Unit 25: Information Security Management
Organisations of all sizes need to protect their sensitive information from potential attackers, and simply having up-to-date firewalls, anti-virus, and other infrastructure components is not enough to prevent breaches. All physical security devices, the teams who manage them, and the processes surrounding their management need to be constantly monitored and evaluated to ensure the organisation as a whole is protected. This is the concept behind an Information Security Management System (ISMS): an ongoing process to continually assess what the organisation deems its biggest threats and what its most important assets are.
This unit introduces students to the basic principles of an ISMS and how businesses use them to effectively manage the ongoing protection of sensitive information they hold. There are many reasons for establishing an ISMS for an organisation, but one of the main goals is to enable the organisation to manage information security as a single entity which can be monitored and continually improved upon.
This unit considers information security management in a business context and will allow students to understand how modern organisations manage the ongoing threats to their sensitive assets.
On successful completion of this unit students will be able to describe what an ISMS is, how one is established, maintained and improved, and describe the role international standards play in developing an ISMS. As a result, students will develop skills such as communication literacy, critical thinking, analysis, reasoning and interpretation, which are crucial for gaining employment and developing academic competence.
LO1: Explore the basic principles of information security management
- What is an ISMS? Why is an ISMS important? Policies (privacy, acceptable use, information security, separation of duties, least privilege); risk (impact, likelihood, quantitative, qualitative, vulnerabilities, threats); risk treatment (avoid, transfer, accept, mitigate); compliance; stakeholders.
LO2: Critically assess how an organisation can implement and maintain an Information Security Management System (ISMS)
- Asset identification; stakeholder requirements; risk assessment; risk treatment planning; policy development; procedure development; senior management buy-in; audit (internal, external); performance monitoring; continual improvement.
LO3: Appraise an ISMS and describe any weaknesses it may contain
- Review ISMS documentation for potential weaknesses; examine audit and performance monitoring output; suggest improvements to an ISMS.
LO4: Examine the strengths and weaknesses of implementing ISMS standards
- ISO 27001:2013; the organisation and its context; expectations of interested parties; determining ISMS scope; leadership commitment; policy; organisational roles and responsibilities; actions to address risks; information security objectives; resources; competence; awareness; communications; documented information; operational planning; risk assessment; risk treatment; monitoring, measuring, analysis and evaluation; management review; nonconformity and corrective action; continual improvement; external ISMS audit; advantages and disadvantages of ISO 27001:2013 certification; annex A (ISO 27002:2013) controls.