Posts

How to implement an Information Security Management System (ISMS)

We wrote here https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the 3rd  step in implementing the requirements of the directive is to establish a cybersecurity framework.

If you haven’t read what a cybersecurity framework means, then you should read article: https://www.sorinmustaca.com/demystifying-cybersecurity-terms-policy-standard-procedure-controls-framework/ .

An ISMS is typically based on the ISO 27001 standard, which provides a framework for establishing, implementing, maintaining, and continually improving information security within an organization.

Establishing a cybersecurity framework is usually achieved together with, or while implementing an Information Security Management System (ISMS) based on a standard like ISO 27001. So, before going to the NIS2 Step 3, I must explain why is it important to have a “good” ISMS.

This article will guide you through the steps to create a solid foundation for the ISMS which uses a cybersecurity framework.

 

Here are the steps you must follow to implement your ISMS:

  1. Get Top Management Support
    • Before you start, synchronize with the top management in order to define company’s goals in this regard. Usually it should be clear, since the company strives to receive a certification like ISO 27001, ISO 16949, TISAX, CSMS, etc..
    • Then secure the commitment and support of senior management by helping them understand the necessary resources and efforts.
    • In all standards that require an ISMS it is imperative to have the commitment of the management because their feedback and support are required in several places along the way.
  2. Scope Definition
    • Define the scope of your ISMS: determine which assets, processes, and locations will be covered by the ISMS.
    • This will help in setting boundaries for your security efforts. Some certifications require an assessment per location and scope, so this needs to be developed properly and in accordance with company’s goals.
  3. Risk Assessment
    • Create policies that help identify and assess information security risks.
    • This involves:
      • How to identifying assets: List all the information assets your organization handles, such as data, hardware, software, and personnel, intellectual property.
      • How to identify threats and vulnerabilities: Determine potential risks and vulnerabilities that could impact your assets.
      • How to assess risks: Analyze the likelihood and potential impact of these risks.
      • How to calculate risk levels: Prioritize risks based on their severity.
  4. Risk Treatment
    • Develop a policy for risk treatment plan:
      • How to implement controls: Select and implement security controls and measures to mitigate identified risks.
      • Document policies and procedures that enforce the creation of security controls.
      • Allocate responsibilities: Assign roles and responsibilities for managing and monitoring security measures.
      • Set risk acceptance criteria: Determine which risks can be accepted, mitigated, or transferred.
  5.  Establish the ISMS Framework
    • Establish the ISMS framework based on ISO 27001:
      • Define information security objectives.
      • Develop an information security policy.
      • Create a risk assessment methodology.
      • Define criteria for risk acceptance.
      • Develop and implement security controls.
  6. Implementation
    • Execute the ISMS based on the established framework:
      • Train employees: Provide information security training to all staff members.
      • Implement security controls: Put in place the technical, administrative, and physical controls identified in your risk treatment plan.
      • Monitor and review: Continuously monitor the effectiveness of your controls and review your risk assessment.
  7. Measurement and Evaluation
    • Regularly measure and evaluate the performance of your ISMS to ensure that it remains effective and aligned with your objectives.
      • Conduct internal audits.
      • Perform security testing (e.g., penetration testing, vulnerability scanning).
      • Analyze security incident data.
  8. Management Review
    • Conduct regular management reviews to assess the ISMS’s performance and effectiveness.
      • Ensure that the ISMS is aligned with the organization’s strategic goals.
      • Make improvements based on review findings.
  9. Continual Improvement
    • Use the results of audits, reviews, and incidents to continually improve the ISMS.
      • Update policies and procedures as needed.
      • Enhance security controls based on new threats and vulnerabilities.
      • Maintain employee awareness and training.
  10. Certification (Optional):
    • If your organization desires ISO 27001 or any other certification, engage an accredited certification body to perform an external audit and certification assessment.
    • Be careful because several certification require a pre-certification or pre-assessment performed either with in-house auditors (internal) or external auditors.
  11. Documentation
    • Maintain detailed documentation of all ISMS activities, including policies, procedures, risk assessments, and audit reports.
    • Maintain a log of all changes in time, because this demonstrates continual improvement and usage.
  12. Training and Awareness
    • Continuously educate and raise awareness among employees regarding information security policies and best practices.
  13. Incident Response and Recovery
    • Develop an incident response plan to address security incidents promptly and effectively.

 

Remember, and make sure that your management remembers as well, that implementing and maintaining an ISMS is an ongoing process. Even if certifications are renewed only after 3 years (usually) it is important that in these 3 years the ISMS is lived.

Regularly update your risk assessments and adapt your security controls to evolving threats and business needs. Continuous improvement is key to the success of your ISMS.

 

The post How to implement an Information Security Management System (ISMS) first appeared on Sorin Mustaca on Cybersecurity.

NIS2: 1. Perform a gap analysis

We wrote here https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the first step in implementing NIS2 requirements is to perform a gap analysis.

 

The most critical part when performing a gap analysis is to define upfront against which standard or security framework are you comparing the existing situation.

It is usual when performing a gap analysis of security maturity to compare against ISO 27000 standard, the ISO 27001 in particular.

Performing a gap analysis on the security stance of a company following ISO 27001 involves comparing its current security measures and practices against the requirements specified in the ISO 27001 standard.

This analysis helps identify areas where the company’s security posture aligns with the standard (compliance) and areas where there are gaps or deficiencies (non-compliance). Here’s a technical breakdown of the process:

 

  1. Familiarize with ISO 27001
    Understand the ISO 27001 standard and its security requirements. This includes studying the Annex A controls, which represent a comprehensive set of security best practices.
  2. Define the Scope
    Determine the scope of the analysis, starting with which areas of the organization’s security management system (SMS) will be assessed, such as specific departments, processes, assets, or locations.
    Then focus on which parts of the company’s operations will be assessed. This could include networks, systems, applications, physical security, personnel, and other relevant components.
    Keep in mind that usually the goal of the company is not reaching ISO 27001 compliance but to see their maturity level and see how prepared they are cybersecurity events and incidents.
    This means that the parallel to ISO 27001 controls (see below) should not be extremely strict, unless the goal really is achieving the ISO 27001 certification.
  3. Conduct Interviews and Gather Information
    Collaborate with key stakeholders, security personnel, and IT staff to collect relevant documentation.
    Relevant documentation is anything related to the company’s security practices, policies, procedures, risk assessments, and controls.
    This includes also security manuals, configuration details, system logs, incident reports, risk assessments, and other related documents.
  4. Create a Gap Analysis Checklist
    Develop a detailed checklist that maps the ISO 27001 controls to the company’s existing security controls and practices. The checklist should include relevant information for each control, such as descriptions, implementation status, supporting evidence, and any gaps or deviations. Always keep in mind what was decided in “2. Define the scope”, because this will give you the depth of the analysis.
  5. Assess Current Security Controls for Non-Compliance
    For each control in the checklist, assess whether the company has implemented the control as specified by ISO 27001. Evaluate the effectiveness of the existing controls in meeting the standard’s requirements. Identify gaps and areas where the company’s security measures do not meet the standard’s expectations. These gaps may include missing controls, insufficient implementation, inadequate documentation, or deviations from best practices.
  6. Prioritize and Rate the Gaps
    Classify the identified gaps based on their severity and potential impact on security. Assign a risk rating to each gap to help prioritize remediation efforts.
  7. Propose Remediation Measures
    For each identified gap, suggest specific remediation measures to address the deficiencies. These measures should align with ISO 27001 requirements and aim to improve the company’s security posture.
  8. Create an Action Plan
    Create a detailed action plan that outlines the steps to be taken to address each identified gap. This plan should include timelines, responsibilities, and resources required for implementation.
  9. Reassess and Update
    Periodically repeat the gap analysis process to assess the company’s security stance and ensure continuous improvement. Regularly review and update the action plan based on new threats, changes in the organization’s structure, or updates to the ISO 27001 standard.
  10. Monitor and Review Progress
    Once the action plan is underway, monitor the progress of each remediation effort and periodically review the improvements made. Track the status of the gaps and ensure that the company is moving towards full compliance with ISO 27001.

 

 

References:

The post NIS2: 1. Perform a gap analysis first appeared on Sorin Mustaca on Cybersecurity.