Overview
Français
ABSTRACT
At the end of the 1990s the British Standards Institution published a document specifying the requirements for the implementation of the Information System Management of Security (ISMS). This document has now become the series of ISO 27000 standards. It is based on a set of definitions, recommendations, and safety requirements. These standards can be applied to the security information system as well as to specific areas. The ISMS provides guarantees on the company's ability to control costs and priorities in terms of investment and budget policies concerning business challenges and security risks.
Read this article from a comprehensive knowledge base, updated and supplemented with articles reviewed by scientific committees.
Read the articleAUTHOR
-
Gilles TENEAU: Doctorate in management science, associate researcher at LEMNA (University of Nantes), professor at CNAM IDF and ESC Amiens, President of the research center for organizational resilience, ITIL Accredited Trainer.
INTRODUCTION
Since the early 2000s, the ISO 27000 family of standards (information systems security) has been growing steadily. It seeks to answer the questions that CISOs (information systems security managers) may ask themselves:
how to audit IS security : ISO 27001 ;
how to build an ISMS (Information Security Management System) : ISO 27003 ;
how to manage risk : ISO 27005 ;
how to manage business continuity following a disaster : ISO 27031 ;
how to manage security incidents : ISO 27035 .
From the point of view of Sylvain Laborde, ISO 27001 auditor, a project to implement security management is a cross-functional project; while the IT department is, in fact, involved, several other departments may also be impacted. The project concerns the entire hierarchy of the organization. The success of the project depends essentially on the involvement of all the people concerned in the company, from top management downwards.
A project to implement information systems security follows the logic of the Deming wheel. The PLAN phase, which involves setting objectives, is made up of four main stages: definition of scope and policy, risk assessment, risk treatment, selection of security measures. A DO phase, comprising the following steps: planning risk treatment, generating meaningful indicators, training and raising staff awareness, day-to-day management of the ISMS, incident detection and response. The ISO 2700x suite of standards calls for the implementation of control measures: this is the CHECK phase (based on audits, controls and reviews). If deviations from objectives are detected, the ACT phase will enable corrective, preventive and improvement actions to be taken.
The implementation of a safety management system guarantees the adoption of best practices and increased reliability, while certification by an independent body ensures the confidence of the company's stakeholders (customers, suppliers, shareholders, banks, authorities, etc.). The ISO 27000 series is currently being finalized, and enjoys unanimous international support. This standard is beginning to interest more and more French entrepreneurs, not only because of its normative nature, but also because it is complementary to another standard...
The Ultimate Scientific and Technical Reference
KEYWORDS
security of informations systems | industry | ISMS | bank | public services | quality | risk
CAN BE ALSO FOUND IN:
Home IT Security of information systems Standards ISO 2700x - Towards the governance of the security of information systems
Home Environment - Safety Environment Standards ISO 2700x - Towards the governance of the security of information systems
Home Industrial engineering Industry of the future Standards ISO 2700x - Towards the governance of the security of information systems
Home IT Software technologies and System architectures Standards ISO 2700x - Towards the governance of the security of information systems
This article is included in
Safety and risk management
This offer includes:
Knowledge Base
Updated and enriched with articles validated by our scientific committees
Services
A set of exclusive tools to complement the resources
Practical Path
Operational and didactic, to guarantee the acquisition of transversal skills
Doc & Quiz
Interactive articles with quizzes, for constructive reading
ISO 2700x standards: towards information systems security governance
Information and information security management systems
Bibliography
Websites
...Standards and norms
- Lignes directrices pour l'audit des systèmes de management de la qualité et/ou de management environnemental. - NF EN ISO 19011 - 2011
- Information Technology – Safety technology – Information security management systems – Overview and vocabulary. - ISO/IEC 27000 - 2018
- Information Technology – Safety technology – Information security management systems – Requirements - ISO/IEC 27001 - 2013
- Information...
The Ultimate Scientific and Technical Reference
