Information security management system (ISMS) is that part of the overall management system, based on a business risk approach, that it is developed in order to establish, implement, operate, monitor, review, maintain and improve information securitysecurity, information management system, audit

Cristian AMANCEI

Traian SURCEL

English

Research Papers in Economics

Revista Informatica Economică, nr. 4 (44)/2007  111
The Information Security Management System, Development and Audit 
 
Traian SURCEL, Bucharest, Romania, tsurcel@ase.ro  
Cristian AMANCEI, Bucharest, Romania, cristian.amancei@ie.ase.ro  
 
Information security management system (ISMS) is that part of the overall management system, 
based on a business risk approach, that it is developed in order to establish, implement, operate, 
monitor, review, maintain and improve information security. 
 
SMS component of information system 
Bu
ing p
sinesses have major goals (i.e. increas-
rofit, larger market share), none of these 
goals will be met by the business if they do 
not find out what users want, and also do not 
find ways of satisfying those users’ needs. 
Information security should be an integral 
part of the organization’s operating and busi-
ness culture. Let’s analyze the steps to be fol-
lowed in establishing the ISMS in the organi-
zation. 
The first step is to define the scope of the 
ISMS in terms of the characteristics of the 
business, the organization, its location, assets 
and technology. The scope needs to take ac-
count any interfaces with other systems, or-
ganizations, third party suppliers, and it also 
needs to take account any dependencies, e.g. 
security requirements that need to be satis-
fied by the ISMS. 
The second step is to define the ISMS policy 
in terms of the characteristics of the business, 
the organizations, its location, assets and 
technology that includes a framework for set-
ting its objectives and establishes an overall 
sense of the direction and principles for ac-
tion with regard to information security. Also 
we have to take into account business and le-
gal or regulatory requirements, and contrac-
tual security obligations in special with: third 
party suppliers, dial-up / internet access, 
shared processing with business partners. 
We have to establish criteria against which 
risk will be evaluated and the structure of the 
risk assessment will be defined. 
As the step three, at this moment, a system-
atic approach to risk assessment has to be de-
fined. We can do this by identifying a 
method of risk assessment that is suited to 
the ISMS, and the identified business infor-
mation security, legal and regulatory re-
quirements. We have to set policies and ob-
jectives for the ISMS to reduce risks to ac-
ceptable levels and to determine criteria for 
accepting the risks and identify the accept-
able levels of risk. 
Step four is to identify the risks by: identify 
the assets within scope of the ISMS and the 
owners of these assets, identify the threats to 
those assets, identify the vulnerabilities that 
might be exploited by the threats, identify the 
impacts that losses of confidentiality, integ-
rity and availability may have on the assets. 
Step five is to assess the risks, by assessing the 
business harm that might result from a security 
failure, taking into account the potential conse-
quences of a lose of confidentiality, integrity or 
availability of the assets, and by assessing the 
realistic likelihood of such a security failure oc-
curring in the light of prevailing threats and vul-
nerabilities and impacts associated with these 
assets, and the controls currently implemented. 
Step six is to identify and evaluate options for 
the treatment of risks. Actions the organiza-
tion could consider: applying appropriate 
controls, knowingly and objectively accept-
ing risks, providing they clearly satisfy the 
organization’s policy and the criteria for risk 
acceptance, avoiding risks, transferring the 
associated business risks to other parties (i.e. 
insurers, suppliers, third parties). 
Step seven, select control objectives and con-
trols for the treatment of risks. The selection 
of controls should be cost effective, i.e. the 
cost of their implementation should not ex-
ceed the financial impact of the risks they are 
intended to reduce. Some of the impacts will 
be non-financial, those impacts should be 
taken into account when they are related to 
safety, personal information, legal and regu-
latory obligations, image and reputation. 
Step eight is to prepare a statement of applicabil-
I Revista Informatica Economică, nr. 4 (44)/2007  112 
ity. The control objectives, controls selected and 
the reasons for their selection shall be docu-
mented in the Statement of Applicability. 
The last step is to obtain management ap-
proval of the proposed residual risks and au-
thorization to implement and operate the 
ISMS.  
At this moment the ISMS project can move 
to next stages, implementation and operation 
of the ISMS, monitor and review of the 
ISMS, maintenance and improvement of the 
ISMS.  
In order to be operable the ISMS documenta-
tion will include the following: documented 
statements of the security policy and control 
objectives; the scope of the ISMS, proce-
dures and controls in support of the ISMS; 
risk assessment report; risk treatment plan; 
documented procedures needed by the or-
ganization to ensure the effective planning, 
operation and control of its information secu-
rity processes; statement of applicability. 
It’s useful to take a look to some examples of 
control objective and controls for system de-
velopment and maintenance and business 
continuity management. 
a) System development and maintenance 
1. Security requirements for operating sys-
tems and application systems, the control ob-
jective,  is to ensure that security is built into 
information systems and can prevent loss, 
modification or misuse of user data. Controls 
that can be applied are: 
-  security requirements analysis and speci-
fication. Business requirements for new sys-
tems, or enhancements to existing system 
shall specify the requirements for controls; 
-  input data validation. Data input to appli-
cation system shall be validated to ensure 
that it is correct and appropriate; 
-  control of internal processing. Validation 
checks shall be incorporated into systems to 
detect any corruption of the data processed. 
Reports with errors must be defined into the 
system to return missed matches that are 
found during processing; 
-  output data validation. Data output from 
an application system shall be validated to 
ensure that the processing of stored informa-
tion is correct and appropriate to the circum-
stances;  
2. Ccryptographic controls, the control objec-
tive is to protect the confidentiality, authen-
ticity or integrity of information. Controls 
that can be applied are: 
-  policies and management. A management 
system should be developed, based on an 
agreed set of standards, procedures and 
methods that shall be used to support the use 
of cryptographic techniques; 
-  encryption. Encryption shall be applied to 
protect the confidentiality of sensitive or 
critical information; 
-  non-repudiation services. Non-
repudiation services shall be used to resolve 
disputes about occurrence or non-occurrence 
of an event or action; 
3. Security of system files, the control objec-
tive is to ensure that IT projects and support 
activities are conducted in a secure manner. 
Controls that can be applied are: 
-  control of operational software. Proce-
dures shall be in place to the implementation 
of software on production systems. 
-  access control to program source library 
and database. Strict control shall be maintained 
over access to program source libraries and da-
tabase or a third party provider can be used for 
development and maintenance of program 
source libraries. 
4. Security in development and support proc-
esses, the control objective is to maintain the 
security of application system software and 
information. Controls that can be applied are: 
-  change control procedures. The implementa-
tion of changes shall be strictly controlled by the 
use of formal change control procedures and un-
der strict observation. 
-  technical review of operating system 
changes. Application system shall be re-
viewed and tested when changes occur, be-
fore being applied on production servers. 
-  outsourced software development. Con-
trols shall be applied to secure outsourced 
software development. 
b) Business continuity management 
For Business continuity management the 
control objective is to counteract interrup-
tions to business activities and to protect 
critical business processes from the effects of Revista Informatica Economică, nr. 4 (44)/2007  113
major failures or disasters. In practice the 
tolerance of the business to a system failure 
gives the importance of the business continu-
ity management (for a business where system 
availability is very critical, tolerable disrup-
tion less than one day, the business continu-
ity management will become very impor-
tant). Controls that can be implemented are: 
First control is the business continuity man-
agement process. The business should have a 
managed process in place for developing and 
maintaining business continuity throughout 
the organization. 
Second control is the business continuity and 
impact analysis. In order to accomplish this, 
a strategy plan, based on appropriate risk as-
sessment, will be developed for the overall 
approach to business continuity.  
Third control is the business continuity plan-
ning framework. It has to be developed and 
maintained, a single framework of business 
continuity plans, in order to ensure that all 
plans are consistent, and to identify priorities 
for testing and maintenance. 
Fourth control is the testing, maintaining and 
re-assessing business continuity plans. Busi-
ness continuity plans will be tested regularly 
and maintained by regular reviews to ensure 
that they are up to date and effective.  
 
ISMS – PDCA Model  
The ISMS process requirements address how 
an organization should establish and maintain 
their ISMS, based on the Plan-Do-Check-Act 
(PDCA) model. 
Plan  - establish ISMS policy, objectives, 
processes and procedures relevant to manag-
ing risk and improving information security 
to deliver results in accordance with organi-
zation’s mission and objectives. 
Do - Implement and operate the ISMS pol-
icy, controls, processes and procedures, fol-
lowing the best practice approach. 
Check - Assess and measure process perform-
ance (if applicable) against ISMS policy, ob-
jectives and practical experience and report the 
results to management for review. 
Act - Take corrective and preventive actions, 
based on the results of the internal ISMS au-
dit and management review or other relevant 
information, to achieve continual improve-
ment of the ISMS. 
 
 
PDCA model for ISMS 
 
II.  ISMS Audit 
The ISMS audit can be analyzed also dis-
cussing shortly the stages necessary to ac-
complish this.  
Stage 1, gain an understanding of the ISMS 
in the context of the organization’s security 
policy and objectives, approach to risk man-
agement.  
Stage 2 is more complex. We must obtain the 
confirmation that the organization is acting in 
accordance with its own policies, objectives 
and procedures and the ISMS is conform to 
all standard requirements. Next, assessment 
of information security related risks and the 
resulting design of its ISMS. It follows are 
some checking sub stages: checking objec-
tives and targets derived from this process; 
checking performance monitoring, measur-
ing, reporting and reviewing against the ob-
jectives and targets; checking management 
responsibility for the information security 
policy; confirmation that monitoring of the 
informatics systems is reviewed and a follow 
up is made for unusual actions; checking that 
the organization is aware of the IT environ-
ment importance; and checking the following 
issues to see how is the organization pre-
pared:  
-  Does the organization ensure that the IT 
is part of the organization strategies? 
-  Is the IT department formally organized, 
and able to maintain the appropriate segrega-
tion of duties while also providing continuity 
of key IT functions? 
-  Is the organization able to keep their key 
employees? 
-  How is the organization able to continue 
their activity in the case of IT disruption or Revista Informatica Economică, nr. 4 (44)/2007  114 
lost of key employees? 
Stage 3, review of the network diagram to 
see how is the organization  prepared against 
external attacks (i.e. antivirus program, fire-
wall) and review the IT organizational struc-
ture to see if appropriate segregation of du-
ties is maintained. 
Stage  4, refers to application. Review the 
process of implementing changes on the ap-
plication. Review backups procedures, anti-
virus and other security systems used in the 
organization. Review the access on the net-
work and on the application to see if an ap-
propriate password policy is being imple-
mented. Review the user access rights, ac-
cording to their needs. 
Stage 5, test of controls for the controls iden-
tified as being automated/semi-automated / 
manual. 
 
III. Conclusion 
The importance of ISMS continues to grow 
as the tolerable disruption for the IT systems 
tends to become very critical, in this envi-
ronment the companies that are not conscious 
about the importance of the IT environment, 
that do not have an IT strategy developed and 
integrated with the company long term and 
short term strategy, can loose in the battle 
with the competition. 
 
References 
1. [GHS 04] Tim Grance, Joan Hash, Marc 
Stevens – Security Considerations in the In-
formation System Development Life Cycle, 
NIST Gaithensburg, MD 20899-8930, USA, 
2004; 
2. [TRS 06] Traian Surcel, Auditul şi man-
agementul sistemelor informatice, The Pre-
ceedings of The 2006 International Confer-
ence on Commerce, Bucureşti, 2006, ISBN  
10-73-594-785-4; 
3. [TSMS 05]  Tr. Surcel , M.Stoica - 
Reasearch Areas in Data Warehouse Systems 
Audit”,  în Revista  Economy Informatics vol 
V, nr. 1-4 / 2005, ISSN 1582-7941; 
4. SR ISO/CEI 17799 Tehnologia informaţiei 
Cod de practică pentru managementul secu-
rităţii informaţiei , ASRO  2004 Indice de 
clasificare X 22   
 

[TRS 06] Traian Surcel, Auditul şi managementul sistemelor informatice,

17799 Tehnologia informaţiei Cod de practică pentru managementul securităţii informaţiei , ASRO

Surcel , M.Stoica -Reasearch Areas in Data Warehouse Systems Audit”, în Revista Economy Informatics vol V,

The Information Security Management System, Development and Audit

http://www.revistaie.ase.ro/content/44/23%20surcel.pdf

The Information Security Management System, Development and Audit

Abstract

Similar works

Full text

Available Versions

Research Papers in Economics