Building an ISMS

The previous post in this series suggested an Information Security Management System is needed to manage your security effort. So, where to from here?

Building an ISMS from scratch can be a monumental challenge, but it doesn’t have to be. It is common for organisations to base their security framework on established standards, to avoid having to “reinvent the wheel”.

Typically, organisations looking to construct an ISMS will seek guidance from several different security standards. These should be valid for their area of operation, their industry sector and relevant country legislation.

A review of the commonly used standards will provide insights into the type of measures that should be considered. Review different frameworks that focus on security, privacy and risk management when evaluating what is to be included.

Common Security Standards

There are many different security standards and frameworks used globally. These have been developed to suit a wide variety of organisations. Most of these have a core set of principles that are roughly consistent in their approach to dealing with security. All use policies, processes and controls that can be applied across most organisations.

The security standards and organisations most commonly used to influence the shape of security frameworks within New Zealand are:

  • NZ Information Security Manual (ISM)
  • Control Objectives for Information and Related Technology (COBIT)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • HIPAA, HISO, etc
  • NZ Privacy Act, European GDPR
  • ISO/IEC 2700x

All of the standards and bodies listed here include similar measures for managing security, each with their own specific focus. How much of their content applies to you will vary depending on your organisation’s operating environment.

The NZ ISM (Information Security Manual) is intended primarily for the use of government departments, agencies and their service providers. However, this framework is equally useful for Crown Entities, Local Government bodies and private sector organisations.

COBIT is a U.S. framework applied in the best practices of IT governance and management. It is commonly used to aid compliance with Sarbanes-Oxley. Many organisations across the world, especially those that deal with U.S. based partners, use COBIT in the development and implementation of their IT structures.

PCI DSS (the Payment Card Industry Data Security Standard) is an established information security standard which applies to any organisation involved in the processing, transmission, and storage of credit card information. It is designed to improve the security of payment card transactions and to reduce credit card fraud.

The U.S. Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare facilities – hospitals, clinics, and private practices – that have access to Protected Health Information take actions to safeguard patient data. In NZ, the Health Information Standards Organisation (HISO) works with health providers and shared services organisations to support and promote the development and adoption of fit-for-purpose health information standards.

The NZ Privacy Act controls how organisations can collect, use, share, store and give access to personal information. It is designed to ensure that individuals know what is happening with their personal information and who holds it, and that the information is accurate and kept safe and secure.

The General Data Protection Regulation (GDPR) is an EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of privacy law and of human rights law and addresses the transfer of personal data outside the EU. Its primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.

ISO 27001 is a leading international security standard adopted by many organisations. Its aim is to provide a comprehensive framework that helps organisations of any size or industry protect their information in a systematic way.

Time to catch your breath!

This is a long list of standards and regulations, and it can seem daunting at first glance. The good news is that you don’t have to achieve compliance or certification with any of them unless there is an industry or client obligation to do so.

However, the key message here is you need to be doing something to protect your information and technology assets. These standards all provide excellent suggestions on what measures you can implement to build your ISMS.

More To Come...

Look out for the next instalment in this topic.

