SIG-ISM (Information Security Management) Working Group 2 is focusing on creating guidance on setting up and running an ISMS (information security management system) for NRENs.
This working group was set up in 2016 and is currently led by Robert Tofte (CISO, NORDUnet).
The mailing list of this working group is <email@example.com>
This is a closed confidential mailing list. If you would like to subscribe and join the working group, please contact Sigita Jurkynaite <firstname.lastname@example.org>
How to prepare the organisation for starting an implementation of an ISMS.
This section will discuss what needs to be in place before starting an implementation of an ISMS.
When looking at security management, ISO 27001 comes into view. This standard describes all the aspects of security management that need to be in place when an organization wants to be certified for information security management. Though this standard covers all aspects of security management and therefore provides good guidance, it is not a comfortable standard for implementing quality management processes. You would prefer to integrate quality management closely into your working processes, both operational and managerial. The schematic below illustrates how this can be done in a way that is both complete in terms of the ISO standard and recognizable for day-to-day operations.

The upper part of the schematic (blue blobs) specifies the company-wide processes. In some organizations the responsibility for information security for products and services is distributed within the organization to product teams, departments or business lines. That is illustrated in the lower part (light yellow blobs) of the schematic. If you use a centralised approach for information security, you only have to look at the upper part of the schematic. The chapters of ISO 27001 can be mapped onto this schematic (illustrated in the second sheet of the set linked to below).
All items in this schematic are detailed on separate pages. Details of the mapping onto ISO 27001 can also be added on these pages.
- Information Security Policy
- Risk Analysis
- Organization wide controls
- Annual Planning
- Operate: Implementation of controls
- Performance evaluation: audits and benchmarks