The ISMS contains the standards, management procedures and guidelines that support the Information Security Management policies. Using it in conjunction with an overall framework for managing security helps to ensure that the Four Ps of People, Process, Products and Partners are all considered when defining the requirements for security and control.
As a guide, standards such as ISO 27001 provide a formal benchmark against which an organization can assess or certify its own ISMS. The ISMS covers five main elements:
* Plan
* Implement
* Control
* Evaluate
* Maintain
The plan element identifies and recommends the security measures that will support the requirements and objectives of the organization. SLAs and OLAs, business and organizational plans and strategies, regulatory and compliance requirements (such as privacy acts), and the legal, moral and ethical responsibilities for information security are all taken into account when developing these measures.
The objective of the implement element is to ensure that the appropriate measures, procedures, tools and controls are in place to support the Information Security Policy.
The objectives of the control element of the ISMS are to:
* Ensure the framework is developed to support Information Security Management
* Develop an organizational structure appropriate to support the Information Security Policy
* Allocate responsibilities
* Establish and control documentation.
The evaluate element of the ISMS is focused on ensuring that:
* Regular audits and reviews are performed
* Policy and process compliance is evaluated
* Information and audit reports are provided to management and external regulators if required.
As part of Continual Service Improvement, the maintain element seeks to:
* Improve security agreements as documented in SLAs and OLAs
* Improve the implementation and use of security measures and controls.