Information security management system procedures. What is a modern information security management system

In information technology, ensuring the integrity, reliability and confidentiality of information has become a priority. Recognising the need for an information security management system (ISMS) in an organization is therefore a strategic decision.

The international standard ISO/IEC 27001 (hereafter "the Standard") was developed for the creation, implementation, maintenance and continual improvement of an ISMS in an enterprise. Certification against the Standard also lets an organization demonstrate to external partners that it is able to meet its own information security requirements. This article discusses the main requirements of the Standard and its structure.


Main objectives of the ISO 27001 Standard

Before describing the structure of the Standard, we outline its main objectives and the history of its development.

Objectives of the Standard:

  • establishing uniform requirements for all organizations for creating, implementing and improving an ISMS;
  • ensuring interaction between senior management and employees;
  • maintaining confidentiality, integrity and availability of information.

Moreover, the requirements of the Standard are generic and are intended to apply to any organization, regardless of its type, size or nature of activity.

History of the Standard:

  • In 1995, the British Standards Institution (BSI) adopted the Code of Practice for Information Security Management as a UK national standard and registered it as BS 7799 Part 1.
  • In 1998, BSI published BS 7799-2, the second part of the standard, containing the requirements for an information security management system; the first part remained the code of practice.
  • In subsequent revisions the first part was published as BS 7799-1:1999, and in 1999 this version was submitted to ISO.
  • It was approved in 2000 as the international standard ISO/IEC 17799:2000 (BS 7799-1:2000). The latest version of this standard, adopted in 2005, is ISO/IEC 17799:2005.
  • In September 2002, the revised second part, BS 7799-2:2002 "Information security management systems - Specification with guidance for use", came into force. At the end of 2005 it was adopted by ISO as the international standard ISO/IEC 27001:2005 "Information technology - Security techniques - Information security management systems - Requirements".
  • In 2007, ISO/IEC 17799:2005 was renumbered ISO/IEC 27002:2005 to bring it into the 27000 series.
  • On September 25, 2013, the updated standard ISO/IEC 27001:2013 "Information security management systems - Requirements" was published. At the time of writing, organizations are certified against this version. (A further revision, ISO/IEC 27001:2022, has since been published; its restructured Annex A lists 93 controls grouped into four themes, so control references below follow the 2013 numbering.)

Structure of the Standard

One advantage of the Standard is that it follows the same high-level structure as ISO 9001: identical clause headings, common core text, and shared terms and definitions. This saves time and money, since part of the documentation will already exist if the organization has been certified to ISO 9001.

In terms of structure, the Standard is a list of ISMS requirements that are mandatory for certification and consists of the following sections:

Main sections:

  0. Introduction
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

Annex A (control objectives and controls):

  • A.5 Information security policies
  • A.6 Organization of information security
  • A.7 Human resource security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

The controls in Annex A cannot simply be ignored: every control must be considered during risk treatment, and any control the organization excludes must be justified in the Statement of Applicability (clause 6.1.3). Exclusions are therefore possible, but only with a documented reason.

When implementing the Standard with certification in mind, remember that no exclusions are allowed from the requirements in clauses 4 to 10. These clauses are discussed below.

Let's start with Clause 4, Context of the organization.

Context of the organization

In this clause the Standard requires the organization to determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS. Legal and regulatory requirements and contractual obligations related to information security must be taken into account. The organization must also determine and document the boundaries and applicability of the ISMS in order to establish its scope.

Leadership

Top management must demonstrate leadership and commitment to the information security management system, for example by ensuring that the information security policy and information security objectives are established and compatible with the organization's strategic direction, and by ensuring that the resources needed for the ISMS are available. In other words, it should be evident to employees that management is personally involved in information security.

The information security policy must be documented and communicated to employees. It is the counterpart of the ISO 9001 quality policy: it must be appropriate to the purpose of the organization and must include, or provide a framework for setting, information security objectives. The objectives should be concrete, for example maintaining the confidentiality and integrity of specific categories of information, so that their achievement can actually be checked.

Management is also expected to assign and communicate the roles and responsibilities related to information security.

Planning

This clause corresponds to the first stage of the PDCA (Plan - Do - Check - Act) management cycle.

When planning the ISMS, the organization must consider the issues referred to in Clause 4 and determine the risks and opportunities that need to be addressed to ensure that the ISMS can achieve its intended outcomes, prevent or reduce undesired effects, and achieve continual improvement.

When planning how to achieve its information security objectives, the organization must determine:

  • what will be done;
  • what resources will be required;
  • who will be responsible;
  • when the goals will be achieved;
  • how the results will be assessed.

In addition, the organization must maintain information security objectives as documented information.

Support

The organization must determine and provide the resources needed to establish, implement, maintain and continually improve the ISMS; this covers both personnel and documentation. For personnel, the organization is expected to ensure that the people working on information security are competent, and competence must be demonstrable, for example through certificates, diplomas or training records. Third-party specialists may be engaged under contract, or the organization may train its own employees. Documentation must include:

  • documented information required by the Standard;
  • documented information determined by the organization to be necessary to ensure the effectiveness of the information security management system.

Documented information required by the ISMS and by the Standard must be controlled to ensure that it:

  • is available and suitable for use where and when it is needed, and
  • is adequately protected (for example, against loss of confidentiality, misuse, or loss of integrity).

Operation

This clause corresponds to the second stage of PDCA: the organization must plan, implement and control the processes needed to meet its requirements and carry out the actions determined during planning. It also requires information security risk assessments to be performed at planned intervals and whenever significant changes are proposed or occur, with the results retained as documented information; the risk treatment plan must likewise be implemented and its results retained.

Performance evaluation

The third stage is checking. The organization must evaluate the performance and effectiveness of the ISMS, for example through internal audits at planned intervals that provide information on whether the ISMS:

  1. conforms to
    • the organization's own requirements for its information security management system;
    • the requirements of the Standard;
  2. is effectively implemented and maintained.

The scope, frequency and timing of audits must, of course, be planned in advance, and all results must be documented and retained.

Improvement

This clause defines what to do when a nonconformity is identified: the organization must react to it, correct it and deal with its consequences, then analyse its cause so that it does not recur or occur elsewhere. The nonconformities and the corrective actions taken must be documented.

This concludes the main clauses of the Standard. Annex A provides the more specific control requirements, for example on access control, mobile devices and removable media.

Benefits of ISO 27001 implementation and certification

  • increasing the status of the organization and, accordingly, the trust of partners;
  • increasing the stability of the organization’s functioning;
  • increasing the level of protection against information security threats;
  • ensuring the required level of confidentiality for the information of interested parties;
  • expanding the organization's participation in large contracts.

Economic advantages are:

  • independent confirmation by the certification body that the organization maintains a high level of information security, supervised by competent personnel;
  • evidence of compliance with current laws and regulations (implementation of the system of mandatory requirements);
  • demonstration of a high level of management system maturity, ensuring the proper level of service to the organization's clients and partners;
  • demonstration that management system audits, performance evaluations and continual improvement are carried out regularly.

Certification

An organization may be certified against the Standard by an accredited certification body. The certification process consists of three stages:

  • Stage 1 - the auditor reviews the key ISMS documents for conformity with the requirements of the Standard; this can be done on the organization's premises or by sending the documents to the external auditor;
  • Stage 2 - a detailed on-site audit, including testing of the implemented controls and assessment of their effectiveness, with a full review of the documents required by the Standard;
  • Stage 3 - surveillance audits, performed periodically, to confirm that the certified organization continues to meet the requirements. A certificate is normally valid for three years, after which a recertification audit is required.

Bottom line

As this overview shows, applying the Standard lets an enterprise raise its level of information security in a verifiable way, which is worth a great deal today. The Standard contains many requirements, but the most important one is to actually do what is written: without real application of its requirements, the ISMS turns into an empty pile of paper.

Excerpt from GOST R ISO/IEC 27001-2006 (edition of 27.12.2006)

"INFORMATION TECHNOLOGY. METHODS AND MEANS OF SECURITY. INFORMATION SECURITY MANAGEMENT SYSTEMS. REQUIREMENTS. GOST R ISO/IEC 27001-2006" (approved by Order of Rostekhregulirovanie dated December 27, 2006 N 375-st). Document type: national standard (Russian adoption of ISO/IEC 27001:2005). Issuing authority: Rostekhregulirovanie. Status: in force.

8. Improvement of the information security management system

8.1. Continuous improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions, and management review (see Clause 7).

8.2. Corrective Actions

The organization shall take action to eliminate the causes of nonconformities with the ISMS requirements in order to prevent recurrence. The documented corrective action procedure shall define requirements for:

a) identifying nonconformities;

b) determining the causes of nonconformities;

c) evaluating the need for action to ensure that nonconformities do not recur;

d) identifying and implementing necessary corrective actions;

e) maintaining records of the results of actions taken (see 4.3.3);

f) review of the corrective action taken.

8.3. Preventive Actions

The organization shall determine the action needed to eliminate the causes of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The documented preventive action procedure shall define requirements for:

a) identifying potential nonconformities and their causes;

b) assessing the need for action to prevent nonconformities from occurring;

c) identifying and implementing the necessary preventive action;

d) recording the results of the action taken (see 4.3.3);

e) analysis of the results of the action taken.

The organization shall identify changed risks and establish preventive action requirements, paying particular attention to risks that have changed significantly.

Priorities for implementation of preventive actions should be determined based on the results of the risk assessment.

NOTE: Action to prevent nonconformities is usually more cost-effective than corrective action taken afterwards.


    BS ISO/IEC 27001:2005 describes a model of an information security management system (ISMS) and sets out requirements for organizing information security in an enterprise without prescribing the methods by which the organization's staff implement them.

    The standard applies the PDCA (Plan-Do-Check-Act) model to the ISMS life cycle, which covers establishing, implementing, operating, monitoring, reviewing, maintaining and improving the ISMS (Figure 1).

    Plan - establish the ISMS: inventory the assets, assess the risks and select controls;

    Do - implement and operate the selected controls;

    Check - assess the performance and effectiveness of the ISMS, typically by internal auditors;

    Act - take corrective and preventive actions.

    The decision to create (and subsequently certify) an ISMS is made by the top management of the organization. This demonstrates management support and confirmation of the value of the ISMS to the business. The management of the organization initiates the creation of an ISMS planning group.

    The group responsible for planning the ISMS should include:

    · representatives of the organization's top management;

    · representatives of business units covered by the ISMS;

    · specialists of information security departments;

    · third-party consultants (if necessary).

    An information security committee supports the operation of the ISMS and its continual improvement.

    The working group should be guided by the regulatory and methodological framework, both for ISMS creation and for the organization's field of activity, and of course by applicable national law.

    Regulatory framework for creating an ISMS:

    · ISO/IEC 27000:2009 Overview and vocabulary.

    · ISO/IEC 27001:2005 ISMS requirements.

    · ISO/IEC 27002:2005 Code of practice for information security management.

    · ISO/IEC 27003:2010 ISMS implementation guidance.

    · ISO/IEC 27004:2009 Information security management - Measurement.

    · ISO/IEC 27005:2011 Information security risk management.

    · ISO/IEC Guide 73:2002 Risk management - Vocabulary - Guidelines for use in standards.

    · ISO/IEC 13335-1:2004 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management.

    · ISO/IEC TR 18044:2004 Information technology - Security techniques - Information security incident management.

    · ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing.

    · The British Standards Institution series of guidance documents on creating an ISMS (formerly the PD 3000 series).

    The process of creating an ISMS consists of 4 stages:

    Stage 1. ISMS planning.

    Establishing the policy, objectives, processes and procedures related to risk management and information security, consistent with the organization's overall policy and goals.

    a) Defining the scope and boundaries of the ISMS:

    · Description of the type of activity and business goals of the organization;

    · Indication of the boundaries of the systems covered by the ISMS;

    · Description of the organization's assets (types of information resources, software, technical means, staff and organizational structure);

    · Description of business processes that use protected information.

    Description of system boundaries includes:

    Description of the existing structure of the organization (including changes that may arise from development of the information system).

    Information system resources to be protected (computing hardware, information, system and application software). To evaluate them, a system of criteria and a methodology for obtaining estimates against these criteria (categorization) must be selected.

    Information processing technology and problems to be solved. For the tasks to be solved, information processing models must be built in terms of resources.

    Diagram of the organization's information system and supporting infrastructure.

    As a rule, at this stage a document is drawn up that fixes the boundaries of the information system, lists the company's information resources that are subject to protection, and sets out the criteria and method for assessing the value of the company's information assets.

    b) Defining the organization's ISMS policy (extended version of the SDS).

    · Goals, directions and principles of activity regarding information security;

    · Description of the risk management strategy (approaches) in the organization, with information protection countermeasures structured by type (legal, organizational, hardware and software, engineering and technical);

    · Description of risk significance criteria;

    · Position of management, determination of the frequency of meetings on information security topics at the management level, including periodic review of the provisions of the information security policy, as well as the procedure for training all categories of users of the information system on information security issues.

    c) Determine the approach to risk assessment in the organization.

    The risk assessment methodology is selected according to the scope of the ISMS, the business requirements for information security, and legal and regulatory requirements.

    The choice of methodology depends on the level of requirements placed on the information security regime in the organization, the nature of the threats considered (the range of threat impacts) and the effectiveness of potential countermeasures. In particular, baseline, enhanced or full requirements may be placed on the regime.

    The minimum requirements for the information security regime correspond to the baseline level of information security. Such requirements are normally applied to standard design solutions. A number of standards and specifications define a minimum (typical) set of the most likely threats, such as malware, hardware failures and unauthorized access. Countermeasures against these threats must be in place regardless of how likely each threat is for a particular resource or how vulnerable that resource is; at the baseline level, therefore, the characteristics of individual threats need not be analysed. Foreign sources for this level include ISO/IEC 27002, the BSI catalogues and NIST publications.

    In cases where violations of the information security regime lead to serious consequences, additional increased requirements are imposed.

    To formulate the additional, enhanced requirements it is necessary to:

    Determine the value of resources;

    Add to the standard set a list of threats relevant to the information system under study;

    Assess the likelihood of threats;

    Identify resource vulnerabilities;

    Assess the potential damage from the influence of intruders.

    The risk assessment methodology must be usable on an ongoing basis with minimal changes. There are two options: use the methods and tools available on the market, or create an in-house methodology adapted to the company and to the area of activity covered by the ISMS.

    The latter is often preferable, because many of the products on the market that implement a risk analysis technique do not fully meet the requirements of the Standard. Typical shortcomings of such products are:

    · a fixed set of threats and vulnerabilities that often cannot be changed;

    · treating only software, hardware and information as assets, ignoring people, services and other important resources;

    · the overall complexity of the technique, which makes sustained, repeated use difficult.

    · Criteria for accepting risk and acceptable levels of risk (these must be derived from the organization's strategic, organizational and management goals).

    d) Risk identification.

    · Identification of assets and their owners

    Information inputs;

    Information output;

    Information records;

    Resources: people, infrastructure, equipment, software, tools, services.

    · Threat identification (risk assessment standards often propose classes of threats that can be supplemented and expanded).

    · Vulnerability identification (there are also lists of the most common vulnerabilities that you can rely on when analyzing your organization).

    · Determination of the value of assets (possible consequences of loss of confidentiality, integrity and availability of assets). Information about the value of an asset can be obtained from its owner or from a person to whom the owner has delegated all authority over the asset, including ensuring its security.

    e) Risk assessment.

    · Assessing the damage that can be caused to a business from loss of confidentiality, integrity and availability of assets.

    · Assessing the likelihood of threats being realised through the existing vulnerabilities, taking into account the information security controls already in place;

    · Determining the level of risk.

    · Applying the risk acceptance criteria (acceptable / requiring treatment).

    f) Risk treatment (in accordance with the selected risk management strategy).

    Possible actions:

    Passive actions:

    Risk acceptance (a decision that the resulting level of risk is acceptable);

    Risk avoidance (a decision to change the activity that gives rise to the risk, for example moving the web server out of the internal local network);

    Active actions:

    Risk reduction (organizational and technical countermeasures);

    Risk transfer (for example insurance against fire, theft or software errors).

    The choice between these actions depends on the adopted risk criteria, which specify the acceptable level of risk, the risk levels that can be reduced by information security controls, the risk levels at which the activity causing the risk should be abandoned or transformed, and the risks that should preferably be transferred to other parties.

    g) Selecting objectives and controls for risk treatment.

    Goals and controls must implement the risk management strategy, take into account the criteria for accepting risks and legislative, regulatory and other requirements.

    ISO/IEC 27001:2005 provides a catalogue of control objectives and controls (Annex A) as the basis for building the risk treatment plan.

    The risk treatment plan contains a list of priority measures to reduce risk levels, indicating:

    · the persons responsible for implementing these measures and the means to do so;

    · timing of implementation of activities and priorities for their implementation;

    · resources for the implementation of such activities;

    · levels of residual risks after implementation of measures and controls.

    The risk treatment plan is adopted, and its implementation monitored, by the organization's top management. Completion of the key activities in the plan is the criterion for deciding to put the ISMS into operation.

    At this stage the choice of countermeasures is justified and structured by level: regulatory, organizational and managerial, technological, and hardware/software. (The set of countermeasures is then implemented in accordance with the chosen information risk management strategy.) In a full risk analysis the effectiveness of the countermeasures is additionally assessed for each risk.

    h) Management approval of the proposed residual risk.

    i) Obtaining management approval for the implementation and commissioning of the ISMS.

    j) Statement of Applicability (in accordance with ISO/IEC 27001:2005).

    The date the ISMS is put into operation is the date on which the company's top management approves the Statement of Applicability, which describes the control objectives and controls the organization has chosen to manage its risks:

    · management and control tools selected at the risk treatment stage;

    · management and control tools already existing in the organization;

    · means to ensure compliance with legal requirements and requirements of regulatory organizations;

    · means to ensure the fulfillment of customer requirements;

    · means to ensure compliance with general corporate requirements;

    · any other appropriate control objectives and controls.
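    Steps d) to j) above, worked through in code. This is an added example and is not part of the original text or of the standard. The 1-5 scales, the risk = asset value x likelihood formula, the acceptance threshold of 6, the sample assets, threats and vulnerabilities, and the handful of control references (ISO/IEC 27001:2013 Annex A numbering) are all assumptions made for the illustration.

```python
"""Worked ISMS risk register: identification, assessment, treatment and a
Statement of Applicability. Added example; the scales, the threshold, the
sample assets and the control catalogue excerpt are assumptions, not taken
from the standard."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACCEPTABLE_RISK = 6  # assumed acceptance criterion approved by management

# Assumed excerpt of a control catalogue (ISO/IEC 27001:2013 Annex A numbering).
ANNEX_A_SAMPLE: Dict[str, str] = {
    "A.9.2.3": "Management of privileged access rights",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.13.1.3": "Segregation in networks",
}


@dataclass
class Asset:
    """Step d): an asset, its owner and the damage (1-5) from losing C, I or A."""
    name: str
    owner: str
    confidentiality: int
    integrity: int
    availability: int

    @property
    def value(self) -> int:
        # Asset value is the worst-case consequence across the three properties.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Risk:
    """One threat/vulnerability pair against an asset."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1-5, already taking existing controls into account
    treatment: str = "accept"  # accept | reduce | avoid | transfer
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None

    @property
    def level(self) -> int:
        """Step e): risk level = asset value x likelihood."""
        return self.asset.value * self.likelihood

    @property
    def residual_level(self) -> int:
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return self.asset.value * lk


def decide(risk: Risk) -> str:
    """Apply the acceptance criterion to the inherent risk level."""
    return "accept" if risk.level <= ACCEPTABLE_RISK else "treat"


def treat(risk: Risk, treatment: str, controls: List[str], residual_likelihood: int) -> int:
    """Steps f) and g): record the chosen option and controls; return the residual level."""
    risk.treatment = treatment
    risk.controls = list(controls)
    risk.residual_likelihood = residual_likelihood
    return risk.residual_level


def residual_needing_approval(risks: List[Risk]) -> List[Risk]:
    """Step h): residual risks still above the criterion need explicit
    management approval before the ISMS goes live."""
    return [r for r in risks if r.residual_level > ACCEPTABLE_RISK]


def statement_of_applicability(risks: List[Risk], catalogue: Dict[str, str]) -> Dict[str, dict]:
    """Step j): every catalogue control is either selected (with the assets whose
    risks justify it) or excluded with a recorded justification."""
    soa = {}
    for cid, title in catalogue.items():
        users = [r.asset.name for r in risks if cid in r.controls]
        soa[cid] = {
            "title": title,
            "applicable": bool(users),
            "justification": ("selected by risk treatment for: " + ", ".join(users))
            if users else "no identified risk requires it; re-examine at next assessment",
        }
    return soa


def build_sample_register() -> List[Risk]:
    """Constructed sample data, not a real organization's register."""
    crm = Asset("customer database", "Head of Sales", 5, 4, 3)
    hr = Asset("HR file share", "HR Director", 4, 3, 2)
    printer = Asset("office printer", "Office Manager", 1, 1, 2)
    risks = [
        Risk(crm, "external attacker", "unpatched CMS on the public web server", likelihood=4),
        Risk(hr, "ransomware", "no offline backup copies", likelihood=3),
        Risk(printer, "hardware failure", "no maintenance contract", likelihood=3),
    ]
    # Inherent levels are 20, 12 and 6; only the printer risk passes the criterion.
    treat(risks[0], "reduce", ["A.12.6.1", "A.13.1.3"], residual_likelihood=1)  # residual 5
    treat(risks[1], "reduce", ["A.12.3.1"], residual_likelihood=2)              # residual 8, still above 6
    return risks


if __name__ == "__main__":
    register = build_sample_register()
    for r in register:
        print(f"{r.asset.name:18} inherent={r.level:2} {decide(r):6} "
              f"{r.treatment:7} residual={r.residual_level}")
    print("needs management approval:", [r.asset.name for r in residual_needing_approval(register)])
    for cid, row in statement_of_applicability(register, ANNEX_A_SAMPLE).items():
        print(cid, "applicable" if row["applicable"] else "excluded  ", "-", row["justification"])
```

    The point of `residual_needing_approval` is step h): the HR file share risk stays above the criterion even after the backup control, so it cannot silently disappear from the register; it is listed for an explicit sign-off. The Statement of Applicability records a justification for the excluded controls as well as the selected ones, which is what an auditor will ask for.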

    Stage 2. Implementation and operation of ISMS.

    To implement and operate information security policy, controls, processes and procedures in the field of information security, the following actions are performed:

    a) Development of the risk treatment plan: a description of the planned controls, the resources (software, hardware, personnel) required to implement, support and monitor them, and management's responsibilities for information security risk management (preparing the planning-stage documents, supporting the information security objectives, defining roles and responsibilities, providing the resources needed to create the ISMS, auditing and review).

    b) Allocation of funding, roles and responsibilities for implementation of the risk treatment plan.

    c) Implementation of planned controls.

    d) Definition of performance indicators (metrics) for the controls, and of measurement methods that give comparable and reproducible results.

    e) Improving the qualifications and awareness of personnel in the field of information security in accordance with their job responsibilities.

    f) Management of ISMS operation, management of resources to maintain, control and improve the ISMS.

    g) Implementation of procedures and other controls to quickly detect and respond to information security incidents.

    Stage 3. Constant monitoring and analysis of the functioning of the ISMS.

    The stage consists of assessing or measuring key process performance indicators, analysing the results and reporting them to management for review. It includes:

    a) Continuous monitoring and review, which allows errors in ISMS operation to be detected promptly, security incidents to be identified and handled quickly, the roles of personnel and automated systems in the ISMS to be distinguished, incidents to be prevented by analysing unusual behaviour, and the effectiveness of incident handling to be determined.

    b) Regular reviews of ISMS effectiveness (compliance with the ISMS policy and objectives, audit results, key performance indicators, suggestions and feedback from stakeholders).

    c) Measuring the effectiveness of controls to verify that the protection requirements are met.

    d) Periodic reassessment of risks, and review of residual risks and acceptable risk levels, whenever the organization changes (business goals and processes, identified threats, newly discovered vulnerabilities, etc.).

    e) Periodic internal audits of the ISMS.

    An ISMS audit checks that the selected countermeasures match the business goals and objectives declared in the organization's information security policy; based on its results, residual risks are assessed and, if necessary, optimised.

    f) Regular review by management of the ISMS scope and of trends.

    g) Updating the risk treatment plans to reflect the results of monitoring and review.

    h) Recording events that had a negative impact on the effectiveness or quality of the ISMS.

    Stage 4. Maintenance and improvement of the ISMS.

    Based on the results of internal ISMS audits and management review, corrective and preventive actions are developed and implemented with the aim of continuously improving the ISMS:

    a) Improving the information security policy and information protection objectives, conducting audits and analyzing observed events.

    b) Developing and implementing corrective and preventive actions to eliminate non-conformities of the ISMS with the requirements.

    c) Monitoring ISMS improvements.


    "Information Security Management System"


    Introduction

    An information security management system is a set of processes operating within a company to ensure the confidentiality, integrity and availability of its information assets. The first part of this abstract discusses the process of implementing such a management system in an organization and presents the main benefits of implementing an information security management system.

    Fig. 1. Management cycle

    A list of the processes, and recommendations on how best to organize their operation, are given in the international standard ISO 27001:2005, which is based on the Plan-Do-Check-Act management cycle. According to it, the ISMS life cycle consists of four types of activity: Establishment - Implementation and operation - Monitoring and review - Maintenance and improvement (Fig. 1). This standard is discussed in more detail in part two.

    Information security management system

    An information security management system (ISMS) is that part of the overall management system which, based on a business risk approach, establishes, implements, operates, monitors, reviews, maintains and improves information security. ISMS processes are created in accordance with the requirements of ISO/IEC 27001:2005, which is based on the PDCA cycle.

    The operation of the system is based on the approaches of modern risk management theory, which allows it to be integrated into the organization's overall risk management system.

    Implementing an information security management system means developing and putting into practice a procedure for systematically identifying, analyzing and mitigating information security risks, that is, risks whose realization would cause information assets (information in any form and of any nature) to lose confidentiality, integrity or availability.

    To ensure systematic mitigation of information security risks, the following processes are implemented in the organization on the basis of the risk assessment results:

    · Management of the internal organization of information security.

    · Ensuring information security when interacting with third parties.

    · Maintaining the register of information assets and the rules for classifying them.

    · Equipment security management.

    · Ensuring physical security.

    · Personnel information security.

    · Planning and acceptance of information systems.

    · Backup.

    · Ensuring network security.

    Information security management system processes affect all aspects of managing an organization's IT infrastructure, since information security is the result of the sustainable functioning of processes related to information technology.

    When building an ISMS in a company, specialists carry out the following work:

    · organize project management and form a project team from the customer's and the contractor's staff;

    · define the scope of the ISMS;

    · survey the organization within the ISMS scope:

    o in terms of its business processes, including an analysis of the negative consequences of information security incidents;

    o in terms of its management processes, including existing quality management and information security management processes;

    o in terms of its IT infrastructure;

    o in terms of its information security infrastructure.

    · develop and approve an analytical report containing a list of the main business processes and an assessment of the consequences for them of information security threats being realized, a list of management processes, IT systems and information security subsystems, an assessment of how fully the organization meets the requirements of ISO 27001, and an assessment of the maturity of the organization's processes;

    · select the initial and target ISMS maturity levels, develop and approve an ISMS Maturity Improvement Program, and develop high-level information security documentation:

    o the information security concept,

    o the information security and ISMS policies;

    · select and adapt a risk assessment methodology applicable to the organization;

    · select, supply and deploy software for automating ISMS processes, and organize training for the company's specialists;

    · assess and treat risks, in the course of which controls from Annex A of ISO 27001 are selected to reduce them, requirements for their implementation in the organization are formulated, and technical information security measures are preliminarily selected;

    · develop preliminary designs of the information security subsystems and estimate the cost of risk treatment;

    · obtain approval of the risk assessment from the organization's top management, develop the Statement of Applicability, and develop organizational information security measures;

    · develop and implement technical projects for the information security subsystems that support the selected controls, including equipment supply, commissioning, preparation of operational documentation and user training;

    · provide consulting during operation of the ISMS that has been built;

    · train internal auditors and conduct internal ISMS audits.

    The result of this work is a functioning ISMS. The benefits of implementing an ISMS in the company are achieved through:

    · effective management of compliance with legal and business requirements in the field of information security;

    · preventing information security incidents and reducing the damage when they do occur;

    · improving the organization's information security culture;

    · increasing maturity in information security management;

    · optimizing information security spending.

    ISO/IEC 27001 - international information security standard

    This standard was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It contains information security requirements for establishing, developing and maintaining an ISMS. ISO 27001 specifies requirements for an ISMS in order to demonstrate an organization's ability to protect its information assets. The standard uses the term "information security" and interprets it as preservation of the confidentiality, integrity and availability of information. The basis of the standard is a system for managing information-related risks. The standard can also be used by internal and external stakeholders to assess conformity.

    To create, implement, operate, continuously monitor, analyze, maintain and improve the information security management system (ISMS), the standard adopts a process approach. It consists of the application of a system of processes within an organization, together with the identification and interaction of these processes, as well as their management.

    The international standard adopts the Plan-Do-Check-Act (PDCA) model, also called the Shewhart-Deming cycle. This cycle is used to structure all ISMS processes. Figure 2 shows how the ISMS takes information security requirements and stakeholder expectations as input and, through the necessary actions and processes, produces information security results that meet those requirements and expectations.

    Plan: the phase of establishing the ISMS, taking an inventory of assets, assessing risks and selecting controls.

    Figure 2. PDCA model applied to ISMS processes

    Do: the phase of implementing and operating the selected controls.

    Check: the phase of assessing the effectiveness and performance of the ISMS, usually carried out by internal auditors.

    Act: taking preventive and corrective actions.

    Conclusion

    ISO 27001 describes a general model for implementing and operating an ISMS, as well as for monitoring and improving it. ISO intends to harmonize the various management system standards, such as ISO 9001:2000, which deals with quality management, and ISO 14001:2004, which deals with environmental management systems. ISO's goal is consistency and integration of the ISMS with the company's other management systems. The similarity of the standards allows similar tools and functions to be used for implementation, management, review, verification and certification. The implication is that if a company has already implemented other management standards, it can use a unified audit and management system that applies to quality management, environmental management, security management, etc. By implementing an ISMS, senior management gains the means to monitor and manage security, which reduces residual business risks. Once an ISMS is implemented, the company can formally ensure information security and continue to meet the requirements of customers, legislation, regulators and shareholders.

    It is worth noting that the Russian national standard GOST R ISO/IEC 27001-2006 is an identical translation of the international standard ISO/IEC 27001:2005.

