Practical Guidelines and Major Issues in Information Security Management Systems Implementations

Abstract

Information is a major asset for any organization, to public or private. Threatsto information and information handling resources are getting more sophisticatedcontinuously. Also, regulatory requirements for data and system protection areincreasing in number as well as complexity. There are number of frameworks todeal with these issues systematically and effectively. One of such framework is theISO 27001 Information Security Management System (ISMS), which provides aframework for organizations to protect themselves against internal and externalthreats as well as natural disasters. The ISMS provides guidelines on how tomanage information processing, storage and transmission with appropriate controlsin order to avoid any security breaches. ISMS considers people, policies and ITtechnology as major categories of a security system. An organizations personal hasto be trained for establishing, implementing, operating, monitoring, reviewing,maintaining and continuous improving ISMS. Implementation of ISMS requiresrole-model attitude from the top management. Without a visionary and supportiveleadership, the ISMS cannot be used to properly identify and address the risks for anorganization. The practices show that an effective ISMS operation may requiremajor changes to some routine work practices. Clear direction from seniormanagers as well as coordination/support among team members is crucial for asuccessful ISMS project execution. In this work, some practical guidelines forsuccessful, cost effective and functional ISMS implementation will be provided.Also, observations gathered from years of auditing trails and lessons obtainedthrough practical applications will be presented. Major considerations for thesuccess/failure of security systems shall be discussed. It is concluded that security ispreparation of adequate policies/procedures/instructions and the support of wellinformed/diligent people, rather than utilization of sophisticated high-technologies.The importance of human factor for the success such management systems will beexemplified with real-life cases.