Learn

October 18, 2023

4 Minute Read

ISMS: Information Security Management Systems Explained

By Muhammad Raza

One of the best ways to mitigate security incident risk is to have a system. Devising and enforcing policies that you can address systematically is key. After all, it is inadequacies in technologies, people and processes that increase your risk. Examples of these inadequacies include:

Backdoors and viruses in the tech stack
The human element and its vulnerability to social engineering
A lack of governance for vetting new tools for security

To address these shortcomings, organizations can establish a systematic framework plus policies for information security. Together, this is called the Information Security Management System (ISMS).

What is ISMS?

Information Security Management Systems (ISMS) is the name for policies and procedures that enable organizations to systematically manage information security. You can define your ISMS policies using industry standard frameworks such as ISO-27001, which provides generic requirements and guidelines.

You can further adjust these guidelines using your organization’s specific InfoSec needs and expectations. Then, you can continually improve by following industry standards and best practices.

Phases in successful InfoSec Management Systems

Here are the key focus areas, or phases, for standardizing your InfoSec systems. Feel free to treat these phases as a sort of maturity model.

1. Context

The guideline adds a strategic context to the decision-making process of information security policies and investments. The first step is to identify the stakeholders — including internal and external users, partners and consumers — and the issues most relevant to their information security requirements.

The scope also highlights the importance of processes and activities: how interactions between users and systems affects the information security performance of the organization.

2. Leadership

Stakeholder commitment, especially among decision makers and top executives, is instrumental to an effective ISMS program. The objectives of the program should be aligned with:

Business goals
Customer expectations
Regulatory compliance requirements
Evolving cybersecurity landscape (future thinking)

The leadership should be onboarded for commitments including policy approvals, budget allocation, new roles and responsibility assignments, partnership agreements and communications with the concerned authorities.

(Learn about the CISO role: chief information security officer & get the latest CISO trends.)

3. Planning

The Planning phase narrows down pertinent issues and guides decision makers to the opportunities and challenges associated. Organizations plan to mitigate the risks as they integrate and implement new policies into their ISMS framework.

Evaluate the outcome of every process change and action against known benchmarks. These may include KPIs specified by the Service Level Agreements (SLAs) as well as a variety of business and security centric KPIs.
Identify and assign the roles of Risk Owners with defined responsibilities to appropriate experts within your organization.
Adopt a risk treatment process to ensure all necessary controls are in place. Streamline and automate these controls where applicable.

(See how SOAR helps with security automation.)

4. Support

The ISMS may require you to adopt additional resources, expertise, processes, documentation and tooling. ISO 27001 outlines a set of guidelines to optimize support across all of these domains — focus on the impact of individual choices on your InfoSec performance.

Baseline improvements are attributed to company-wide security education, training and awareness programs, as well as documentation that allows decision makers to track, monitor and improve all areas of the planning and support. The framework discusses in detail the guidelines on creating, updating and improving documentation necessary for information security planning, operations and external communications.

(Stay up to date with these InfoSec conferences & events, expert-recommended security reading & security podcasts.)

5. Operation

In the Operation phase, you’ll focus on the process of information security, how it is managed, controlled, documented, evaluated and improved using the available planning guidelines and support capabilities.

You’ll need to establish a criteria for processes and then implement the control actions based on this criteria. The controls are focused particularly on mitigating any unintended and adverse consequences of operational changes that may occur during the operation phase.

Assess this risk periodically. Document any risk treatment activity for future reference — including continual improvement of the ISMS plan.

6. Performance evaluation

ISO-270001 emphasizes continual improvement through monitoring and measurement. Your ISMS policies define a few items in support of this:

What needs to be measured
The individuals and teams in charge of monitoring
The evaluation and analysis itself

When evaluating your performance, you can also look at your historic and industry benchmarks. An internal audit program and management review can help you evaluate the results from different strategic viewpoints and functions.

7. Improvement

Performance evaluation outcomes are communicated to decision makers and ISMS program owners. Continual improvement plan is aligned with the framework guidelines by:

Keeping track of nonconformities.
Implementing corrective actions.
Evaluating performance of the changes
Documenting the changes.
Updating the ISMS policy guide for users.

At this phase, decision makers may specify and prioritize important metrics and KPIs governing information security performance evaluation.

InfoSec best practices

Another framework, the ISO/IEC 27002:2022 guideline provides detailed reference best practices in context of the ISO/IEC 27001:2022 framework. The ISO 27002 describes the control actions a generic implementation guideline in context of the ISO 27001 framework.

These guides are based on well-established industry best practices and can be adapted to meet organization-specific requirements for your own implementation.

See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.

This posting does not necessarily represent Splunk's position, strategies or opinion.

Muhammad Raza

Muhammad Raza is a technology writer who specializes in cybersecurity, software development and machine learning and AI.

Learn 8 Min Read

What is a Data Architect? Responsibilities, Skills & Salary Explored

Explore the role of data architects: designing data infrastructure, ensuring security, and optimizing data utilization for modern businesses.

Learn 4 Min Read

The OCSF: Open Cybersecurity Schema Framework

Sharing security data with other organizations? Yes, that’s precisely what the OCSF aims to do. Learn why it’s important and how the OCSF is doing it.

Learn 5 Min Read

Machine Data: An Introduction

This blog post will explore what machine data is, how it’s used, common examples of machine data, why it’s important and more.

About Splunk

The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.

Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.

Learn more about Splunk