Thursday, January 10, 2008

Protecting your information assets

In a world where information is both the currency and the key asset of many major organisations, effective information security is well-recognised as both a business and risk management priority.

What is less well understood – in particular in an environment characterised by constant change and an ever-expanding web of critical interdependencies – is how best to achieve information security.

According to SAI Global Information Security Management Systems Program Manager, Mr Brahman Thiyagalingham: “Within many leading corporates there is a fair understanding that the failure to maintain the confidentiality of information, the integrity of information and the availability of information may present an unacceptable risk.”

According to Mr Thiyagalingham, fast-moving technology, the emergence of relatively new information-based businesses and, until recently, a lack of widely accepted information security management guidelines have led to something of an ad hoc approach to information security management.

One common approach taken by major corporates has been to have their information security needs addressed by external consultants, who also assist with the maintenance and assessment of the systems.

“Certainly there are merits to this approach in terms of creating and implementing a management system,” said Mr Thiyagalingham. “Where a system can fall down, however, is when the management system developer and implementer is also the person who carries out regular assessments (internal audits) to determine compliance with information security objectives. If we have learned anything from some of the more spectacular collapses and corporate scandals of recent years, it is that the integrity of governance arrangements must be beyond reproach to preserve the integrity of the whole. When information integrity is such a critical resource, the same principles should apply. And, as is the case with corporate governance, meaningful assurance is best provided by independent, arm’s length assessors such as an independent accredited certification body.”

According to Mr Thiyagalingham, a number of recent developments would indicate that major corporations will soon be travelling the independent assurance route to information security.

One is the release of the most recent Standard for Information Security Management, AS/NZS 7799.2:2003, which provides an internationally recognised framework for developing an effective Information Security Management System (ISMS).

“The latest release enhances the original 2000 Standard,” said Mr Thiyagalingham. “It has now been around long enough for business to be aware of it and get their heads around it. It’s an invaluable tool that can help navigate a notoriously difficult terrain. The fact that a resulting ISMS can be assessed by independent experts, and that the resulting certification is internationally recognised, offers businesses major advantages that they are coming to appreciate.”

Another indicator of the growing emergence of – and demand for – certified information security management systems is its increased uptake by the telecommunications, banking, data management and public sectors.

“This will necessarily have a flow-on effect for suppliers, tenders and partnership relationships. The integrity of interdependent systems is only as sound as its weakest link: there’s no point safeguarding your own information if the next link, or the previous link, is not secure. Organisations are beginning to understand and come to grips with this fact, and to see the value of using certified ISMSs along the chain.”

Information Security Management Systems: the bare facts

The world of information security management is coming out of the too-hard basket and landing in the in-boxes of a wide range of business and other organisations.

This brief guide answers some of the more frequently asked questions about information security management systems, and outlines the steps involved in establishing an ISMS.

A more extensive fact sheet is also available from SAI Global.

Q: What types of organisations need an ISMS?

An ISMS is needed wherever inappropriate use, disposal or disclosure of organisational information may negatively impact on the privacy of customers or other stakeholders, diminish the standing of the organisation or its stakeholders, reveal critical competitor or trading partner information or cause liability under regulation or legislation.

As the availability, volume and interdependencies of information within and between different organisations expands, so does the risk of the above occurring. That’s why demand for a certified ISMS is no longer confined to information technology or records-keeping organisations: it can benefit any industry sector that is subject to risk.

Q: Which part of an organisation should take ownership of the ISMS?

The team managing and implementing an ISMS should be drawn from all levels of management identified as custodians of critical information. Although this will usually integrally involve members of the IT team, an ISMS is emphatically not the sole responsibility of IT.

Q: How do I define the scope of an ISMS?

This is a critical component of creating an effective ISMS. The first step when considering the implementation of an information security system is to define the ‘scope’ of the system. As a starting point, draw a circle around the assets you think should be included, then review what is out of scope.

The test as to scope is whether the organisation can continue operations and maintain an adequate level of security even without the entities out of scope. If this is not possible, it may be wise to rework the scope to include that entity.

The scope of an ISMS can be based around physical sites, functional units (such as IT, HR etc.) or systems. Wherever a specific scope is drawn, the unit, site or system concerned must be able to demonstrate that it is complying with all the requirements of the broader ISMS.

For a visual explanation of this process refer to the diagram entitled, ‘Scoping your ISMS System’.

Q: How do I determine which clients and suppliers should also operate within the scope of an ISMS?

In the inextricably linked supply chain environment that defines so many business relationships, reliance on and sharing of information assets is commonplace. Information Security Managers must then determine how these ‘partners’ fit in the ISMS equation. Essentially, the ‘scoping’ test is a matter of risk. If suppliers’ or clients’ activities come into the primary scope, the security of the information at hand is at unacceptable risk unless they too can demonstrate their compliance. The integrity of the information concerned is only as sound as the weakest link in the chain.
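The scoping test described in the two questions above can be checked mechanically. The following added example (not from the SAI Global guide; the asset names and the dependency map are constructed) walks the critical dependencies of the assets inside the proposed circle and reports every out-of-scope entity they cannot operate without. Each entity it reports must either be brought into scope or, for a client or supplier, demonstrate its own compliance.

```python
from collections import deque


def scope_gaps(in_scope, depends_on):
    """Return out-of-scope entities that in-scope assets cannot run without.

    in_scope:   set of asset names inside the proposed circle
    depends_on: dict mapping an asset to the set of assets or partners it
                cannot operate without (assumed dependency model)
    Returns {entity: set of in-scope assets that ultimately rely on it}.
    """
    gaps = {}
    for root in in_scope:
        seen = set()
        queue = deque([root])
        while queue:
            node = queue.popleft()
            for dep in depends_on.get(node, ()):
                if dep in seen:
                    continue
                seen.add(dep)
                if dep not in in_scope:
                    gaps.setdefault(dep, set()).add(root)
                # keep walking: an out-of-scope dependency may rely on others
                queue.append(dep)
    return gaps


def rework_scope(in_scope, depends_on):
    """Widen the scope until it is self-sufficient, the guide's remedy when
    an in-scope asset cannot operate without an out-of-scope entity."""
    scope = set(in_scope)
    while True:
        gaps = scope_gaps(scope, depends_on)
        if not gaps:
            return scope
        scope |= set(gaps)


# Constructed sample: a payments application drawn into scope that relies on
# an HR-owned identity directory and an external card processor.
SAMPLE_DEPENDENCIES = {
    "payments-app": {"identity-directory", "card-processor"},
    "identity-directory": {"hr-database"},
    "card-processor": set(),
    "hr-database": set(),
}
PROPOSED_SCOPE = {"payments-app"}
```

Running `scope_gaps(PROPOSED_SCOPE, SAMPLE_DEPENDENCIES)` on the sample flags the identity directory, the HR database behind it and the external card processor, so the circle drawn around the payments application alone fails the test.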

Q: What are the usual steps to implement an ISMS?

In the context of AS/NZS 7799.2:2003, an organisation should consider nine specific steps when implementing an ISMS. These are:

  • determining the scope of the system
  • identifying key information assets
  • conducting an asset risk assessment
  • developing a risk mitigation strategy
  • developing a Statement of Applicability
  • preparing a security policy, procedures and work instructions
  • implementing the policies and procedures and ensuring compliance
  • conducting continual maintenance and improvements on the system
  • seeking independent assessment by an ISMS accredited certification body

In operational terms these nine steps could be summarised into four documents:

  • Asset Register
  • Risk Assessment Documentation
  • Statement of Applicability
  • Security Policy

Refer to the flowchart entitled ‘ISMS: Steps to Implementation’ which outlines some of these key stages when developing and implementing an ISMS.

Want to know more?

SAI Global is Australia’s leading ISMS certification specialist. It has been accredited to deliver ISMS certification services by JAS-ANZ. To find out more about the SAI Global ISMS program, or for more detailed information about the steps involved in setting up an ISMS, including gap analysis and self evaluation, auditing, costs, copies of the particular standards involved and so forth email: or visit
