Information Security Management System (ISMS)

Ensuring information security protects business assets and should not be left to chance. Targeted efforts enable, maintain and improve information protection. An Information Security Management System (ISMS) is used to control all information protection activities. Based on established standards, in particular ISO/IEC 27001, our experienced consultants help organisations of all sizes and in a wide range of industries to establish, assess and improve their ISMS.

The idea and benefits of an ISMS

At the heart of ensuring information security are the protection objectives of availability, integrity and confidentiality of information. Derived protection objectives, such as ensuring the authenticity of information, should also be considered. Information security means that information is protected at all times from being compromised. To achieve this, information security measures must be operated, monitored and controlled on an ongoing basis.

The protection of information shall be effectively controlled. An information security management system verifiably ensures that an organisation’s information security objectives can be achieved with reasonable effort. It enables the effectiveness and cost-effectiveness of information security measures to be assessed at any time. It also enables the clear assignment of responsibilities in this area and ensures that these responsibilities are actually fulfilled.

An ISMS helps those responsible to make risk-based and targeted decisions and to take appropriate measures to protect information. Last but not least, it also offers advantages when dealing with regulatory and supervisory bodies.

Projects to establish or enhance an ISMS typically include the following key components:

  • Establishment of accepted and enforceable basics (regulations such as policies, etc.) for the establishment of the ISMS.
  • Determining the scope of the ISMS (does it cover only certain areas of the organisation, or the organisation as a whole?); this is laid down in the normative definition of the ISMS.
  • Creation of an effective organisation to assign the necessary responsibilities (tasks, competencies and responsibilities, AKV, of those in charge).
  • Alignment of the operational processes with the conditions in the company and the existing processes and organisations (e.g. risk management or the IT security organisation).
  • Ensuring the effectiveness, acceptance and adequacy of the ISMS through support and improvement processes (continuous improvement using the PDCA cycle) and internal ISMS audits.
  • Definition of interfaces to related areas such as data protection, risk management, etc.

If required, the following components can be added:

  • Development of further industry-specific deliverables (e.g. in the healthcare sector).
  • Assistance with the implementation of the ISMS.
  • Development of the necessary basis for a desired certification.

Several recognised standards support the design, implementation and improvement of an ISMS. The most widely used are the ISO/IEC 27000 series and the standards of the German BSI. In recent years, the US NIST Cybersecurity Framework has also been increasingly used to design ISMSs. Each standard offers specific advantages and disadvantages, so that the implementation of an ISMS is usually a hybrid of several standards.

Our approach

Temet has many years of cross-industry experience in developing, implementing, evaluating and improving ISMSs. Our experts are also familiar with the organisational structures and processes involved. With our expertise, we can support the business, risk and security managers and, if required, guide them through to the successful certification of their ISMS against the chosen standard.

Temet can use the client’s tools if desired. In addition, we have our own tools (frameworks, catalogues, methodologies, etc.) that can be used to validate or improve the ISMS in your organisation. Typically, different standards and tools are used in combination to best achieve the customer’s objectives.

Customer benefits

With our help, many clients have successfully implemented new ISMSs, improved existing systems and achieved ISO/IEC 27001 certification. As a result of our work, they gain transparency about their risk exposure, increase the efficiency of their information security measures and ensure compliance where regulatory requirements need to be met.