Abstract

The executive and operational management of organisations today realise that the successful protection of information assets depends on a holistic approach to the implementation of safeguards. A holistic approach requires that management focus on minimising overall risk exposure rather than on ticking off security safeguards on a checklist. The holistic management of information security requires a well-established Information Security Management System (ISMS). An ISMS addresses all aspects of an organisation that deal with creating and maintaining a secure information environment. Aspects such as policies, standards, guidelines, codes of practice, technology, human, legal and ethical issues all form part of an ISMS. Organisations can opt for different approaches to establishing an ISMS. One way is to implement the controls contained in a standard or code of practice, such as ISO17799. In this case information security is driven from a management-process point of view and is referred to as “process security”. Another approach, which complements or adds to process security, is to use certified products in the IT infrastructure environment where possible. This approach focuses on technical issues and is referred to as “product security”. The ‘process’ ISMS and the ‘product’ ISMS approaches are only two ways to address information security, each from a different perspective. The question that arises is whether the ‘process’ ISMS and the ‘product’ ISMS can be combined into a more holistic ISMS, and what the impact of the one will be on the other. The aim of this paper is to propose an ISMS that combines “process security” and “product security”.

Key words: certification; certified products; code of practice; controls; evaluation criteria; guideline; Information Security Management System; process evaluation; product evaluation; protection classes; self-assessment; standards
