The information security management system (ISMS) is a new subject which has been discussed in various companies and organizations, and many large and small security companies are also considering investigating this topic. However, experience has shown that merely imitating a scientific and technological development and implementing it at the national level has not only failed to deliver its best real effect but has also caused a huge waste of resources.
In this paper we present an idea for the localization of ISMS which, with regard to the ISO standards and the importance of this subject, prepares the facilities and the best ground for research and work on ISMS. In this essay we introduce a new circle which covers a new level of the ISMS subject.
1. The missing circle of ISMS
Masoud Hayeri Khyavi
Mina Rahimi
Research Institute for ICT (Iran Telecommunication Research Center)
ACM SIGMIS Computers and People Research 2015
2. Information Security Management System (ISMS)
• Information Security Management System (ISMS)
• Why?
• How?
(Figure: Information security, Certificate, ISO 27001)
3. Information Security Management System (ISMS)
Why ISMS? (Management view)
• Security management and planning are the fundamental infrastructure for the security layout of organizations.
• In today's modern life we are witnessing the transfer of huge amounts of data and information, which may be very important or, conversely, nonsense data.
• An information security management system, or ISMS, is a critical management system which prepares a secure layout for information transfer and exchange, data storage and processing.
• With a good ISMS, you can get the ISO 27001 certificate for your organization.
4. Information Security Management System (ISMS)
Why ISMS? (Personnel view)
There is an important question: what is happening to the personnel and people who are not at the top level but are working in the heart of the company?
• Is an information security management system complete without them?
• Implementing an information security management system in an organization, or just in a small part of the organization, will create constraints and limitations for colleagues and coworkers, which almost always bring dissatisfaction and a negative view for both the personnel and the customers who are dealing with the organization.
• From a psychological point of view, a resistant force would unintentionally appear against these constraints and limitations.
5. Information Security Management System (ISMS)
How can we implement ISMS?
• PDCA is the core of ISMS.
• PDCA is a model and framework which in fact covers the cycle of planning, doing, checking and acting; this cycle should be carried out continuously with protection and positive support from the management side.
BUT WE DON'T WANT TO TALK ABOUT THE "PDCA" CIRCLE; WE WANT TO FIND THE MISSING CIRCLE. DO YOU KNOW WHERE IT IS?
6. Challenges against ISMS
Management decides and orders the ISMS process to begin, but there are challenges:
• Fear of / resistance to change,
• Increased cost,
• Inadequate knowledge of the approach,
• A seemingly huge task,
• Limited knowledge.
7. ISMS Critical Success Factors
• Information security policy, objectives, and activities that reflect business objectives
• An approach to information security consistent with the organizational culture
• Visible support and commitment from all levels of management
• A good understanding of the information security requirements, risk assessment and risk management
• Effective marketing of information security to all the staff and others
• Distribution of guidance on information security to all the staff and others
• Adequate financial support
• Appropriate awareness, training and education
• An effective information security incident management process
8. New idea appears!
• We are trying to define another circle beside the PDCA circle, which is called the ISMS "missing circle".
• This circle is related to the non-management layer and is the ISMS sub-level, or low-level ISMS (LL-ISMS).
• LL-ISMS is the complement of the main ISMS.
• Depending on the organizational goal, it can be installed inside the ISMS or beside it, with personnel and customers as its main directors.
• With this new circle, distinguishing risks and threats in the organization would be easier and faster; besides, control enforcement and reaction against threats would be quicker, so, on the other hand, risk management would be improved.
• Each of the functions of LL-ISMS (internal or external) has an interactional structure with the main ISMS. We defined four phases for LL-ISMS with the names:
(Figure: the four phases Feel, Think, Do, Help)
9. The missing circle arises (New phases appear)
10. How does LL-ISMS help ISMS?
A complete circle which connects the management level with the non-management levels will further consolidate the security system and will minimize the challenges, especially in ISMS implementation. LL-ISMS will bring benefits and advantages such as:
• Security standards have been prepared according to the thinking of their authors and supporters and have been presented through an "overall solution". The ISMS scheme, via standards, plays the role of backbone and infrastructure for the security body of an organization and, following that, of wider areas such as a country; but not all conditions and areas are the same, so the skeleton should be made compatible in a special manner which tolerates the pressure under any condition and guarantees the highest reliability.
• With the idea suggested by the authors of this essay, we are able to find a suitable answer for each of the security requirements, because the personnel of the lower layer in the organization, through the states of Feel and Think, would recognize the reason for each of them by themselves and perhaps, in some cases, with their suggestions and new ideas, increase the efficiency of the security scheme and decrease the cost. With this idea we are going to localize the ISMS. Furthermore, this new circle will bring an invisible connection between the security management level and its subsets, which is an advantage for trust and confidence in the firm.
11. And at the end
• Other merits of these two circles near each other are the interconnection between different management levels, flexibility, personnel's responsibilities and customers' commitments to themselves and to their firms (they know themselves to be effective in their organization), etc. The most important gift which this circle brings, as a new subject in the security area, is "security near each other, with mutual trust beside".
12. Thank you for your attention
&
Any question?
m.hayery@itrc.ac.ir rahimi7@itrc.ac.ir