information security management systems

Posted 14-Apr-2018

7/27/2019 Information security management systems

Information Security Management: it seems more complicated than it is
By Jacques A. Cazemier

Introduction

There is a difference between the management effort to keep information security up to standard and information security management. The first is aimed at keeping information processing adequately secured; the latter uses ISO 27001 and is aimed at auditors.

In this article the practice of management of information security is explained, both to the business side of the organization and to IT. It is shown that, using existing processes and information, there is no need to extend the organization for the information security management system. To make it easier to relate to practices and processes in IT, ITIL is used to provide context. This article is based on my book Information Security Management with ITIL V3 (ISBN 978-90-8753-552-0) and on experiences thereafter.

Throughout my practice I have followed the line 'not more security than necessary', for two very simple reasons: it is less expensive and it is easier for the organization. More security than needed is counterproductive: people in organizations invent shortcuts and cheat to circumvent the rules. That creates a practice of trying to be smarter than the security people. The thinking that is implied in deciding how much security is actually needed makes it possible to focus on the real risks. The worst that can happen to any organization is implementing security for the benefit of security.

The problem

For Information Security Management, ISO 27001 describes the management system: the Information Security Management System or ISMS. The first question organizations ask themselves is invariably: are we using ISO 27001 and are we getting a certificate for that? However, the first question should be: we are going to manage our efforts to maintain secure information processing, but do we need an ISMS?

The management system as described in the international standard resembles the management systems that are defined for quality (in ISO 9000) and environmental control (in ISO 14000). Evidently, with one of those management systems in place, it is easier to implement the next. The use of those standards seems to have become a goal in itself. It pushes organizations into implementing a management system even when that is not needed.

The management systems tend to regard the organization as a whole. That is encouraged by certification, because certain management system functions are provided by parts of the organization that are not subject to the certification. Those parts will either have to be brought into the scope of the certification, or their functions will have to be duplicated.

Furthermore, new developments like outsourcing or services in the cloud will have a profound influence on information security management. When major parts of information processing are outside the organization, it becomes more difficult to close the management system, since activities it depends on now lie outside the organization's own control.

The solution

The importance of management of information security lies in maintaining the protection of information and information processing while organizations, processes, technology and people are changing.


In the ITIL book on Information Security (Version 2), security management is described as a series of actions and activities instead of a complete process. The reason for that was twofold: to make it as easy as possible (no organization likes to implement a new process or dedicate a part of the organization to it) and to prevent double bookkeeping.

In every ISMS there are three major parts visible:

- Evaluation, to determine whether information security is up to standard.
- Correction, where improvements in both directions should be possible: make it heavier when it looks like security is too light, and make it lighter when security limits processes.
- Registration, to have a history, to learn from the past and to perform trend analysis to predict the future. Furthermore, it shows management what the results of information security are.

These three activities form the most important parts of the Plan, Do, Check, Act cycle that is favored in ISO management systems. When one of the parts is missing, management of information security is no longer possible.

In the standards, and especially in the best practices, the management system is described with more steps than the three above. That is understandable, because those documents are used in very different types of organizations. During the development of ISO, ITIL, COBIT and even SABSA, theoretical completeness is achieved. In reality, the world is a bit different. Unfortunately, all those steps are often regarded as mandatory. That leads to inflexible situations, ultimately preventing organizations from adapting to changing situations. Yet that flexibility is what management of information security was all about.

By using existing processes there is no need for a separate information security organization. Every security incident can be reported through the Service Desk and be handled through Incident Management. In the Code of Practice for Information Security (ISO 27002) incident handling has a separate chapter, for which the ITIL process can be used. If there is a need for modification of security functionality, that can be managed through Change Management and kept accounted for by Configuration Management.

The implementation of Continual Service Improvement (ITIL CSI) requires evaluation, registration of defects and improvement of the processes. Therefore, the use of existing ITIL practices and processes for information security management is supported.

It is often overlooked that Management has the power to decide what controls to implement and what management activities to employ. Even the ISO standard recognizes this; it is visible in the Statement of Applicability of controls, which has to be endorsed by Management. In spite of the details given in the ISO standards, it is the management decision on the implementation details of the information security management system that should be used as the reference.

By using existing processes and focusing on the three major activities, it is easier to implement information security management than it seems from the ISO standard.

Jacques A. Cazemier is Principal Consultant on the subjects of Information Security Management and Business Continuity Management at Verdonck, Klooster and Associates BV in The Netherlands. VKA is one of the leading consultancy firms on organization and IT in The Netherlands.

Jacques is one of the authors of the ITIL Information Security Management book (V1 and V2) and of the book on Information Security Management and ITIL V3. [email protected]