What is Information Security Management

An information security management system (ISMS) is a set of policies, procedures and processes for systematically managing an organization's sensitive and critical assets. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach or of a violation of a regulatory obligation.

An ISMS typically addresses all risks to critical assets, including employees, processes, data and technology. It can be targeted at a particular category of data, such as customer data (the approach taken in traditional risk management), or it can be implemented comprehensively so that it becomes part of the company's culture (the approach taken in enterprise risk management).

When developing an ISMS, a large amount of material goes into compiling a comprehensive program. However, three common frameworks form the basis of most ISMS programs:

International Organization for Standardization – ISO/IEC 27001, Information Security Management Systems – Requirements (ISO 27001).

National Institute of Standards and Technology – Special Publication 800-37, Risk Management Framework (NIST RMF).

Committee of Sponsoring Organizations of the Treadway Commission – Enterprise Risk Management Framework (COSO ERM).