Information Security Management (ISO/IEC 270xx)
Why does an organisation need to improve its information security management?
- Risk-based thinking: information security is crucial to business operations and must be protected
- Technical compliance with current information technology, e.g. cryptography
- Legal compliance, e.g. PDPA (Personal Data Protection Act), IPR
- Government regulation of IT service providers, e.g. telecommunications, finance, healthcare, etc.
- Contractual requirements, e.g. supplier contracts, service level agreements
- Social responsibility; common practice for IT and service management
- Technically sound and effective, e.g. vulnerability management, penetration testing (PT)
- Market competition, e.g. competitors
Critical success factors
- information security policy, objectives, and activities that reflect business objectives;
- an approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture;
- visible support and commitment from all levels of management;
- a good understanding of the information security requirements, risk assessment, and risk management;
- effective marketing of information security to all managers, employees, and other parties to achieve awareness;
- distribution of guidance on information security policy and standards to all managers, employees and other parties;
- provision of funding for information security management activities;
- providing appropriate awareness, training, and education;
- establishing an effective information security incident management process;
- implementation of a measurement system that is used to evaluate performance in information security management and to feed back suggestions for improvement.
Starting Point of Information Security Management
Controls considered essential to an organization from a legal and legislative point of view include, depending on applicable legislation:
- business objectives
- data protection and privacy of personal information;
- protection of organizational records;
- intellectual property rights.
Controls considered common practice for information security management include:
- business/organisational risk analysis according to risk management principles (ISO 31000);
- information security policy document;
- allocation of information security responsibilities;
- information security awareness, education, and training;
- correct processing in applications;
- technical vulnerability management;
- business continuity management;
- management of information security incidents and improvements.
Learn how to manage information security with our experts.
The international standard ISO/IEC 27001:2013 sets out the requirements to establish, implement and continually improve an information security management system (ISMS) for the organisation.
Based on the ISMS (ISO/IEC 270xx) family of standards, we offer a series of training programmes to help you understand WHAT the requirements are, know HOW to plan and implement an ISMS, and build the capability to audit it.