Information security management system. Legislative base of the Russian Federation. Information Risk Management

In the world of information technologies, ensuring the integrity, reliability and confidentiality of information becomes a priority. Therefore, recognizing the need for an information security management system (ISMS) in the organization is a strategic decision.

The ISO 27001 Standard was designed to create, implement, maintain and continually improve an ISMS in an enterprise, and by applying this Standard to external partners, it becomes apparent that the organization is able to meet its own information security requirements. This article will discuss the basic requirements of the Standard and its structure.


The main objectives of the ISO 27001 Standard

Before proceeding to the description of the structure of the Standard, let us stipulate its main tasks and consider the history of the appearance of the Standard in Russia.

Objectives of the Standard:

  • establishing uniform requirements for all organizations to create, implement and improve the ISMS;
  • ensuring interaction between senior management and employees;
  • maintaining confidentiality, integrity and availability of information.

At the same time, the requirements established by the Standard are general and are intended to be applied by any organization, regardless of their type, size or nature.

History of the Standard:

  • In 1995, the British Standards Institute (BSI) adopted the Information Security Management Code as a national UK standard and registered it as BS 7799 - Part 1.
  • In 1998, BSI published BS 7799-2 in two parts, one containing a code of practice and the other requirements for information security management systems.
  • In the course of subsequent revisions, the first part was published as BS 7799: 1999, Part 1. In 1999 this version of the standard was transferred to the International Organization for Certification.
  • This document was approved in 2000 as the international standard ISO / IEC 17799: 2000 (BS 7799-1: 2000). The latest version of this standard, adopted in 2005, is ISO / IEC 17799: 2005.
  • In September 2002, the second part of BS 7799, "Information Security Management System Specification", came into force. The second part of BS 7799 was revised in 2002, and at the end of 2005 it was adopted by ISO as the international standard ISO / IEC 27001: 2005 "Information technology - Security techniques - Information security management systems - Requirements".
  • In 2005, the ISO / IEC 17799 standard was included in the 27000 series of standards and received the new number ISO / IEC 27002: 2005.
  • On September 25, 2013, the updated ISO / IEC 27001: 2013 "Information Security Management Systems. Requirements" was published. Currently, organizations are certified according to this version of the Standard.

Structure of the Standard

One of the advantages of this Standard is the similarity of its structure with ISO 9001, as it contains identical headings of subsections, identical text, common terms and basic definitions. This circumstance saves time and money, since part of the documentation has already been developed during the ISO 9001 certification.

If we talk about the structure of the Standard, it is a list of ISMS requirements that are mandatory for certification and consists of the following sections:

Main sections:

  • 0. Introduction
  • 1. Scope (area of application)
  • 2. Normative references
  • 3. Terms and definitions
  • 4. Organization context
  • 5. Leadership
  • 6. Planning
  • 7. Support
  • 8. Operation
  • 9. Performance evaluation (measurement)
  • 10. Improvement

Appendix A:

  • A.5 Information security policies
  • A.6 Information security organization
  • A.7 Human resources (personnel) security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Security of operations
  • A.13 Communications security
  • A.14 Acquisition, development and maintenance of information systems
  • A.15 Supplier relationships
  • A.16 Incident management
  • A.17 Business continuity
  • A.18 Legal compliance

The requirements of "Appendix A" are mandatory, but the standard allows you to exclude areas that cannot be applied in the enterprise.

When implementing the Standard at an enterprise for further certification, it is worth remembering that no exceptions to the requirements established in sections 4 - 10 are allowed. These sections will be discussed further.

Let's start with Section 4 - Organization Context

Organization context

In this section, the Standard requires an organization to identify external and internal issues that are relevant to its objectives and that affect the ability of its ISMS to achieve expected results. In doing so, you should take into account the legal, regulatory and contractual obligations regarding information security. The organization should also define and document the boundaries and applicability of the ISMS in order to establish its scope.

Leadership

Top management should demonstrate leadership and commitment to the information security management system by, for example, ensuring that the information security policy and information security objectives are established and aligned with the organization's strategy. Also, top management should ensure that all the necessary resources for the ISMS are provided. In other words, it should be obvious to employees that management is involved in information security issues.

Information security policy should be documented and communicated to employees. This document resembles the ISO 9001 quality policy. It should also be appropriate for the purpose of the organization and include information security objectives. It is good if these are real goals, such as maintaining the confidentiality and integrity of information.

The management is also expected to distribute functions and responsibilities related to information security among employees.

Planning

In this section we come to the first stage of the PDCA (Plan - Do - Check - Act) management principle - plan, execute, check, act.

When planning an information security management system, the organization should take into account the issues mentioned in Clause 4 and determine the risks and potential opportunities that need to be taken into account in order to ensure that the ISMS can achieve expected results, prevent unwanted effects, and achieve continuous improvement.

When planning how to achieve its information security objectives, the organization should determine:

  • what will be done;
  • what resources will be required;
  • who will be in charge;
  • when goals are achieved;
  • how the results will be assessed.

In addition, the organization shall retain data on information security objectives as documented information.

Support

The organization shall determine and provide the resources needed to develop, implement, maintain and continually improve the ISMS; this includes both personnel and documentation. With regard to personnel, the organization is expected to recruit qualified and competent information security personnel. The qualifications of employees must be confirmed by certificates, diplomas, etc. It is possible to engage third-party specialists under contract, or to train your own employees. As for the documentation, it should include:

  • documented information required by the Standard;
  • documented information determined by the organization to be necessary to ensure the effectiveness of the information security management system.

The documented information required by the ISMS and the Standard must be controlled to ensure that it:

  • available and suitable for use where and when it is needed, and
  • appropriately protected (for example, from loss of confidentiality, misuse, or loss of integrity).

Operation

This section covers the second phase of the PDCA management principle - the need for an organization to manage its processes to ensure compliance and to perform the activities identified in the Planning section. It also states that an organization should perform information security risk assessments at planned intervals or when significant changes are proposed or occur. The organization shall retain the results of the information security risk assessment as documented information.

Performance evaluation

The third stage is checking. The organization shall evaluate the operation and effectiveness of the ISMS. For example, it must conduct internal audits in order to obtain information about whether:

  1. the information security management system conforms to
    • the organization's own requirements for its information security management system;
    • the requirements of the Standard;
  2. the information security management system is effectively implemented and operating.

It goes without saying that the scope and timing of audits should be planned in advance. All results must be documented and retained.

Improvement

The point of this section is to determine the course of action when a nonconformity is detected. The organization needs to correct the nonconformity, deal with its consequences and analyze the situation so that it does not recur in the future. All nonconformities and corrective actions should be documented.

This concludes the main sections of the Standard. Appendix A provides more specific requirements to be met by an organization, for example, in the area of access control, the use of mobile devices and removable media.

Benefits from the implementation and certification of ISO 27001

  • increasing the status of the organization and, accordingly, the trust of partners;
  • increasing the stability of the organization's functioning;
  • increasing the level of protection against information security threats;
  • ensuring the required level of confidentiality of information of interested parties;
  • expanding the organization's ability to participate in large contracts.

The economic benefits are:

  • independent confirmation by the certification body that the organization has a high level of information security controlled by competent personnel;
  • proof of compliance with applicable laws and regulations (compliance with the system of mandatory requirements);
  • demonstration of a certain high level of management systems to ensure the proper level of service to customers and partners of the organization;
  • demonstration of regular audits of management systems, performance appraisals and continuous improvement.

Certification

An organization can be certified by accredited agencies in accordance with this standard. The certification process consists of three stages:

  • 1st stage - the auditor's study of key ISMS documents for compliance with the requirements of the Standard - can be performed both on the territory of the organization and by transferring these documents to an external auditor;
  • 2nd stage - detailed audit, including testing of implemented measures, and assessment of their effectiveness. Includes a complete study of the documents required by the standard;
  • 3rd stage - implementation of an inspection audit to confirm that the certified organization meets the stated requirements. Performed on a periodic basis.

Outcome

As you can see, the use of this standard at the enterprise makes it possible to qualitatively improve the level of information security, which is worth a great deal in today's conditions. The standard contains many requirements, but the most important requirement is to do what is written! Without actually applying the requirements of the standard, it turns into an empty set of pieces of paper.

GOST R ISO / IEC 27001-2006 "Information technology. Methods and means of ensuring security. Information security management systems. Requirements"

The developers of the standard note that it was prepared as a model for the development, implementation, operation, monitoring, analysis, support and improvement of the information security management system. An ISMS is defined as part of the overall management system, based on the use of business risk assessment methods, for the development, implementation, operation, monitoring, analysis, support and improvement of information security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

The standard assumes the use of a process approach for the development, implementation, operation, monitoring, analysis, support and improvement of the organization's ISMS. It is based on the Plan - Do - Check - Act (PDCA) model, which can be applied to structure all ISMS processes. Figure 4.4 shows how the ISMS, using information security requirements and the expected results of interested parties as input, through the necessary actions and processes, provides information security outputs that meet these requirements and the expected results.

Figure 4.4.

At the stage "Development of an information security management system" the organization should do the following:

  • define the scope and boundaries of the ISMS;
  • determine the ISMS policy based on the characteristics of the business, the organization, its location, assets and technologies;
  • determine the approach to risk assessment in the organization;
  • identify risks;
  • analyze and assess risks;
  • identify and evaluate different options for risk treatment;
  • select objectives and controls for risk treatment;
  • obtain management approval of the anticipated residual risks;
  • obtain permission from the management for the implementation and operation of the ISMS;
  • prepare a Statement of Applicability.

The stage "Implementation and operation of the information security management system" suggests that the organization should:

  • develop a risk treatment plan that defines the appropriate management actions, resources, responsibilities and priorities for information security risk management;
  • implement the risk treatment plan to achieve the intended management objectives, which includes financing issues, as well as the distribution of roles and responsibilities;
  • implement the selected management measures;
  • determine the way to measure the effectiveness of the selected control measures;
  • implement training and professional development programs for employees;
  • manage the work of the ISMS;
  • manage ISMS resources;
  • implement procedures and other control measures to ensure rapid detection of information security events and response to information security incidents.

The third stage, "Monitoring and analysis of the information security management system", requires the organization to:

  • carry out monitoring and analysis procedures;
  • conduct regular analysis of the effectiveness of the ISMS;
  • measure the effectiveness of controls to verify compliance with IS requirements;
  • revise risk assessments at specified time intervals, analyze residual risks and established acceptable levels of risks, taking into account changes;
  • conduct internal audits of the ISMS at specified time intervals;
  • regularly conduct a management review of the ISMS in order to confirm the adequacy of its functioning and determine the directions for improvement;
  • update IS plans taking into account the results of analysis and monitoring;
  • record actions and events that could affect the effectiveness or operation of the ISMS.

Finally, the stage "Support and improvement of the information security management system" suggests that the organization should regularly conduct the following activities:

  • identify opportunities for improving the ISMS;
  • take the necessary corrective and preventive actions, and apply in practice the IS experience gained both in their own organization and in other organizations;
  • transmit detailed information on actions to improve the ISMS to all interested parties, with a degree of detail appropriate to the circumstances, and, if necessary, agree on further actions;
  • ensure the implementation of improvements to the ISMS to achieve the planned objectives.

Further in the standard, the requirements for documentation are given, which should include the provisions of the ISMS policy and a description of the area of ​​operation, a description of the methodology and a risk assessment report, a risk treatment plan, and documentation of related procedures. A process for managing ISMS documents should also be defined, including updating, use, storage and disposal.

To provide evidence of compliance with the requirements and the effectiveness of the ISMS, it is necessary to maintain records of the execution of processes. Examples include visitor logs, audit reports, etc.

The standard specifies that the management of the organization is responsible for providing and managing the resources needed to establish an ISMS and for organizing training for personnel.

As previously noted, the organization should conduct internal ISMS audits in accordance with an approved schedule to assess its functionality and compliance with the standard. And the management should conduct an analysis of the information security management system.

Also, work should be carried out to improve the information security management system: to increase its effectiveness and the level of compliance with the current state of the system and the requirements imposed on it.

Introduction

A fast-growing company, as well as a giant in its segment, is interested in making a profit and protecting itself from the influence of intruders. If earlier the theft of material assets was the main danger, today theft is aimed primarily at valuable information. The transfer of a significant part of information into electronic form and the use of local and global networks create qualitatively new threats to confidential information.

Banks, management organizations, and insurance companies are especially acutely aware of the leakage of information. Information protection in the enterprise is a set of measures that ensure the safety of customer and employee data, important electronic documents and all sorts of information, secrets. Each enterprise is equipped with computer equipment and access to the World Wide Web. Attackers skillfully connect to almost every component of this system and use a large arsenal (viruses, malware, password guessing, etc.) to steal valuable information. An information security system must be implemented in every organization. Leaders need to collect, analyze and categorize all types of information that needs to be protected, and use an appropriate security system. But this will not be enough, because, in addition to technology, there is a human factor, which can also successfully leak information to competitors. It is important to properly organize the protection of your enterprise at all levels. For these purposes, an information security management system is used, with the help of which the manager will establish a continuous process of monitoring the business and ensure a high level of security of his data.

1. Relevance of the topic

For each modern enterprise, company or organization, one of the most important tasks is precisely to ensure information security. When an enterprise stably protects its information system, it creates a reliable and secure environment for its operations. Damage, leakage, lack and theft of information are always losses for every company. Therefore, the creation of an information security management system at enterprises is an urgent issue of our time.

2. Goals and objectives of the study

Analyze the ways of creating an information security management system at the enterprise, taking into account the peculiarities of the Donetsk region.

  • analyze the current state of information security management systems at enterprises;
  • identify the reasons for the creation and implementation of an information security management system at enterprises;
  • develop and implement an information security management system using the example of the enterprise PJSC Donetsk Mine Rescue Equipment Plant;
  • evaluate the effectiveness, efficiency and economic feasibility of introducing an information security management system at the enterprise.

3. Information security management system

Information security is understood as the state of protection of information and supporting infrastructure from accidental or deliberate influences of a natural or artificial nature (information threats, threats to information security), which can cause unacceptable damage to the subjects of information relations.

Availability of information is the property of the system to provide timely and unimpeded access for authorized (legitimate) subjects to the information of interest to them, or to carry out timely information exchange between them.

Integrity of information is a property of information that characterizes its resistance to accidental or deliberate destruction or unauthorized change. Integrity can be divided into static (understood as the immutability of information objects) and dynamic (related to the correct execution of complex actions (transactions)).

Confidentiality of information is the property of information to be known and accessible only to authorized subjects of the system (users, programs, processes). Confidentiality is the most developed aspect of information security in our country.

The information security management system (hereinafter ISMS) is a part of the general management system based on approaches to business risk, intended for the establishment, implementation, management, monitoring, maintenance and improvement of information security.

The main factors affecting the protection of information and data in the enterprise are:

  • Enhancement of the company's cooperation with partners;
  • Business process automation;
  • The tendency to an increase in the volume of information of the enterprise, which is transmitted through available communication channels;
  • The upward trend in computer crimes.

The tasks of the company's information security systems are multifaceted. For example, this is the provision of reliable data storage on various media; protection of information transmitted through communication channels; restricting access to some data; creating backups and more.

A full-fledged information security of a company is real only with the right approach to data protection. In the information security system, it is necessary to take into account all the current threats and vulnerabilities.

One of the most effective tools for managing and protecting information is the information security management system built on the basis of the MS ISO / IEC 27001: 2005 model. The standard is based on a process approach to the development, implementation, operation, monitoring, analysis, maintenance and improvement of the company's ISMS. It consists in the creation and application of a system of management processes that are interconnected in a continuous cycle of planning, implementation, verification and improvement of the ISMS.

This International Standard has been prepared with the aim of creating a model for the development, implementation, operation, monitoring, analysis, maintenance and improvement of an ISMS.

The main factors for the implementation of an ISMS:

  • legislative - the requirements of the current national legislation in terms of IS, international requirements;
  • competitive - compliance with the level, elitism, protection of their intangible assets, superiority;
  • anti-crime - protection from raiders (white collars), prevention of mischief and secret surveillance, collection of evidence for proceedings.

The structure of information security documentation is shown in Figure 1.

Figure 1 - The structure of the documentation in the field of information security

4. Building an ISMS

ISO proponents use the PDCA model to create an ISMS. ISO applies this model to many of its management standards and ISO 27001 is no exception. In addition, following the PDCA model in organizing the management process allows you to use the same techniques in the future - for quality management, environmental management, safety management, as well as in other areas of management, which reduces costs. Therefore, PDCA is an excellent choice, fully meeting the tasks of creating and maintaining an ISMS. In other words, the PDCA stages define how to establish policies, objectives, processes and procedures appropriate to the risks being handled (Plan stage), implement and use them (Do stage), evaluate and, where possible, measure the results of the process against the policy (Check stage), and take corrective and preventive actions (Act stage). Additional concepts that are not part of the ISO standards but can be useful in creating an ISMS are: the state as it should be (to-be); the state as is (as-is); the transition plan.

The basis of ISO 27001 is an information risk management system.

Stages of creating an ISMS

As part of the work on the creation of an ISMS, the following main stages can be distinguished:


Figure 2 - PDCA model for information security management

5. Information Risk Management

Risk management is considered at the administrative level of information security, since only the management of the organization is able to allocate the necessary resources, initiate and control the implementation of relevant programs.

The use of information systems is associated with a certain set of risks. When the potential damage is unacceptably large, it is necessary to take economically justified measures of protection. Periodic (re) assessment of risks is necessary to monitor the effectiveness of security activities and to take into account changes in the environment.

The essence of risk management activities is to assess their size, develop effective and cost-effective measures to mitigate risks, and then ensure that risks are contained within acceptable limits (and remain so).

The risk management process can be divided into the following stages:

  1. The choice of the analyzed objects and the level of detail of their consideration.
  2. Choice of risk assessment methodology.
  3. Identification of assets.
  4. Analysis of threats and their consequences, identification of vulnerabilities in protection.
  5. Risk assessment.
  6. Selection of protective measures.
  7. Implementation and verification of the selected measures.
  8. Residual risk assessment.

Risk management, like any other information security activity, needs to be integrated into the life cycle of the information system. Then the effect is greatest, and the costs are minimal.

It is very important to choose a reasonable risk assessment methodology. The purpose of the assessment is to get an answer to two questions: are the existing risks acceptable, and if not, which protective measures should be used. This means that the assessment should be quantitative, allowing comparison with pre-selected limits of acceptability and with the costs of implementing new security controls. Risk management is a typical optimization problem, and there are quite a few software products that can help solve it (sometimes such products are simply bundled with books on information security). The fundamental difficulty, however, is the inaccuracy of the initial data. You can, of course, try to get a monetary expression for all the analyzed quantities and calculate everything to the nearest penny, but there is not much sense in this. It is more practical to use conventional units. In the simplest and perfectly acceptable case, you can use a three-point scale.

The main stages of risk management.

The first step in analyzing threats is identifying them. The types of threats under consideration should be selected based on common sense considerations (excluding, for example, earthquakes, but not forgetting about the possibility of the organization being seized by terrorists), but within the selected types, carry out the most detailed analysis.

It is advisable to identify not only the threats themselves, but also the sources of their occurrence - this will help in choosing additional means of protection.

After identifying the threat, it is necessary to assess the likelihood of its implementation. It is permissible to use a three-point scale (low (1), medium (2) and high (3) probability).

If any risks turned out to be unacceptably high, it is necessary to neutralize them by implementing additional protection measures. Typically, to eliminate or neutralize the vulnerability that made the threat real, there are several security mechanisms, differing in efficiency and cost.

As with any other activity, the implementation and testing of new security controls should be planned in advance. The plan must take into account the availability of financial resources and the timing of staff training. If we are talking about a software and hardware protection mechanism, you need to draw up a test plan (stand-alone and integrated).

When the intended measures are taken, it is necessary to check their effectiveness, that is, to make sure that the residual risks have become acceptable. If this is actually the case, then you can safely schedule the date of the next revaluation. Otherwise, you will have to analyze the mistakes made and re-run the risk management session immediately.
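The risk-management loop described in this section (identify threats and their sources, rate likelihood and impact on the three-point scale, compare the product against a pre-selected acceptability limit, pick the cheapest control that brings the risk within the limit, and flag anything still unacceptable for another pass) can be made concrete as a small risk register. The code below is an added example and is not part of any of the articles on this page; every asset, threat, cost and the acceptability limit of 3 are constructed values, and the "control lowers the likelihood or impact level" model is an assumption used to keep the arithmetic on the 1..9 scale.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pre-selected acceptability limit on the 1..9 product scale (constructed value).
ACCEPTABLE_RISK = 3


def check_level(level: int) -> int:
    """Reject anything outside the three-point scale: 1 low, 2 medium, 3 high."""
    if level not in (1, 2, 3):
        raise ValueError(f"level must be 1, 2 or 3, got {level!r}")
    return level


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                               # conventional units, not money
    likelihood_after: Optional[int] = None  # level the control brings likelihood to; None = unchanged
    impact_after: Optional[int] = None      # level the control brings impact to; None = unchanged


@dataclass
class Risk:
    asset: str
    threat: str
    source: str                             # origin of the threat, recorded as the text advises
    likelihood: int
    impact: int
    candidates: Tuple[Control, ...] = ()    # security mechanisms differing in cost and effect
    applied: Optional[Control] = None

    def __post_init__(self) -> None:
        check_level(self.likelihood)
        check_level(self.impact)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual_with(self, ctrl: Optional[Control]) -> int:
        """Risk level that would remain if `ctrl` were applied."""
        if ctrl is None:
            return self.inherent()
        lik = self.likelihood if ctrl.likelihood_after is None else ctrl.likelihood_after
        imp = self.impact if ctrl.impact_after is None else ctrl.impact_after
        return check_level(lik) * check_level(imp)

    def residual(self) -> int:
        return self.residual_with(self.applied)


def select_control(risk: Risk, limit: int = ACCEPTABLE_RISK) -> Optional[Control]:
    """Cheapest candidate that brings the risk within the limit, or None if no candidate does."""
    adequate = [c for c in risk.candidates if risk.residual_with(c) <= limit]
    return min(adequate, key=lambda c: c.cost) if adequate else None


def treat(register: List[Risk], limit: int = ACCEPTABLE_RISK) -> List[Risk]:
    """Treat every unacceptable risk in place; return the risks that are still
    above the limit, which must go back through another risk-management pass."""
    unresolved = []
    for risk in register:
        if risk.inherent() <= limit:
            continue                        # acceptable as is; no control needed
        risk.applied = select_control(risk, limit)
        if risk.residual() > limit:
            unresolved.append(risk)
    return unresolved


def build_sample_register() -> List[Risk]:
    """Constructed sample data for illustration, not from any real assessment."""
    return [
        Risk("customer database", "unauthorized access via guessed passwords",
             "external attacker", likelihood=3, impact=3,
             candidates=(Control("multi-factor authentication", cost=5, likelihood_after=1),
                         Control("stricter password policy", cost=2, likelihood_after=2))),
        Risk("file server", "data loss from disk failure", "hardware fault",
             likelihood=2, impact=3,
             candidates=(Control("nightly off-site backups", cost=3, impact_after=1),)),
        Risk("public website", "defacement", "external attacker",
             likelihood=2, impact=2,
             candidates=(Control("web application firewall", cost=4, likelihood_after=2),)),
        Risk("visitor log", "accidental disclosure", "staff error",
             likelihood=1, impact=1),
    ]


def report(register: List[Risk]) -> List[str]:
    """One line per risk: inherent level, chosen control, residual level."""
    return [f"{r.asset}: inherent={r.inherent()} "
            f"control={r.applied.name if r.applied else '-'} residual={r.residual()}"
            for r in register]


if __name__ == "__main__":
    reg = build_sample_register()
    unresolved = treat(reg)
    print("\n".join(report(reg)))
    print("re-run risk management for:", [r.asset for r in unresolved])
```

With the constructed data, the customer database (inherent 9) is brought to 3 by multi-factor authentication because the cheaper password policy only reaches 6; the file server risk (6) drops to 2 through backups, which lower impact rather than likelihood; the website defacement risk (4) has no candidate that reaches the limit, so it is reported back for the immediate re-run the text calls for; and the visitor log (1) is left untreated as already acceptable.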

Conclusions

Each head of the enterprise cares about his business and therefore must understand that the decision to implement an information security management system (ISMS) is an important step that will minimize the risks of loss of assets of the enterprise / organization and reduce financial losses, and in some cases avoid bankruptcy.

Information security is important for businesses, both private and public sectors. It should be seen as a tool for assessing, analyzing and minimizing the associated risks.

The security that can be achieved by technology alone is limited and should be supported by appropriate controls and procedures.

Defining controls requires careful planning and attention.

To effectively protect information, the most appropriate security measures should be developed, which can be achieved by identifying the main risks of information in the system and implementing appropriate measures.

  • Shahalov Igor Yurievich

    On the issue of integrating quality management systems and information security

    Abstract: The international standards ISO 27001 and ISO 9001 are considered. The analysis of the similarities and differences between the quality management system and the information security management system is carried out. The possibility of integrating the quality management system and the information security management system is shown. The main stages of construction and implementation of an integrated information security management system are given. The advantages of the integrated approach are shown.

    Key words: information security management systems, integrated management systems, ISMS, QMS, ISO 27001.

    Natalia Olegovna

    Introduction

    In the modern world, with the advent of common and convenient technical devices, the problem of information security has emerged quite sharply. Along with releasing quality products or providing services, it is important for enterprises and organizations to keep the necessary information secret from competitors in order to remain in a favorable position in the market. In the competitive struggle, various actions aimed at obtaining confidential information by different means are widespread, up to direct industrial espionage using modern technical means of intelligence.

    Thus, organizations that adhere to the world's best practices, which contain requirements and guidelines for the implementation of business process management systems, are becoming leaders in the market. The best standards for the design, implementation, monitoring and improvement of such systems are the documents of the International Organization for Standardization (ISO). Particular attention should be paid to the standards of the ISO 900x and ISO 2700x series, which collect the best practices for the implementation of a quality management system (QMS) and an information security management system (ISMS).

    The quality management system, implemented in accordance with the requirements of the ISO 9001 standard, has long been recognized as an integral attribute of a successful company that produces high-quality products or provides high-class services. Today, holding a certificate of conformity is both an effective marketing solution and a mechanism for controlling production processes. QMS audit is a well-developed area of business.

    The success of a company's activities increasingly depends on its corporate information protection system. This is due to the increase in the volume of vital data processed in the corporate information system. Information systems are becoming more complex, and the number of vulnerabilities found in them is also growing. An ISMS audit makes it possible to assess the current state of security of the corporate information system, to assess and predict risks, and to manage their impact on the company's business processes.

    Since the ISO 9001 standard has long taken the leading position in the number of certificates in the world, and the ISO 27001 standard shows a tendency towards an increase in the certification of the information security management system, it is advisable to consider the possible interaction and integration of the QMS and the ISMS.

    Integration of standards

    At first glance, quality management and information security are completely different areas. However, in practice, they are closely related and form one whole (Figure 1). Customer satisfaction, which is an objective quality goal, every year more and more depends on the availability of information technology and on data security, for the maintenance of which the ISO 27001 standard is used. On the other hand, the ISO 9001 standard exactly matches the corporate goals of the organization, helping to ensure security. Thanks to an integrated approach, ISO 27001 can be effectively integrated into existing QMS or implemented together with QMS.

    Information security and quality management standards aim at continual improvement in accordance with the Plan-Do-Check-Act (PDCA) model known as the Deming Cycle (see Figure 2). In addition, they are similar in structure, as shown in the correspondence table in Annex C of ISO 27001. Both standards define the process approach, scope, system and documentation requirements, and management responsibility. In both cases, the structure ends with an internal audit, management review and system improvement. In this, both systems interact. For example, ISO 9001 requires the management of nonconforming products. Likewise, the ISO 27001 standard has an incident management requirement for resolving failures.

    Fig. 1. Spheres of interaction and similarity of the QMS and ISMS

    Fig. 2. Deming cycle

    More than 27,200 organizations of various industries in more than 100 countries of the world are certified for compliance with ISO 9001:2008 for quality management. Depending on the market and legal requirements, many organizations are increasingly forced to deal with information security. In this regard, the integration of management systems offers real possibilities. An integrated approach is also interesting for companies that have not used any management process until now. ISO standards for quality (ISO 9001), environmental protection (ISO 14000), information security (ISO 27001) and IT service management (ISO 20000) have a similar structure and process approach. This creates a synergy that pays off: in practice, an integrated management system for ongoing operations saves 20 to 30 percent of the total cost of system optimization, checks and revisions.

    The differences between the standards are useful in complementing each other, which decisively contributes to increased business success. For example, ISO 9001 requires the definition of corporate goals, customer focus and measurability of the extent to which goals and objectives are met. These are three issues that are not at the center of ISO 27001's interests. In turn, this standard prioritizes risk management to maintain business continuity and offers detailed assistance in implementing an ISMS. Compared with this, ISO 9001 is more of a theoretical standard.

    ISO 27001 - a standard not only for IT

    Many people think that the ISO 27001 standard is only for IT processes, but in reality this is not the case. The fundamental point for implementing an ISMS according to ISO 27001 is the definition of assets.

    Fig. 3. Types of assets

    An asset is understood as everything that is of value to the company (Figure 3). That is, an asset can be: human resources, infrastructure, tools, equipment, communications, services and any other assets, including services for the supply of purchased products. Based on its processes, the company determines which assets it has and which assets are involved in critical processes, and evaluates the value of those assets. Only after that is the risk assessment made for all valuable assets. Thus, the ISMS is intended not only for digital information that is processed in automated systems. For example, some of the most critical processes involve the storage of hard copies of information, which is also covered by ISO 27001. An ISMS covers all the ways in which important information can be stored in your company, from how your e-mails are protected to where the personal files of employees are stored in the building.

    Therefore, it is a huge misconception that since the standard is aimed at building an information security management system, then this can only apply to data stored in a computer. Even in our digital age, a lot of information is still reflected on paper, which must also be reliably protected.

    ISO 9001 cannot meet the company's information security needs, since it is narrowly focused on product quality. Therefore, it is very important to implement ISO 27001 in the company. At first glance, it may seem to a specialist that both standards are very general and do not have specificity. However, this is not the case: the ISO 27001 standard describes almost every step of implementing and controlling the functioning of an ISMS (Figure 4).

    The main stages of building an information security management system

    The main stages of building an ISMS are illustrated in Figure 4. Let's consider them in more detail.

    Fig. 4. Stages of building an ISMS

    Stage 1. Preparation of action plans. At this stage, specialists collect organizational and administrative documents (ORD) and other working materials relating to the construction and operation of the company's information systems and to the mechanisms and means of ensuring information security that are planned for use. In addition, action plans for the stages of work are drawn up, agreed upon and approved by the company's management.

    Stage 2. Checking for compliance with ISO/IEC 27001:2005. Interviewing and questioning managers and employees of departments. Analysis of the company's ISMS for compliance with the requirements of ISO/IEC 27001:2005.

    Stage 3. Analysis of regulatory and organizational and administrative documents based on the organizational structure of the company. Based on the results, the protected scope is determined and a draft of the company's information security policy is developed.

    Stage 4. Analysis and assessment of information security risks. Development of a methodology for managing and analyzing the company's risks. Analysis of the company's information resources, primarily the LAN, in order to identify threats and vulnerabilities of the protected assets. Inventory of assets. Consultation with the company's specialists and assessment of the actual level of security against the required level. Calculation of risks, determination of the current and acceptable level of risk for each specific asset. Risk ranking, selection of sets of measures to reduce them, and calculation of the theoretical efficiency of their implementation.

    Stage 5. Development and implementation of information security action plans. Development of a statement of applicability of controls in accordance with ISO/IEC 27001:2005. Development of a risk treatment plan. Preparation of reports for the head of the company.

    Stage 6. Development of normative and operational documents. Development and approval of the final information security policy and related provisions (private policies). Development of standards, procedures and instructions to ensure the normal functioning and operation of the company's ISMS.

    Stage 7. Implementation of comprehensive measures to reduce information security risks and assessment of their effectiveness in accordance with the risk treatment plan approved by the management.

    Stage 8. Personnel training. Development of action plans and implementation of programs for training and improving the competence of company employees, in order to convey information security principles effectively to all employees and, primarily, to those who work in the structural units that provide key business processes.

    Stage 9. Formation of reporting. Systematization of survey results and preparation of reports. Presentation of the results of the work to the heads of the company. Preparation of documents for certification of compliance with ISO/IEC 27001:2005 and their transfer to the certifying organization.

    Stage 10. Analysis and assessment of the results of the ISMS implementation based on the methodology that assesses the reliability of the company's ISMS functioning. Development of recommendations for improving the company's information security management system.
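The risk calculation and ranking described in Stage 4, together with the effectiveness check of the selected measures in Stage 7, is easiest to see in a small risk register. The following Python is an added example and is not code from the article or from ISO/IEC 27001: the 1..5 scoring scale, the product formula for risk, the acceptance threshold, the sample assets and the control effectiveness figures are all assumptions constructed for illustration.

```python
"""Constructed risk-register example for the asset-based risk assessment
described in Stage 4 and the effectiveness check of Stage 7.

The scoring scale, the sample assets, the acceptance threshold and the control
effectiveness values are assumptions for illustration, not values from the
standard or from any real company."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: int          # business value of the asset, 1..5 (assumed scale)
    likelihood: int     # likelihood of the threat materialising, 1..5 (assumed)
    vulnerability: int  # ease of exploiting the weakness, 1..5 (assumed)


def risk_score(a: Asset) -> int:
    """Qualitative risk = value * likelihood * vulnerability (1..125).

    This product scheme is an assumption chosen for the example; each factor
    is validated so that an out-of-scale entry in the register is rejected."""
    for factor in (a.value, a.likelihood, a.vulnerability):
        if not 1 <= factor <= 5:
            raise ValueError(f"{a.name}: factor {factor} outside the 1..5 scale")
    return a.value * a.likelihood * a.vulnerability


def rank_risks(assets, acceptable: int):
    """Return (asset name, score, above_acceptable) tuples, highest risk first.

    'acceptable' is the risk acceptance criterion that management sets in
    Stage 4; anything above it must be treated rather than accepted."""
    rows = []
    for a in assets:
        score = risk_score(a)
        rows.append((a.name, score, score > acceptable))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def residual_risk(score: int, effectiveness: float) -> int:
    """Theoretical residual risk after applying a control.

    'effectiveness' is the fraction of the current risk the control is
    assumed to remove; the result is rounded to the integer scale."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be in [0, 1]")
    return round(score * (1 - effectiveness))


def treatment_plan(assets, acceptable: int, controls: dict):
    """Build a risk treatment plan.

    controls maps asset name -> (control name, assumed effectiveness).
    Assets without a planned control keep their current risk, so the plan
    makes visible which risks are still above the acceptable level."""
    plan = []
    for name, score, _above in rank_risks(assets, acceptable):
        control, eff = controls.get(name, ("none", 0.0))
        residual = residual_risk(score, eff)
        plan.append({
            "asset": name,
            "risk": score,
            "control": control,
            "residual": residual,
            "accepted": residual <= acceptable,
        })
    return plan


# Constructed sample register; includes a paper asset, since the article
# stresses that hard-copy information is in scope of the ISMS too.
SAMPLE_ASSETS = [
    Asset("customer database", value=5, likelihood=4, vulnerability=4),  # 80
    Asset("HR paper archive", value=4, likelihood=2, vulnerability=3),   # 24
    Asset("e-mail server", value=4, likelihood=5, vulnerability=3),      # 60
    Asset("office Wi-Fi", value=2, likelihood=3, vulnerability=2),       # 12
]

ACCEPTABLE_RISK = 27  # assumed acceptance criterion approved by management

# Assumed controls and their assumed effectiveness (hypothetical values).
SAMPLE_CONTROLS = {
    "customer database": ("encryption at rest and quarterly access review", 0.75),
    "e-mail server": ("patching SLA and multi-factor authentication", 0.5),
}

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_ASSETS, ACCEPTABLE_RISK, SAMPLE_CONTROLS):
        print(row)
```

With the constructed values, the customer database (risk 80) drops to 20 and is accepted, while the e-mail server (risk 60) only drops to 30, which is still above the threshold of 27. That second case is the point of the Stage 7 check: a control that looks adequate on paper can leave residual risk above the acceptable level, so the treatment plan has to be revisited before the statement of applicability is finalised.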

    Analyzing each stage of ISMS implementation, we can say that ISO 27001 has a clear structure and requirements that will allow you to build a working system in which there will be interaction at all necessary levels. But we must not forget that the main difference between the ISMS and the QMS is that the first system is focused on information security.

    The importance of information security in the modern world

    Today's business cannot exist without information technology. It is known that about 70% of the world's gross national product depends in one way or another on information stored in information systems. The widespread introduction of computers has created not only well-known conveniences but also problems, the most serious of which is the problem of information security.

    Business leaders need to understand the importance of information security and learn to predict and manage trends in this area. In this they can be helped by the introduction of an ISMS, which by its structure has the potential for development, transparency of management and flexibility to any changes. Along with controls for computers and computer networks, the ISO 27001 standard pays great attention to the development of security policy, work with personnel (hiring, training, dismissal), ensuring continuity of the production process and regulatory requirements, while some technical issues are detailed in other standards of the ISO 27000 series. There are many advantages of introducing an ISMS into the company, some of which are shown in Fig. 5.

    Fig. 5. Benefits of implementing an information security management system

    The following benefits of ISO 27001 should be pointed out.

    Demonstration of security competence. ISO 27001 is a practical guide that helps an organization formulate security requirements in order to achieve the required level of security and meet specific security objectives. It is especially important for organizations to be competent in four areas of security management: identifying and assessing company assets, assessing risks and defining criteria for accepting risks, managing and adopting these items, and continual improvement of the organization's overall security program.

    Ensuring customer confidence. ISO 27001 provides independent proof that corporate governance programs are supported by the best international practices. ISO 27001 certification provides peace of mind to corporations seeking to demonstrate integrity to customers, shareholders and potential partners, and most importantly, to show that the company has successfully implemented a robust information security management system. For many heavily regulated industries such as finance or Internet services, supplier selection can be limited to those organizations that are already ISO 27001 certified.

    More efficient use of resources. Thanks to the use of the process approach, it is possible to optimize the processes taking place in the company, which entails a decrease in the use of resources, for example, time.

    Continuous improvement. The ISMS uses the PDCA model, which allows you to regularly check the status of the entire system, and to analyze and improve the management system.

    1. Image, brand. Certification for compliance with ISO 27001 opens up wide opportunities for the company: access to the international level, new partnerships, more clients, new contracts, success in tenders. The presence of an ISMS in a company is an indicator of a high level of development.

    2. Flexibility of the ISMS. Regardless of changes in processes, new technologies, the basis of the ISMS structure remains effective. The ISMS adapts quite easily to innovations by modernizing existing and introducing new countermeasures.

    3. Scalability of the implementation of the standard. Since ISO 27001 requires scoping, only a subset of the processes can be certified. You can start implementing the ISMS in the scope most significant for the company, and only later expand it.

    4. Audit. Many Russian companies perceive audit work as a disaster. ISO 27001 shows an international approach to auditing: first of all, the company's interest in actually meeting the standard, and not doing the certification somehow, just "for show".

    5. Regular internal or external audits allow correcting violations, improving the ISMS, and significantly reducing risks. First of all, the company needs this for its own peace of mind, to know that everything is in order and the risk of losses is minimized. Only secondarily comes the certificate of conformity, which confirms for partners or customers that this company can be trusted.

    6. Transparency of management. The use of the ISO 27001 standard provides fairly clear instructions for creating management, as well as the requirements for the documentation that must exist in the company. The problem for many companies is that the existing documents for certain departments are simply not readable, because it is often impossible to figure out what is intended for whom, owing to the complexity of the documentation system. The hierarchy of levels of documentation, from the information security policy to the description of specific procedures, makes the use of existing rules, regulations and other documents much easier. The introduction of an ISMS also involves staff training: holding seminars, mailings, hanging warning posters, which significantly increases awareness of information security among ordinary employees.

    In conclusion, it should be noted that in modern business the integration of the basic quality management system, built in accordance with the requirements of the ISO 9001 standard, with the information security management system, which is gaining ground, is an obvious step.

    Today, the market leader will be companies that monitor not only indicators of the quality of products and services, but also the levels of confidentiality, integrity and availability of information about them. Forecasting and risk assessment is also an important success factor, which requires a competent approach and the use of the best international practices. Joint implementation and certification of quality management and information security systems will help solve a wide range of problems for any industry or trade, which in turn will lead to a qualitative increase in the level of services provided.

