Following on from our previous article on Simplifying Information Security Management, this month we will look at how to go about developing an ISMS.

Given the current spate of cyber security-related attacks and data breaches across Australia, having an effective Information Security Management System is becoming essential to protect your data, demonstrate good governance and instil customer confidence.

The most important concept to keep in mind is that an ISMS does not need to be overly complex. A good starting point is to look at the requirements of the international standard ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements (adopted in Australia as AS ISO/IEC 27001:2023), which provides the framework for developing and implementing an ISMS. The revised standard was published in 2022 and in many respects simplifies what is required of an ISMS.

Like all current management system standards, ISO 27001 follows the Annex SL harmonised structure, which gives the standard the same ten top-level clause headings used by every other management system standard (for example ISO 9001 and ISO 14001):

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

However, ISO 27001 is more granular than most management system standards: it goes on to specify, in Annex A, a reference set of information security controls. The 2022 edition lists 93 controls grouped into four themes:

  • Organisational (37 controls)
  • People (8 controls)
  • Physical (14 controls)
  • Technological (34 controls)

These controls are directly derived from and aligned with those in ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection – Information security controls, which now assigns five ‘attributes’ to each control to make them easier to categorise, filter and map to other frameworks:

  1. Control type – when and how the control modifies the risk (preventive, detective, corrective)
  2. Information security properties – which characteristic of information the control is targeted at (confidentiality, integrity, availability)
  3. Cybersecurity concepts – the association of the control with the cybersecurity framework functions defined in ISO/IEC TS 27110 (identify, protect, detect, respond, recover)
  4. Operational capabilities – the control viewed from the practitioner’s perspective of information security capabilities (governance, asset management, information protection, human resource security, etc.)
  5. Security domains – one of four information security domains (governance and ecosystem, protection, defence, resilience)

In practice not all 93 controls will apply to every organisation. Clause 6.1.3 of the standard requires a business to compare the controls it has selected through its risk treatment process against Annex A and record the outcome in a Statement of Applicability, which lists every Annex A control, whether it is included or excluded, the justification for that decision and whether each included control has been implemented. Controls that are not in Annex A may also be added where the risk assessment calls for them.

The task of developing an Information Security Management System from scratch can appear overwhelming because of the detailed and extensive requirements of the standard. In practice, however, most businesses already have both formal and informal processes in place (for example access control, backups, incident handling and staff induction), and these can serve as a strong foundation for establishing their Information Security Management System.

A practical starting point is to acquire the AS ISO/IEC 27001:2023 standard and then conduct a gap analysis against clauses 4 to 10 and Annex A, identifying which requirements are already met and where the gaps are.

Please contact QRMC for more information or assistance.