An information security management system (ISMS) is a formal, controlled set of processes and procedures
dealing with the management of information security within an organization. The implementation of an ISMS
is a key step that any organization in possession of valuable information assets should consider. This article
offers an overview of the implementation process and explains the benefits of an ISMS.
1 Why implement an ISMS?
An ISMS offers a number of significant benefits to both the organization and its customers.
a. It ensures suitable security controls are in place: The intensive risk assessment and other processes
involved in implementing the ISMS help to verify that security controls and strategies are
appropriate, cost effective, and prioritized to address the core security needs of the organization.
b. It demonstrates a commitment to security best practice: The existence of an ISMS is a powerful
demonstration to an organization's customers of its commitment to information security. Customers
can be confident that an ISMS-compliant organization understands and implements industry best practice. Certification of the ISMS provides independent and unbiased evidence of this compliance.
c. It ensures compliance with third-party obligations: Many organizations have external
responsibilities with regard to the data in their possession. These may concern privacy, intellectual
property or data ownership, or, in an increasingly regulated environment, legal issues. An ISMS can greatly
assist an organization in the fulfillment of such requirements.
2 Planning your ISMS
The thoroughness of the planning phase is vital to the ultimate effectiveness of the ISMS itself. A realistic and
detailed plan should be prepared and agreed to, against which performance should be measured at every step
of the implementation. This will ensure the process remains on track and that the ISMS ultimately addresses
the required issues. The plan should also be open to review and reassessment in the light of experience. This
will help ensure it retains the flexibility needed to meet the continuously changing requirements of most
It is essential to ensure management involvement and commitment at, or preferably before, the planning
phase. This is critical for later success, as decision makers will be involved not only in financing the
ISMS but will also play a key ongoing role in its implementation. The involvement of management from an early
stage will help to ensure that adequate resources are made available for the development of the ISMS.
It is also important to involve all related departments in the ISMS process. It is a common misconception that
information security is the sole preserve of the IT department, whereas in fact it usually has implications
throughout an organization. For example, HR departments will often have a critical role in spreading
awareness of the ISMS, while those responsible for the physical security of the building will be involved with
issues such as physical access control and the relocation of assets. At a more fundamental level, every
individual who uses the IT infrastructure will be affected in some way by the ISMS.
Knowledge relevant to ISMS implementation may already exist within an organization. For
example, there may be an existing quality management system (QMS). Where this is the case, the relevant skills,
knowledge and experience should be leveraged to ease the implementation process and reduce its cost.
The final major aspect of the planning phase is getting to grips with the standards and processes involved.
This will involve the new system's owners familiarizing themselves with documentation such as the
International Organization for Standardization's ISO/IEC 27000 series, and the Information Security Forum's
Standard of Good Practice. If certification is the goal, consultation with a...