Concluding with a glimpse of the Supportive clauses, informative clauses and the documentation requirements in the Standard ISO/IEC 27001:2005 for ISMS
On the premise that a secure information system may be a facilitative factor for the adoption of BPM, it was suggested that, of the various models available for ISMS, the ISO/IEC Standard 27001:2005 may be considered for implementation by organizations, as it promotes a systems approach and a process approach.
In the earlier two blogs on this topic, an overview of the core operative clauses and the control objectives were covered. In this blog the Supportive clauses, informative clauses and the documentation requirements are being briefly described to complete the glimpse on the Standard.
Reference to earlier blogs:
The Supportive Clauses – they would promote the culture of security
The Information Security Policy of an organization is said to be the driver. The commitment of management is the fuel for continuation and improvement.
The promoting and supportive clauses are:
- Management responsibility,
- Internal ISMS audits,
- Management review of ISMS, and
- ISMS improvement.
Management responsibility includes Management commitment evidenced by documented ISMS Policy; provision of resources; creating awareness, providing training and maintaining competence.
(An important point that may be mentioned here about policy is that it would serve as the basis for developing business rules with respect to information security. This is, in other words, known as Policy Deployment. I remembered to include this point as I was reading ‘Defining Business Rules ~What Are They Really?’ by the Business Rules Group. This observation may be true for any other policy of an organization as well, such as the Quality Policy, Environmental Policy, Sustainable Development Policy, Occupational Health & Safety Policy and so on. That is the case when a policy-driven response to the subject situation is implemented in lieu of reactive responses. That is what the Standard-based Management Systems attempt to promote, and hence the policy is rightly called the driver.)
Internal ISMS audits verify whether the implementation conforms to this Standard and whether performance is as expected.
The management review clause indicates what the review inputs and the review outputs must be.
ISMS improvement includes preventive action and a clause on corrective action.
An organization would be familiar with these clauses if it has a Quality Management System as per the ISO 9001 Standard, and hence implementation of the ISMS may become that much easier and compatible with the QMS.
The Informative clauses – they are educative
They are, to mention again:
Introduction, Scope, Normative references, Terms and definitions, OECD principles and this International Standard (Annex B), Correspondence between ISO 9001:2000, ISO 14001:2004 Standards and this International Standard (Annex C), and Bibliography.
A good point to note under the scope is:
“The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.”
In the Note to this clause it is also mentioned:
“References to ‘business’ in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization’s existence.”
The significance of these two statements would easily be recognized, I assume.
The normative reference is the Standard ISO/IEC 17799:2005, ‘Information technology – security techniques – Code of practice for information security management’. It is from this Standard that the Control Objectives and Controls are derived. Hence it is mentioned as an indispensable reference for establishing the ISMS.
Clarity in understanding the various terms used is an important requirement to be fulfilled. The terms and definitions are from the Standards ISO/IEC 13335-1:2004, ISO/IEC 17799:2005, ISO/IEC TR 18044:2004, and ISO/IEC Guide 73:2002. (TR stands for Technical Report.)
Documentation requirements – For making intentions materialize
The first evidence of fulfillment of the requirements is through documentation.
The need for documentation helps an organization to begin articulating its position on the clauses, to know and start from whatever level it is at, to make its intentions material, to revise the documents as it improves, and to retain revisability in order to move forward and higher.
The documentation requirements include the following:
- documented statements of the ISMS policy
- the scope of the ISMS
- procedures and controls in support of the ISMS
- a description of the risk assessment methodology
- the risk assessment report
- the risk treatment plan.
It may be noted here that documents and records may be in any form or type of medium.
It is good to be guarded against thinking of the Standard as one that burdens an organization with documentation. It is all up to an organization to decide the extent of documentation.
The ISMS is meant to serve and recognizably benefit the organization. Making a beginning with this realization would be found very fruitful.
Eventually the security would provide confidence to people, leading to an increase in the usage of information system assets by persons at all levels in the organization, for many purposes and in many ways; this may also be expected to improve the maturity of usage, which in turn might make adoption of BPM a natural outcome.
A related blog posted earlier is:
Further related readings, just a selected few, for those interested:
ISMS in an educational institute:
A Fact sheet by KPMG, service provider in this area
An acknowledgement: The usage ‘IT enabled Management’ in Part 1 of this blog is from the presentation (BPMX) made by Ann Rosenberg at the SAP TechEd 2008 Community Day.
It had been a long session! I thank all the readers for having been with me all along!