Papadakis Konstantinos
Cyber-Information Warfare Analyst & Cyber Defense/Security Consultant
ISMS
Information Security
Management System
“… If cybercrime was a country, it would have the 13th highest GDP in the world…”
Description
Temet Nosce
☺ The purposes and benefits of the implementation of an ISMS
☺ Methodologies of the evaluation of risks and the selection of security controls in an ISMS
☺ Some well-known ISMS standards and frameworks
☺ Circular process of implementation of an ISMS
Definition
An Information Security Management System (ISMS) is a set of practices and policies followed to manage security risks to information systems in a systematic way.
Definition Analysis
It is an organizational approach to information security:
➢ Information assets are described & secured
➢ Information security risks are managed and mitigated
➢ Security policies together with their ownerships and guarantees are in place
➢ Adherence to security measures is inspected periodically
ISMS & Information Security
Information Security rests on the C.I.A. triad:
➢ Confidentiality: information is accessible only to those authorized to access it
➢ Integrity: information is accurate and complete, and is not modified without authorization
➢ Availability: information is accessible to authorized users when required
Purposes and Benefits
Providing Governance
Optimizing Security
Providing Transparency
Reducing Organizational & Personal Liability
Purposes and Benefits-Providing Governance
➢ "Let the tech pros take care of InfoSec"
✓ This covers the technical aspects only.
➢ Improper staff training
➢ Physical disasters
Purposes and Benefits-Optimizing Security
➢ Risks
✓ NO Uncovered areas.
✓ NO Overprotected areas.
➢ Security Controls
✓ Don’t disturb main business processes.
➢ Limited Resources
Purposes and Benefits-Providing Transparency
Purposes and Benefits-Reducing Organizational & Personal Liability
➢ Bad things can happen.
➢ Never fully protected.
➢ Organizational & personal liability
➢ Leakage of sensitive customer data
➢ Big penalties if:
✓ NO ISMS in place
✓ NO safeguards
✓ NO InfoSec Officer
➢ If a proper ISMS is in place = Force Majeure
Methodology
Risk Evaluation and Security Controls
Risk Based Approach
Risk Based Approach-Step 1
STEP 1: Identification of Assets
Risk Based Approach-Step 2
STEP 2: Identification of Vulnerabilities
Vulnerability is a weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.
Risk Based Approach-Step 3
STEP 3: Identification of Risks
Risk is an uncertain event or condition that, if it occurs, may have an impact on information assurance, business objectives or activities.
Threat is a potential circumstance or event that could result in harm to a target (a potential attack, accident or error).
Risk Based Approach-Step 4
STEP 4: Applying Security Controls to address the highest risks
Security Controls are safeguards or countermeasures to avoid, detect, counteract or minimize security risks to physical property, information, computer systems or other assets.
Risk Based Approach-Pros & Cons
When using the Risk Based approach, the result is very precise.
• It is quite a big effort, especially for smaller organizations, to use this approach.
• The methodology is quite complex; it may be difficult to find good information about risks and vulnerabilities, and it is costly to keep it updated on a regular basis.
Baseline Approach
The Baseline Approach means the implementation of security controls without performing detailed risk calculations.
➢ In an organization with a typical risk profile and a typical information system, risks can be calculated just once.
➢ Based on that, technical controls for information systems are derived.
➢ This is a fast process and it means less effort for the system.
Combining Approaches
➢ The Baseline Approach, because it is a quick solution, is implemented first.
➢ Detailed Risk Assessments are carried out either only for the information systems that need high security or for the systems of the whole organization.
Standards & Frameworks
International Standards: ISO/IEC 27000 series
➢ These standards cover well the organizational aspects of information security management.
➢ They provide good guidance for transparent auditing.
➢ Several national standards refer to them, especially in the case of risk management.
➢ Not very detailed.
➢ Not technical enough to guide system administrators in defining security controls.
International Standards: ISO/IEC 27001 Compulsory National Standard
➢ Internationally recognized ISMS standard with a formal certification scheme. It can help provide a competitive advantage.
➢ Resource consuming.
National Standards
➢ US NIST Standards are well known as they separate the federal and national systems.
➢ US NIST Standards provide a better level of granularity than that of the ISO/IEC standards, but not as good as BSI Grundschutz.
➢ BSI Grundschutz defines more than 3,000 controls and thus it is a very good handbook for more technically oriented people.
Organizational Frameworks
➢ Organizations can develop their own frameworks tailored to their needs.
➢ Military organizations often have their own classified cyber security frameworks, as the risk profile is different from that of civilian organizations.
Implementation of ISMS
The Plan-Do-Check-Act cycle:
PLAN: Establish the ISMS Policy
DO: Implement the ISMS Policy
CHECK: Assess and measure the effectiveness of the plan and its implementation
CORRECT (ACT): Take corrective measures and change the system or the controls
Implementation of ISMS-NIST SP 800-37
Summary
ISMS is a formal system that helps to manage security risks to information systems.
It includes Risk Management, selection and implementation of Security Controls and, after that, assessment of Residual Risks.
ISMS is NOT an IT discipline.
It IS a discipline of management, because it deals with organizational risks.
Most ISMS implementations that have no management support are unsuccessful.
Since a lot of controls are IT-related, it is often the IT personnel that are driving the process.
IT people usually have a good feeling for the best-practice security controls for different technologies.
However, organizations and risks are different.
The implementation of those best practices without the use of an ISMS does not usually help provide optimal information security.
Security breaches can happen even if an organization has implemented an effective ISMS at an optimal security level.
However, if the organization is able to demonstrate that the ISMS was properly implemented, the liabilities can be limited.
Questions
If information is the key asset that is needed in your business, then an ISMS helps to protect your business case.
An ISMS delivered via ISO standards is compatible with others in the market.
Company management is always involved in the security and always has access to information.
Your partners view you as more reliable, credible, and trustworthy.
ISMS certification opens doors to new business (for example a better competitive position in the EU market).
Information and data sources are utilized more efficiently.
An ISMS makes your investments into information security more efficient.
An ISMS brings the importance of information security to your employees and makes them more involved in your business.
An ISMS changes the culture in your company (brings responsibility and accountability).
This presentation is based on NATO's course:
JADL ADL 343 “Information Security Management System”
Know Thyself