Information Security Management System is a management system related to the implementation of information security in an organization which includes the activities of designing, implementing, and maintaining an integrated series of processes and systems to effectively manage information security, especially the confidentiality, integrity, and availability of information assets while minimizing risk. that accompanies it.
ISMS development and preparation generally use standards or frameworks such as ISO27001, NIST, PCI DSS, etc. The problem is that the frameworks used in information security management systems are generally in the form of information in long, tedious, and often confusing PDF documents. To make the cybersecurity framework easier to understand, we have separated it into three categories, including control framework (control framework), program framework (program framework), and risk framework (risk framework).
Imagine as if a chef is about to cook a meal. Before starting to cook, the chef must first compile a list of ingredients, so we call this a control framework. After that, the chef must determine the recipe for compiling these ingredients to be cooked into food, which we call the program framework (program framework). Finally, the chef must know how to present the food in terms of what experience the customer wants when eating it, this we call the risk framework.
Information Security Management System Framework
Below are 3 categories of cybersecurity frameworks or information security frameworks that we can use as a guide in the process of developing an information security management system in your organization:
Frameworks within the scope of this category include NIST 800-53 and CIS Control (CSC). When an organization wants to implement an information security management system, the organization's condition is usually relatively immature from the perspective of IT governance and security. An easy step that is generally taken is to determine the basic set of controls to apply. Control framework to do the following:
Carry out the process of identifying the control set that will become the baseline.
Implement existing condition assessment activities related to technical capabilities.
Carry out the process of prioritizing the implementation of controls.
Then develop an initial roadmap for the IT Security Team.
NIST SP 800-53 is a very complete catalog of controls related to security and privacy controls, these controls can be implemented based on priority or baseline security controls (low impact, moderate impact, or high impact). On the other hand, CIS Control has published about 20 common and most widely used security controls. CIS control is applied in many government agencies in the United States.
Program Framework (Program Framework)
Frameworks or frameworks that fall into this category for example are ISO 27001 and NIST Cybersecurity Framework. Generally, framework programs are used for the following:
Assess the overall condition of the security program that exists within the organization
Establish and develop a comprehensive security program
Measurement of maturity levels and comparing them to similar industry standards
Simplify the communication process with business leaders
The ISO27001 standard is one of the ISO series for Information Security Management System standards that focuses on developing security programs, including organizational context, leadership, planning, support, documentation, operations, performance appraisal, and continuous improvement.
The NIST Cybersecurity Framework assists us in developing an information security management system through the stages of the process: identification, protection, detection, response, and recovery. It consists of 3 parts: core, implementation tiers, and profile — and defines a common language for dealing with risk. This helps organizations answer the question: what do we do now? where are you going? How to? and when?
This category includes frameworks: NIST 800-39, 800-37, 800-30, ISO 27005, and FAIR. The risk framework enables us to ensure that the information security program is managed in a way that is beneficial to the organization's stakeholders and helps in determining how to prioritize security activities. The risk framework is used to do the following:
Determine the key or important stages in assessing and managing risk
Realizing the structuring of risk management programs
Carry out the process of identifying, measuring, and quantifying risks
Prioritize security activities
NIST Security has a well-known risk framework, namely: NIST SP 800-39 (defines the overall risk management process), NIST SP 800-37 (the risk management framework for federal information systems), and NIST SP 800-30 (risk assessment progress ). Then ISO 27005 defines a systematic approach to managing risk for organizations, while FAIR is an international standard supported by two organizations that focus on information security.
How to Start an Information Security Management System?
Top Management with the support of the IT Team can take the following steps to start finding out the right security framework for their information security management system, among others in the following ways:
Immediate action: Immediately carry out the process of identifying a suitable cybersecurity framework for use in the organization.
The first three-month stage: Immediately implement the ISMS and evaluate in three months how the framework can provide strength in terms of IT security and performance then map each other to meet compliance and regulatory objectives.
Next six-month stage: Implement an updated security program plan to take advantage of each of the three framework categories, and disseminate the plan with technical, operational, and executive leaders.
In fact, in the process of finalizing an IT security program, we can select one or more frameworks from each category to be used together to improve the overall state of IT security activities within the organization.