
ISMS

Information Security Management System according to ISO/IEC 27001

Most organisations regard information security as one of the priorities of their management system. The best way to achieve it is to build and operate an information security management system that is aligned with an international security standard. An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems.


The best way to reach "good practice" in security management is to establish and implement an Information Security Management System that complies with the ISO/IEC 27001 standard.

  • ISO/IEC 27001 is the internationally recognised standard against which an information security management system is assessed and certified.
  • ISO/IEC 27001 is a framework for the effective management of all of an organisation's information and data.
The Information Security Standard is published in two parts:


ISO/IEC 27001 SPECIFICATION FOR INFORMATION SECURITY MANAGEMENT SYSTEMS


ISO/IEC 27002 CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT


Information is the lifeblood of all organisations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on video, or spoken in conversation. In today's competitive business environment such information is constantly under threat from many sources, which may be internal, external, accidental or malicious. There is a need to establish a comprehensive information security policy across the whole organisation. You need to ensure the confidentiality, integrity and availability of both vital corporate information and customer information.


HOW DO WE START?


  1. Develop an information security policy and identify your organisation's key information assets. Choose a consultant company to help you do this.
  2. Carry out a risk assessment.
  3. Implement the countermeasures, controls and control objectives of the ISMS.
  4. Train the responsible employees to ensure successful implementation of the ISMS.
  5. Once your ISMS is fully implemented and adopted, you can apply for ISO/IEC 27001 certification with an internationally recognised certification body.

11 AREAS FOR COUNTERMEASURES ACCORDING TO ISO/IEC 27001


ISO/IEC 27001 is a standard setting out the requirements for an ISMS. It helps identify, manage and minimise the range of threats to which information is regularly subjected. The 11 areas below are the control clauses of Annex A of ISO/IEC 27001:2005 (later editions of the standard regroup them). Annex A is a reference list rather than a mandatory checklist: each control is selected, or its exclusion justified, in the Statement of Applicability based on the results of the risk assessment.


  1. Information security policy: provides management direction and support for information security.
  2. Organisation of information security: management of information security within the organisation.
  3. Asset management: identification of assets and their appropriate protection.
  4. Human resources security: reduction of the risks of human error, theft, fraud and misuse.
  5. Physical and environmental security: prevention of unauthorised access to, damage to and interference with business premises and information.
  6. Communications and operations management: ensuring the correct and secure operation of information processing facilities.
  7. Access control: controlling access to information.
  8. Information systems acquisition, development and maintenance: ensuring that security is built into information systems.
  9. Information security incident management: ensuring that information security events and weaknesses are managed in a proper manner so that timely corrective action can be taken.
  10. Business continuity management: counteracting interruptions to business activities and protecting critical business processes from the effects of major failures or disasters.
  11. Compliance: avoiding breaches of any criminal or civil law, statutory, regulatory or contractual obligations, and any security requirement.


An organisation using ISO/IEC 27001 as the basis for its ISMS can be certified by a certification body, thus demonstrating to customers that the ISMS meets the requirements of the standard.


IMPLEMENTING AN INFORMATION SECURITY MANAGEMENT SYSTEM - ISMS PAKET


  • The ISMS is supplied to your company as the ISMS Paket: we help you analyse the existing system, optimise the company processes that concern information security, and propose, draft and agree with you the complete security system documentation (security policy, security instructions, risk treatment plans, etc.).
  • The documentation is prepared professionally to fulfil the ISO/IEC 27001 requirements and is delivered in written or digital form, on CD or another suitable medium.
  • We train your employees in ISMS topics.
  • We carry out internal security and system assessments.
  • We recommend an internationally recognised certification body.
  • Thanks to proven methods, preparation time to gain the certificate ranges from 6 to 12 months.
There are key steps that every company implementing an Information Security Management System will need to consider:


DECISION FOR IMPLEMENTATION OF THE ISMS


Gather a team and agree your strategy. Begin the entire implementation process by preparing your organisational strategy with top management, including whether the system will be adopted by the whole company or by one or more departments.


CHOICE OF AN INDEPENDENT CONSULTANT COMPANY


Choose a consultant company with appropriate experience.


UNDERTAKE A RISK ASSESSMENT


During this phase you should review all potential security breaches. This should not relate solely to IT systems, but should encompass all sensitive information within your organisation.


DEVELOP A POLICY DOCUMENT


This will demonstrate management support and commitment to the Information Security Management System process.


DEVELOP SUPPORTING DOCUMENTS AND PROCEDURES


Put together a Statement of Applicability and the procedures that support your security policy. These will cover a range of areas including asset classification and control, personnel security, physical and environmental security and business continuity management.


IMPLEMENT YOUR INFORMATION SECURITY MANAGEMENT SYSTEM


The key to implementation is communication and training. During the implementation phase everyone begins operating according to the procedures of the ISMS.


CHOOSE CERTIFICATION BODY


The certification body is the third party that comes to assess the effectiveness of your ISMS and issues a certificate if it meets the requirements of the standard. Choosing a certification body can be a complex matter, as there are so many operating in the market. Factors to consider include industry experience, geographic coverage, price and the service level offered.


UNDERTAKE A SYSTEM ASSESSMENT


During this phase the consultant company evaluates all aspects of the ISMS and issues a report listing conformities and non-conformities with the standard.


OBTAIN REGISTRATION


Arrange your initial assessment with your registrar. At this point the registrar reviews your Information Security Management System and determines whether you should be recommended for registration.


THE REGISTRATION PROCESS


Once you have chosen a registrar that fits your needs, the certification process will generally involve the following steps:
  • a voluntary pre-assessment
  • documentation assessment (certification audit, stage 1)
  • certification audit, stage 2
  • the certification decision
  • continuing assessments

CONTINUAL ASSESSMENT


Once you have received registration and been awarded your certificate, you can begin to advertise your success and promote your business. Your ISMS will be periodically checked by your registrar to ensure that it continues to meet the requirements of the standard.


VERSA SYSTEMS FOLLOWS THE RULES:


Versa Systems consultants are able to analyse and evaluate your current state and, in collaboration with you, create the methods and regulations of the ISMS so that it fulfils the applicable standards. We evaluate the security of your information system, compare it with the known weak spots of the individual platforms, produce an overall evaluation of the ISMS and add a SWOT analysis and a list of recommendations that lead to improved security of your system. We are ready to help you in these areas:

  • security and privacy consulting services
  • security audit (external, internal)
  • penetration testing
  • risk analysis
  • data protection analysis
  • personal data protection
Versa Systems has long-standing experience in information security consulting services. Company management and employees gain habits that enable them to maintain and develop the company's ISMS much more effectively and with less effort.

Principles
  • the implemented system must not be an obstacle to the main business activity of the company
  • minimum bureaucracy and maximum benefit for the company, its management and its employees
  • a clearly defined system that fulfils the ISO/IEC 27001 requirements in the shortest possible period
  • certification is usually reached within 6 to 12 months
Fixed price – no hidden costs

The price is guaranteed by the contract, so you know it from the first day of the project: both the price of the preparation for certification and the price of the certification itself.

Guaranteed registration

We guarantee not only that the certification audit takes place on the agreed date but also that the certificate is obtained.


PROMOTE AND MAINTAIN YOUR MANAGEMENT SYSTEMS – ISMS+PAKET


After all the hard work of getting the management system implemented and registered, the benefits are not just internal. Promoting the fact that you have a registered management system to customers and other parties can bring significant benefits. Maintenance and continual improvement of the management system come next. Like a business, the management system is a living thing and needs to be continually changed and updated in order to operate effectively. Maintenance and continual improvement throughout the continual assessment process are required in order to maintain registration. Versa Systems offers you the maintenance package ISMS+ Paket, which ensures that your ISMS continues to meet the requirements of the standard.




BENEFITS OF AN ISMS IN YOUR COMPANY...


...from the law
  • fulfilment of legal requirements and standards (personal data protection law, classified information law)
  • documentation for your customers that your information security system is reliable and controlled according to documented procedures
...competitiveness
  • increased competitiveness of the company in the market
  • easier recruitment of new customers in international markets
  • a stronger position in the market
...your satisfaction
  • improved organisation and administration of information in the company
  • more effective methods of data protection and security
  • clear responsibility of people for handling information
  • greater confidence of customers and employees
