Information Security Management System: Facts To Note

An Information Security Management System (ISMS) consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
ISMSs are not based on servers or security devices. Instead, an ISMS consists of a set of practices that are systematically applied by an organization to ensure continuous improvement in information security. ISMSs provide conceptual models that guide organizations in planning, implementing, governing, and evaluating information security programs.


ISMSs are a natural extension of the use of popular business models, such as Total Quality Management (TQM) and Control Objectives for Information and Related Technologies (COBIT), into the realm of cybersecurity.
An ISMS is a systematic, multi-layered approach to cybersecurity. The approach includes people, processes, technologies, and the cultures in which they interact in a process of risk management. An ISMS often incorporates the “plan-do-check-act” framework, known as the Deming cycle, from TQM. It is seen as an elaboration on the process component of the People-Process-Technology-Culture model of organizational capability, as shown in the figure.
The image shows a general model for organizational capability. The diagram on the left side of the image depicts the People, Process, Technology, Culture model. The four components of the model are shown in a ring with Capability at the centre. There are arrows pointing both ways between all of the components.
The Process component is expanded out into another graphic on the right side of the image. In the expanded view, the four steps in the plan-do-check-act framework are shown in a clockwise circle surrounding the text: Develop, Improve, Maintain, ISMS.

A General Model for Organizational Capability


ISO is the International Organization for Standardization. ISO’s voluntary standards are internationally accepted and facilitate business conducted between nations.
ISO partnered with the International Electrotechnical Commission (IEC) to develop the ISO/IEC 27000 series of specifications for ISMSs, as shown in the table.
Standard        Description
ISO/IEC 27000   Information security management systems – Overview and vocabulary. Introduction to the standards family, overview of ISMS, essential vocabulary.
ISO/IEC 27001   Information security management systems – Requirements. Provides an overview of ISMS and the essentials of ISMS processes and procedures.
ISO/IEC 27003   Information security management system implementation guidance. Critical factors necessary for successful design and implementation of ISMS.
ISO/IEC 27004   Information security management – Monitoring, measurement, analysis and evaluation. Discussion of metrics and measurement procedures to assess the effectiveness of ISMS implementation.
ISO/IEC 27005   Information security risk management. Supports the implementation of ISMS based on a risk-centred management approach.
The ISO 27001 certification is a global, industry-wide specification for an ISMS. The figure illustrates the relationship of actions stipulated by the standard with the plan-do-check-act cycle.
In the figure, the four steps in the plan-do-check-act framework are shown in a clockwise circle surrounding the text: Develop, Improve, Maintain, ISMS.

ISO 27001 ISMS Plan-Do-Check-Act Cycle

  • Understand relevant business objectives
  • Define scope of activities
  • Access and manage support
  • Assess and define risk
  • Perform asset management and vulnerability assessment
ISO 27001 certification means an organization’s security policies and procedures have been independently verified to provide a systematic and proactive approach for effectively managing security risks to confidential customer information.

NIST Cybersecurity Framework

NIST is very effective in the area of cybersecurity, as we have seen in this module. More NIST standards will be discussed later in the course.
NIST has also developed the Cybersecurity Framework, which is similar in purpose to the ISO/IEC 27000 standards.
The NIST framework is a set of standards designed to integrate existing standards, guidelines, and practices to help better manage and reduce cybersecurity risk. The framework was first issued in February 2014 and continues to undergo development.
The framework core consists of a set of activities suggested to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The core functions, which are defined in the table, are split into major categories and subcategories.
Core Function   Description
IDENTIFY        Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
PROTECT         Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
DETECT          Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
RESPOND         Develop and implement the appropriate activities to act on a detected cybersecurity event.
RECOVER         Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The major categories provide an understanding of the types of activities and outcomes related to each function, as shown in the next table.
Core Function   Outcome Categories
IDENTIFY
  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy
PROTECT
  • Identity Management and Access Control
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology
DETECT
  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes
RESPOND
  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements
RECOVER
  • Recovery Planning
  • Improvements
  • Communications
Organizations of many types are using the Framework in a number of ways. Many have found it helpful in raising awareness and communicating with stakeholders within their organization, including executive leadership. The Framework is also improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors. By mapping the Framework to current cybersecurity management approaches, organizations are learning and showing how they match up with the Framework’s standards, guidelines, and best practices. Some parties are using the Framework to reconcile internal policy with legislation, regulation, and industry best practice. The Framework also is being used as a strategic planning tool to assess risks and current practices.
Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level. I have trained several individuals and groups, and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria, among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Teams to facilitate the training.

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We would appreciate it if you could drop a comment. Thanks in anticipation.
