identify a risk assessment methodology that is suited to the ISMS and to the identified business, legal and regulatory information security requirements.

2) Develop criteria for accepting risk and determine acceptable levels of risk (see 5.1f).

The selected risk assessment methodology should ensure that the risk assessment produces comparable and reproducible results.

NOTE: There are different risk assessment methodologies. Examples of risk assessment methodologies are discussed in ISO/IEC TR 13335-3, Information technology - Guidelines for the management of IT Security - Techniques for the management of IT Security.

d) Identify risks.

1) Identify the assets within the scope of the ISMS, and the owners of these assets. (The term "owner" identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the asset. It does not mean that the person actually has any property rights to the asset.)

2) Identify the threats to these assets.

3) Identify the vulnerabilities that might be exploited by those threats.

4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

e) Analyze and assess risks.

1) Assess the business impact on the organization that might result from a security failure, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.

2) Assess the realistic likelihood of such a security failure occurring in the light of the prevailing threats and vulnerabilities, the impacts associated with the assets, and the controls currently in place.

3) Estimate the levels of risk.

4) Determine whether each risk is acceptable or requires treatment, using the risk acceptance criteria established in 4.2.1 c) 2).

f) Identify and evaluate the options for the treatment of risks.

Possible actions include:

1) Applying suitable controls;

2) Knowingly and objectively accepting risks, provided they clearly satisfy the organization's policy and the criteria for risk acceptance (see 4.2.1 c) 2));

3) Risk avoidance; and

4) Transferring the associated business risks to other parties, for example insurers or suppliers.

g) Select control objectives and controls for the treatment of risks.

Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for risk acceptance (see 4.2.1 c) 2)) as well as legal, regulatory and contractual requirements.

The control objectives and controls from Appendix A shall be selected as part of this process as suitable to cover the identified requirements.

Appendix A is not exhaustive, so additional control objectives and controls may also be selected.

NOTE: Appendix A contains a comprehensive list of control objectives and controls that have been found to be commonly relevant to organizations. Users of this International Standard are directed to Appendix A as a starting point for control selection, to ensure that no important control options are overlooked.

h) Achieve approval of the management of anticipated residual risks.
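The risk assessment and treatment steps of the "Development of an information security management system" stage above and of 4.2.1 c) to h), worked through as an added Python example; this is not code from the standard or from the article. The ordinal scales, the control catalogue and its assumed effect on likelihood, the register entries and the acceptance criterion are all constructed for illustration: the standard prescribes none of them, and the control names are placeholders, not Appendix A identifiers.

```python
from dataclasses import dataclass

# Ordinal scales (assumption of this example). The standard only requires that the
# method give comparable, reproducible results; it does not prescribe the scales.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Placeholder control catalogue (constructed names, not Appendix A numbering).
# The value is the number of likelihood steps the control is assumed to remove.
CATALOGUE = {
    "offsite_backup": 2,
    "mfa_for_admins": 2,
    "patch_management": 1,
    "laptop_disk_encryption": 3,
    "visitor_escort": 1,
}


@dataclass(frozen=True)
class Risk:
    asset: str
    owner: str                  # accountable person, not a holder of property rights (4.2.1 d 1)
    threat: str
    vulnerability: str
    affects: tuple              # which of C, I, A is lost (4.2.1 d 4)
    impact: str                 # business damage if security fails (4.2.1 e 1)
    likelihood: str             # given threat, vulnerability and current controls (4.2.1 e 2)
    proposed_controls: tuple = ()
    transferable: bool = False  # can the consequences be shifted to an insurer or supplier?


def risk_level(likelihood, impact):
    """Ordinal product of the two scales (4.2.1 e 3)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def residual_level(risk):
    """Level remaining once the proposed controls are in place."""
    steps = sum(CATALOGUE[c] for c in risk.proposed_controls)
    return max(1, LIKELIHOOD[risk.likelihood] - steps) * IMPACT[risk.impact]


def treat(risk, acceptable):
    """Choose one of the four options of 4.2.1 f against the acceptance criterion."""
    inherent = risk_level(risk.likelihood, risk.impact)
    if inherent <= acceptable:
        return {"option": "accept", "inherent": inherent, "residual": inherent, "controls": ()}
    residual = residual_level(risk)
    if risk.proposed_controls and residual <= acceptable:
        return {"option": "reduce", "inherent": inherent, "residual": residual,
                "controls": tuple(sorted(risk.proposed_controls))}
    if risk.transferable:
        # The consequences move to a third party; the level is kept so that management
        # can see what is being transferred rather than a reassuring zero.
        return {"option": "transfer", "inherent": inherent, "residual": inherent, "controls": ()}
    # Nothing brings the risk under the criterion: stop the activity that creates it.
    return {"option": "avoid", "inherent": inherent, "residual": 0, "controls": ()}


def assess(register, acceptable):
    """Deterministic report keyed by (asset, threat): same inputs always give the same output."""
    return {(r.asset, r.threat): treat(r, acceptable)
            for r in sorted(register, key=lambda r: (r.asset, r.threat))}


def statement_of_applicability(report):
    """Every catalogue control: selected, with the risks that justify it, or excluded with a reason."""
    soa = {}
    for ctrl in CATALOGUE:
        justified_by = sorted(k for k, t in report.items() if ctrl in t["controls"])
        soa[ctrl] = {"applicable": bool(justified_by), "justified_by": justified_by,
                     "reason": None if justified_by else "no risk above the acceptance criterion requires it"}
    return soa


def residual_risks_for_approval(report):
    """4.2.1 h: residual risks for management sign-off, highest first; avoided risks no longer exist."""
    items = [(k, t["residual"]) for k, t in report.items() if t["option"] != "avoid"]
    return sorted(items, key=lambda kv: (-kv[1], kv[0]))


# Constructed register for a fictional organization; acceptance criterion: level 6 or below.
SAMPLE_REGISTER = (
    Risk("customer_db", "DBA lead", "ransomware", "unpatched_server", ("I", "A"),
         "major", "likely", ("offsite_backup", "patch_management")),
    Risk("admin_console", "IT ops", "credential_stuffing", "password_only_login",
         ("C", "I", "A"), "severe", "possible", ("mfa_for_admins",)),
    Risk("field_laptops", "Sales director", "theft", "no_disk_encryption", ("C",),
         "moderate", "likely", ("laptop_disk_encryption",)),
    Risk("legacy_erp", "CFO", "vendor_abandons_support", "no_source_escrow", ("A",),
         "major", "possible", (), transferable=True),
    Risk("visitor_area", "Facilities", "tailgating", "unattended_reception", ("C",),
         "minor", "possible", ("visitor_escort",)),
    Risk("guest_wifi", "IT ops", "lateral_movement", "flat_network", ("C", "I"),
         "severe", "likely", ("patch_management",)),
)
ACCEPTABLE_LEVEL = 6

if __name__ == "__main__":
    report = assess(SAMPLE_REGISTER, ACCEPTABLE_LEVEL)
    for key, t in report.items():
        print(key, t["option"], "inherent", t["inherent"], "residual", t["residual"])
    for ctrl, row in statement_of_applicability(report).items():
        print(ctrl, "selected" if row["applicable"] else "excluded:", row["justified_by"] or row["reason"])
    print("for management approval:", residual_risks_for_approval(report))
```

Sorting the register and iterating the catalogue in a fixed order is what makes the output satisfy the "comparable and reproducible" requirement of 4.2.1 c): two analysts with the same register and criteria obtain the same report, the same Statement of Applicability and the same list of residual risks for management sign-off. An excluded control carries a written reason, since the Statement of Applicability has to justify exclusions as well as selections, and a transferred risk keeps its level so that management approves what is actually being handed to the insurer or supplier.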

4) facilitate the detection of security events and thus, using certain indicators, prevent security incidents; and

5) determine the effectiveness of actions taken to prevent security breaches.

b) Conduct regular reviews of the effectiveness of the ISMS (including discussion of the ISMS policy and its objectives, review of security controls), taking into account the results of audits, incidents, results of performance measurements, suggestions and recommendations of all interested parties.

c) Measure the effectiveness of controls to verify that security requirements have been met.

d) Review risk assessments at planned intervals, and review the residual risks and the identified acceptable levels of risk, taking into account changes in:

1) organizations;

2) technology;

3) business goals and processes;

4) identified threats;

5) the effectiveness of the implemented management tools; and

6) external events, such as changes in the legal and management environment, changed contractual obligations, changes in the social climate.

e) Conduct internal audits of the ISMS during planned periods (see 6)

NOTE: Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself for internal purposes.

f) Undertake a management review of the ISMS on a regular basis to ensure that its scope remains adequate and that improvements to the ISMS process are identified.

g) Update security plans based on monitoring and audit findings.

h) Record actions and events that could affect the effectiveness or performance of the ISMS (see 4.3.3).
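The requirement in 4.2.3 c) to measure the effectiveness of controls, and the earlier stage item to "define how the effectiveness of the selected controls will be measured", as an added Python example that is not from the standard or the article. It turns one control objective into a measurable indicator with a pass/fail verdict and, on failure, the nonconformity record that the improvement clause then acts on. The control (critical patches installed within 14 days), the 95% target, the host records and the record format are all assumptions constructed for illustration; no real inventory tool's export is being parsed.

```python
from datetime import date, timedelta

# Constructed evidence: the newest critical patch per host, as an (assumed) inventory
# export might report it. "installed" is None while the patch is still missing.
SAMPLE_RECORDS = (
    {"host": "web-01", "released": date(2024, 3, 1), "installed": date(2024, 3, 9)},
    {"host": "web-02", "released": date(2024, 3, 1), "installed": date(2024, 3, 20)},
    {"host": "db-01", "released": date(2024, 3, 1), "installed": None},
    {"host": "jump-01", "released": date(2024, 3, 1), "installed": date(2024, 3, 4)},
    {"host": "build-01", "released": date(2024, 3, 25), "installed": None},
)
AS_OF = date(2024, 4, 1)          # measurement date for the example run
AS_OF_LATER = date(2024, 4, 10)   # a later run, after build-01's window has closed


def measure_patch_control(records, as_of, max_days=14, target=0.95):
    """Effectiveness of a 'critical patches within max_days' control as one indicator.

    A host is compliant if it was patched inside the window, or if the window has
    not yet closed on the measurement date (it is not late yet). A control with no
    evidence at all is refused a verdict instead of being reported as 100%.
    """
    if not records:
        raise ValueError("no evidence: a control with no records cannot be judged effective")
    late = []
    for r in records:
        deadline = r["released"] + timedelta(days=max_days)
        installed = r["installed"]
        patched_in_time = installed is not None and installed <= deadline
        still_open = installed is None and as_of <= deadline
        if not (patched_in_time or still_open):
            late.append(r["host"])
    ratio = 1 - len(late) / len(records)
    return {
        "measured_on": as_of.isoformat(),
        "indicator": round(ratio, 3),
        "target": target,
        "effective": ratio >= target,
        "exceptions": sorted(late),
    }


def nonconformity(measurement, control):
    """A failed measurement becomes the record that corrective action (8.2) starts from."""
    if measurement["effective"]:
        return None
    return {
        "control": control,
        "evidence": measurement,
        "correction": "patch " + ", ".join(measurement["exceptions"]) + " and retest",
        "root_cause_review": "required before closure",
    }


if __name__ == "__main__":
    m = measure_patch_control(SAMPLE_RECORDS, as_of=AS_OF)
    print(m)
    print(nonconformity(m, "patch_management"))
```

The two edge cases are the ones auditors ask about: a patch released a few days before the measurement must not make the control look broken, so hosts whose window is still open are not exceptions; and an empty evidence set is an error, not a perfect score. Keeping the measurement itself inside the nonconformity record gives the corrective action its evidence trail without a separate lookup.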

4.2.4 Maintaining and improving the ISMS

The organization must continually do the following.

a) Implement the identified improvements in the ISMS.

b) Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3. Apply the lessons learned from the security experiences of the organization itself and of other organizations.

c) Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, where relevant, agree on how to proceed.

d) Verify that the improvements have achieved their intended purpose.

4.3 Documentation requirements

4.3.1 General

Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.

It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.

The ISMS documentation should include:

a) a documented statement of the ISMS policy and objectives (see 4.2.1b));

b) the scope of the ISMS (see 4.2.1 a));

c) procedures and controls in support of the ISMS;

d) a description of the risk assessment methodology (see 4.2.1c));

e) risk assessment report (see 4.2.1c) - 4.2.1g));

f) the risk treatment plan (see 4.2.2 b));

g) the documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and to describe how the effectiveness of controls is measured (see 4.2.3 c));

h) documents required by this International Standard (see 4.3.3); and

i) Statement of Applicability.

NOTE 1: For the purposes of this International Standard, the term "documented procedure" means that the procedure is established, documented, implemented and maintained.

NOTE 2: The size of the ISMS documentation in different organizations can vary depending on:

The size of the organization and the type of its assets; and

The scale and complexity of the security requirements and the managed system.

NOTE 3: Documents and records may be in any form or type of medium.

4.3.2 Document control

Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to:

a) approve documents for adequacy prior to issue;

b) review and update documents as necessary and re-approve them;

c) ensure that changes and the current revision status of documents are identified;

d) ensure that the relevant versions of applicable documents are available at points of use;

e) ensure that documents remain legible and readily identifiable;

f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification;

g) ensure that documents of external origin are identified;

h) ensure that the distribution of documents is controlled;

i) prevent the unintended use of obsolete documents; and

j) apply suitable identification to obsolete documents if they are retained for any purpose.

4.3.3 Control of records

Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the ISMS. They shall be protected and controlled. The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented.

Records shall be kept of the performance of the process as outlined in 4.2 and of all occurrences of significant security incidents related to the ISMS.

Examples of records are visitor books, audit records and completed access authorization forms.


"Information Security Management System"


Introduction

An information security management system is a set of processes that work in a company to ensure the confidentiality, integrity and availability of information assets. The first part of the essay examines the process of implementing a management system in an organization, and also provides the main aspects of the benefits of implementing an information security management system.

Fig. 1. Control cycle

The list of processes and recommendations on how best to organize their operation are given in the international standard ISO 27001:2005, which is based on the Plan-Do-Check-Act management cycle. According to it, the ISMS life cycle consists of four types of activity: Establishment - Implementation and operation - Monitoring and review - Maintenance and improvement (Fig. 1). This standard is discussed in more detail in the second part.

Information security management system

An information security management system (ISMS) refers to that part of the overall management system that is based on a business risk approach in the creation, implementation, operation, monitoring, analysis, support and improvement of information security. ISMS processes are designed in accordance with the requirements of ISO / IEC 27001: 2005, which is based on the cycle

The operation of the system is based on modern risk management theory, which allows it to be integrated into the organization's overall risk management system.

The implementation of an information security management system implies the development and implementation of a procedure aimed at systematic identification, analysis and mitigation of information security risks, that is, risks as a result of which information assets (information in any form and of any nature) will lose confidentiality, integrity and availability.

To ensure systematic mitigation of information security risks, based on the results of the risk assessment, the following processes are being implemented in the organization:

· Management of the internal organization of information security.

· Ensuring information security when interacting with third parties.

· Management of the register of information assets and the rules for their classification.

· Equipment safety management.

· Ensuring physical security.

· Ensuring information security of personnel.

· Planning and adoption of information systems.

· Backup.

· Securing the network.

Information security management system processes affect all aspects of the organization's IT infrastructure management, since information security is the result of the sustainable functioning of information technology-related processes.

When building an ISMS in companies, specialists carry out the following work:

· Organize project management, form a project team on the part of the customer and the contractor;

· Define the scope of the ISMS;

Survey the organization within the scope of the ISMS:

o in terms of the organization's business processes, including analysis of the negative consequences of information security incidents;

o in terms of the organization's management processes, including the existing quality management and information security management processes;

o in terms of IT infrastructure;

o in terms of information security infrastructure.

Develop and agree an analytical report containing a list of the main business processes with an assessment of the consequences that the realization of information security threats would have for them, a list of management processes, IT systems and information security subsystems (ISS), an assessment of the degree to which the organization meets all ISO 27001 requirements, and an assessment of the maturity of the organization's processes;

· Select the initial and target level of ISMS maturity, develop and approve the ISMS Maturity Improvement Program; develop high-level information security documentation:

o Concept of information security,

o IS and ISMS policies;

· Select and adapt the risk assessment methodology applicable in the organization;

· Select, supply and deploy software used to automate ISMS processes, organize training for company specialists;

· Assess and treat risks, selecting Appendix A controls of ISO 27001 to reduce them, formulating the requirements for their implementation in the organization, and pre-selecting technical information security tools;

· Develop preliminary designs of the information security subsystems (ISS) and estimate the cost of risk treatment;

· Arrange for the approval of the risk assessment by the top management of the organization and develop the Statement of Applicability; develop organizational measures to ensure information security;

· Develop and implement technical projects on the implementation of technical information security subsystems that support the implementation of the selected measures, including the supply of equipment, commissioning, development of operational documentation and user training;

· Provide consultations during the operation of the constructed ISMS;

· Organize training for internal auditors and conduct internal ISMS audits.

The result of these works is a functioning ISMS. Benefits from the implementation of an ISMS in a company are achieved through:

· Effective management of compliance with legal requirements and business requirements in the field of information security;

· Prevention of IS incidents and damage reduction in case of their occurrence;

· Increasing the culture of information security in the organization;

· Increasing maturity in the field of information security management;

· Optimization of spending on information security.

ISO/IEC 27001 - the international standard on information security

This standard was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It contains the requirements for establishing, developing and maintaining an ISMS, and specifies what an ISMS must provide to demonstrate the organization's ability to protect its information assets. The standard uses the term "information security", understood as ensuring the confidentiality, integrity and availability of information. Its foundation is the information security risk management system. The standard can also be used for conformity assessment by interested internal and external parties.

The standard adopts a process approach to create, implement, operate, continuously monitor, analyze, maintain and improve an information security management system (ISMS). It consists in the application of a system of processes within an organization, together with the identification and interaction of these processes, as well as their management.

The international standard adopts the Plan-Do-Check-Act (PDCA) model, which is also called the Shewhart-Deming cycle. This cycle is used to structure all ISMS processes. Figure 2 shows how the ISMS takes information security requirements and stakeholder expectations as inputs and through the necessary actions and processes produces information security outcomes that meet those requirements and expectations.

Plan is the phase of establishing the ISMS: building the asset inventory, assessing risks and selecting controls.

Figure 2. PDCA model applied to ISMS processes

Do is the phase of implementing and operating the selected controls.

Check is the phase of assessing the effectiveness and performance of the ISMS, usually carried out by internal auditors.

Act is the phase of taking preventive and corrective actions.

Conclusion

ISO 27001 describes a general model for implementing and operating an ISMS and for monitoring and improving it. ISO intends to harmonize its various management system standards, such as ISO 9001:2000 for quality management and ISO 14001:2004 for environmental management systems, so that an ISMS is consistent with and can be integrated into the other management systems of a company. The similarity of the standards allows similar tools and functions to be used for implementation, management, review, verification and certification. The implication is that a company that has already implemented other management system standards can use a single audit and management system that covers quality management, environmental management, security management, and so on. By implementing an ISMS, senior management gains the means to monitor and manage security, which reduces residual business risk. Having implemented an ISMS, the company can formally ensure the security of its information and continue to comply with the requirements of customers, legislation, regulators and shareholders.

It should be noted that in the legislation of the Russian Federation there is a document GOST R ISO / IEC 27001-2006, which is a translated version of the international standard ISO27001.
