ISMS stands for Information Security Management System. That means it is a structured approach for controlling your organisation's data security to ensure:
- It does not get into the wrong people's hands
- It is not corrupted
- It is used by the people that should have access and not by those that don't
- Rules are set as to how the information is gathered, stored, released, updated and destroyed
This is achieved by ensuring that the dangers listed above do not happen. That, in turn, is achieved by assessing how likely each of them is to happen given the controls in place, and then adapting and improving those controls until the chances of the wrong thing happening are slim enough for the organisation to live with (given the data types involved).
The 27k1 ISMS is a step-by-step process to identify the existing controls, and consequently the existing risk, for the data sets held by the organisation, and then to review these with a view to how the risks can be reduced or removed entirely.
To do this, the organisation has to choose whether each risk is Acceptable (i.e. nothing further need be done), Treatable (i.e. change things internally to make the situation less risky), Transferable (i.e. pass the risk to someone else to look after), or Avoidable (i.e. by removing the data concerned in the first place). The choice will depend on the data type, the security required and the scale in question in each case.
The 27k1 ISMS then runs through a range of controls to allow the user to choose how to address each data set, so the user has total flexibility in how they react.
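The assess, decide and re-assess loop described above can be made concrete as a small risk register. The following is an added example, not the 27k1 product's own code or data model; the scoring scale (likelihood 1..5 times impact 1..5), the control-strength levels, the risk appetite of 6 and the data set names and scores are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class Treatment(Enum):
    """The four treatment choices named in the text."""
    ACCEPT = "Acceptable"
    TREAT = "Treatable"
    TRANSFER = "Transferable"
    AVOID = "Avoidable"


@dataclass
class DataSet:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain), with no controls
    impact: int            # 1 (negligible) .. 5 (severe)
    control_strength: int  # 0..4; each level reduces likelihood by one (assumed scale)

    def residual_risk(self) -> int:
        """Likelihood after the controls in place, times impact (1..25)."""
        residual_likelihood = max(1, self.likelihood - self.control_strength)
        return residual_likelihood * self.impact


@dataclass
class Decision:
    """One audit-trail entry: what was decided, by whom, and the risk effect."""
    data_set: str
    risk_before: int
    treatment: Treatment
    risk_after: int
    decided_by: str


class RiskRegister:
    """Holds the data sets, the organisation's risk appetite and the decision log."""

    MAX_CONTROL = 4  # strongest control level available in this toy scale

    def __init__(self, appetite: int):
        self.appetite = appetite  # highest residual score the organisation will live with
        self.data_sets: List[DataSet] = []
        self.log: List[Decision] = []

    def add(self, ds: DataSet) -> None:
        self.data_sets.append(ds)

    def decide(self, name: str, treatment: Treatment, decided_by: str) -> int:
        """Apply a treatment to one data set, record it, return the residual risk."""
        ds = next(d for d in self.data_sets if d.name == name)
        before = ds.residual_risk()
        if treatment is Treatment.TREAT:
            # Strengthen controls one step at a time until the residual risk is
            # within appetite, or no stronger control level is available.
            while ds.residual_risk() > self.appetite and ds.control_strength < self.MAX_CONTROL:
                ds.control_strength += 1
            after = ds.residual_risk()
        elif treatment in (Treatment.TRANSFER, Treatment.AVOID):
            # Risk handed to a third party, or the data no longer held: the data
            # set leaves the register, but the decision stays on the audit trail.
            self.data_sets.remove(ds)
            after = 0
        else:  # ACCEPT: nothing changes; the score is simply recorded
            after = before
        self.log.append(Decision(name, before, treatment, after, decided_by))
        return after

    def outstanding(self) -> List[str]:
        """Data sets still above appetite: the to-do list for the next review."""
        return [d.name for d in self.data_sets if d.residual_risk() > self.appetite]


def demo() -> RiskRegister:
    """Constructed sample run over three made-up data sets."""
    reg = RiskRegister(appetite=6)
    reg.add(DataSet("customer payment cards", likelihood=4, impact=5, control_strength=1))
    reg.add(DataSet("staff contact list", likelihood=3, impact=2, control_strength=0))
    reg.add(DataSet("legacy marketing leads", likelihood=4, impact=3, control_strength=0))
    reg.decide("staff contact list", Treatment.ACCEPT, "ops manager")     # 6, within appetite
    reg.decide("customer payment cards", Treatment.TREAT, "IT lead")      # 15 -> 5
    reg.decide("legacy marketing leads", Treatment.AVOID, "data owner")   # 12 -> deleted
    return reg


if __name__ == "__main__":
    register = demo()
    for entry in register.log:
        print(f"{entry.data_set}: {entry.risk_before} -> {entry.risk_after} "
              f"({entry.treatment.value}, {entry.decided_by})")
    print("still above appetite:", register.outstanding())
```

The `outstanding()` list is what drives the next iteration: a data set whose residual score stays above appetite even at the strongest control level is exactly the case where the organisation must fall back to transfer, avoidance, or a documented acceptance of a risk it cannot reduce further.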
Altogether, the system delivers:
- Faster processing of the data types and the risks related to them
- Clear records of the decisions made, by whom, and the determined risk effect
- No possibility of inadvertent corruption or removal of data without authority
- Appropriate training and awareness assessment requirements built in
- A clear summary of what data is held, in what state, where and why
- Demonstrable oversight and consideration for all data types (useful as proof when challenged by the ICO, an insurer or the courts)
- Total flexibility in how the data is handled
- The organisation's own choice of how far to take risk controls (and thus the cost)
- Internal audit tracking to demonstrate how improvements have been followed up
- No requirement for in-depth knowledge of IT, of ISO systems or of risk management
- Simple use, with everyday language and minimal jargon
- A recognised key step towards data security and GDPR compliance
- Far lower cost than consultant-led systems generation