
Information Security Management System (ISMS)

ASSIGNMENT # 1
Submitted By: Furqan Ali.
Submitted To: Ch Waqas Ahmed.

Contents
LO1
  P1: What is an Information Security Management System (ISMS)?
  Fundamental principles of ISMS
  There are three critical principles of ISMS
    Confidentiality
    Integrity
    Availability
  Fundamental principles of ISMS in relation to ISO 27001:2013
  Relevance of ISMS Policy for an Organization
  M1: Evaluating the benefits of an ISMS to Sovereign Technologies
LO2
  P2: Processes & Procedures for Establishing and Maintaining an ISMS
  M2
  D1: Critical Analysis of the Steps Required to Establish and Maintain an ISMS in the Context of an Example Organization
Bibliography

LO1:

P1: What is an Information Security Management System (ISMS)?
An organization implements ISMS procedures, guidelines, and protocols to protect sensitive data and prevent unauthorized access or destruction.
The collection of ISMS guidelines protects critical information assets and other sensitive resources that belong to an organization. When an organization implements an ISMS, it significantly reduces the risk of data breaches, limits its liability in case of a breach, and reduces the effect of any security incidents.

Fundamental principles of ISMS.

• Every organization has its own critical and essential data relating to its business and employees, which it wants to be secured from every threat, hack, or bug.
• Therefore, implementing an Information Security Management System that includes a security policy is the best approach to help an organization manage its information security.

There are three critical principles of ISMS:

• Confidentiality.
• Integrity.
• Availability.

Confidentiality:
Confidentiality is the first critical principle of ISMS. It is essential to an ISMS that unauthorized access, use, disclosure, or destruction of sensitive information is blocked. This category of information includes trade secrets, financial data, and personal information crucial to a business's operation and reputation. For example, in a hypothetical scenario, a large firm that manages private client information, such as credit card numbers or medical records, must protect it from prying eyes and make it accessible only to authorized individuals. Several methods, such as access restrictions, data encryption, and staff awareness training, can be used to achieve this.

Integrity:
Integrity is a crucial feature of Information Security Management Systems (ISMS) that ensures sensitive data is not modified or removed without authorization. This may include financial transactions, client records, and other information necessary to a firm's operation. To secure its data from unauthorized change or destruction, a small firm that handles financial transactions must use access limits, backups, and security methods such as digital signatures or checksums. These approaches must be validated and examined regularly to ensure their effectiveness and identify weaknesses. Any firm dealing with sensitive data must protect it to ensure its integrity and security.
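As an added illustration of the checksum and digital-signature methods mentioned above (example code written for this page, not part of the original assignment and not Sovereign Technologies' or CrypTech's method), the Python block below seals each financial transaction record with an HMAC when it is written and re-verifies the records later. The record contents, the key, and all function and variable names are constructed assumptions. A keyed MAC is used rather than a plain checksum because a checksum stored beside the data can be recomputed by whoever altered the data, so on its own it only catches accidental corruption.

```python
import hashlib
import hmac
import json

# Constructed sample transaction records (not taken from the original document).
RECORDS = [
    {"txn_id": "T-1001", "account": "ACC-42", "amount_cents": 125000, "currency": "PKR"},
    {"txn_id": "T-1002", "account": "ACC-17", "amount_cents": 9900, "currency": "PKR"},
]

# Hypothetical key for the example. In a real deployment the key lives in a key store
# or HSM and is never embedded in source code.
INTEGRITY_KEY = b"example-integrity-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always gives identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def mac(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed integrity tag: anyone without the key cannot produce a valid tag for altered data."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(records, key: bytes = INTEGRITY_KEY):
    """Attach a tag to a copy of each record at write time."""
    return [{"record": dict(r), "tag": mac(r, key)} for r in records]


def verify(sealed, key: bytes = INTEGRITY_KEY):
    """Return the txn_ids whose content no longer matches the stored tag."""
    bad = []
    for entry in sealed:
        expected = mac(entry["record"], key)
        # compare_digest avoids leaking information through comparison timing
        if not hmac.compare_digest(expected, entry["tag"]):
            bad.append(entry["record"]["txn_id"])
    return bad


def tamper_demo():
    """Seal the records, then simulate an unauthorized change to one amount and re-verify."""
    sealed = seal(RECORDS)
    sealed[0]["record"]["amount_cents"] = 1250000  # ten times the original amount
    return verify(sealed)


if __name__ == "__main__":
    print("tampered records detected:", tamper_demo())  # ['T-1001']
```

Verification with a different key fails for every record, which is the intended behaviour: the tag binds the content to the key, not just to itself. Where the party that verifies must not be able to produce tags (for example an external auditor), a digital signature with an asymmetric key pair takes the place of the HMAC.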

Availability:
The availability of sensitive information in the context of ISMS refers to keeping it available and accessible to authorized users. It is critical for organizations that rely on IT systems to function because it guarantees that systems and data are constantly accessible to authorized employees. Redundancy, backups, disaster recovery plans, access restrictions, firewalls, and intrusion detection systems can help businesses achieve this. These procedures must also be tested and monitored regularly to uncover any weaknesses. It is vital to safeguard availability to guarantee business continuity and avoid disruptions to critical activities.

Fundamental principles of ISMS in relation to ISO 27001:2013.


• Risk assessment:
Assessment of information risk. This clause mandates that an organization establish and maintain an information security risk assessment process that includes risk acceptance criteria and criteria for performing assessments. The clause further states that repeated assessments must produce consistent, valid, and comparable results (clearly identifying the approach used).
Organizations must then use this assessment process to identify risks related to the confidentiality, integrity, and availability (CIA) of information assets within the established scope of the ISMS.

• Management commitment:
This clause identifies specific aspects of the management system where top management is expected to demonstrate leadership and commitment. These include, but are not limited to:
  • Accountability for the effectiveness of the management system;
  • Ensuring the policy and objectives are established and are compatible with the context and strategic direction of the organization;
  • Ensuring the requirements of the management system are integrated into business processes;
  • Promoting the use of the process approach and risk-based thinking;
  • Ensuring adequate resources are in place;
  • Ensuring the management system achieves its intended results;
  • Engaging, directing, and supporting persons to contribute to the management system's effectiveness.

• Continuous improvement:
A large part of running an information security management system is to see it as a living and breathing system. Organizations that take improvement seriously will be assessing, testing, reviewing, and measuring the performance of the ISMS as part of the broader business-led strategy, going beyond a 'tick box' regime.
There are several mechanisms already covered within ISO 27001 for the continual evaluation and improvement of the ISMS, including:
  • Risk assessment and treatment – ongoing
  • Objectives monitoring, measurement, and evaluation – ongoing
  • Internal audits – ongoing
  • Management reviews – ongoing
  • Nonconformities and corrective actions – ongoing
• Internal controls:
Businesses must develop and maintain proper internal controls to keep track of and respond correctly to the multiplicity of information security hazards their organizations face.
• Compliance:
The objective is to avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security and any security requirements. This is an essential part of the information security management system (ISMS).
• Documentation:
The ISMS should include essential documentation in the form of policies, processes, and records to back it up.
• Communication:
Organizations must create effective communication channels to ensure all essential stakeholders understand their roles in deploying and maintaining the information security management system (ISMS).
• Asset management:
An effective asset management process is necessary for systematically cataloging, categorizing, and managing an organization's information assets and assuring those assets' security.

Relevance of ISMS Policy for an Organization

An ISMS (Information Security Management System) policy is highly relevant for any organization in today's digital age. Here are some of the reasons why:
Risk Management:
An ISMS policy provides a risk management framework that helps the organization to
identify and assess risks to its information assets and implement measures to reduce those
risks.

Compliance:
An ISMS policy helps the organization to comply with legal and regulatory requirements
related to information security, such as the General Data Protection Regulation (GDPR) or
the Health Insurance Portability and Accountability Act (HIPAA).

Increased Security:
An ISMS policy establishes a set of security controls that can help to reduce the likelihood and impact of security incidents, such as data breaches.

Improved Business Continuity:


An ISMS policy helps to ensure that critical business processes can continue in the event of
a security incident or other disruption.

Improved Reputation:
An ISMS policy helps to demonstrate to customers, partners, and other stakeholders that the
organization takes information security seriously.

Increased Efficiency:
An ISMS policy provides a framework for the efficient management of information security,
reducing duplication of effort and ensuring that resources are allocated effectively.

Cost Savings:
An ISMS policy can help to reduce the costs associated with security incidents, such as data
breaches, by identifying and addressing risks before they materialize.

Continuous Improvement:
An ISMS policy provides a mechanism for ongoing review and improvement of the
organization's information security practices.

Improved Communication:
An ISMS policy helps to facilitate communication about information security issues and
practices across the organization, increasing awareness and understanding of security risks
and controls.

Competitive Advantage:
An ISMS policy can provide a competitive advantage by demonstrating to customers and
partners that the organization takes information security seriously and has a robust approach
to managing it.

Implementing an ISMS will help Sovereign Technologies identify and manage information
security risks and build appropriate controls to protect sensitive data and satisfy ISO 27001
certification standards. A staff awareness and training session would also help them
understand the importance of information security and their role in protecting sensitive
information. This ensures that all employees know the potential hazards and dangers
associated with their jobs and are prepared to respond appropriately in emergencies.

M1: Evaluating the benefits of an ISMS to Sovereign Technologies

The following section discusses some of the advantages an ISMS may provide to an organization such as Sovereign Technologies.

1. Protection of Sensitive Information:
An ISMS helps in securing confidential data related to Sovereign Technologies' systems from unauthorized access or modification.

2. Enhanced Risk Management:
By implementing an ISMS, Sovereign Technologies can effectively identify and manage security risks, which helps reduce the possibility of data breaches and minimize their impact.

3. Regulatory Compliance:
An ISMS provides guidelines and standards for maintaining compliance with industry regulations, thereby ensuring that Sovereign Technologies' systems meet legal and regulatory requirements.

4. Improved Incident Response:
With a well-defined incident response plan, an ISMS can help Sovereign Technologies respond quickly and effectively to any security incident.

5. Continuous Monitoring:
An ISMS allows Sovereign Technologies to conduct regular vulnerability assessments and continuous monitoring to identify and mitigate potential security threats.

6. Increased Resilience:
By implementing an ISMS, Sovereign Technologies can improve its resilience to cyber-attacks and ensure that it can continue to operate in the face of disruptions.

7. Cost-Effective Security:
An ISMS helps in optimizing the use of resources for securing Sovereign Technologies' systems, making it a cost-effective approach.

8. Increased Trust:
An ISMS provides a framework for implementing effective security measures, which can help build trust with stakeholders and partners who rely on Sovereign Technologies' systems.

9. Improved Performance:
By reducing security risks and vulnerabilities, an ISMS can improve the performance of Sovereign Technologies' systems, making them more efficient and effective.

10. Better Decision Making:
By providing relevant data and insights on security risks, an ISMS can help in making better-informed decisions related to security and risk management.

11. Competitive Advantage:
By implementing an ISMS, Sovereign Technologies can differentiate itself from competitors by demonstrating its commitment to security and compliance.

12. Continuous Improvement:
An ISMS emphasizes continuous improvement in security practices, which ensures that Sovereign Technologies' systems can adapt to evolving security threats and maintain a high level of protection over time.

LO2
P2: Processes & Procedures for Establishing and Maintaining an ISMS
An Information Security Management System (ISMS) is a framework that helps organizations protect their confidential data and information systems from cyber threats. Implementing and maintaining an ISMS is crucial to any organization's security strategy. Here is a critical assessment of how an organization can implement and maintain an ISMS:

• Define the Scope:
At this stage, the scope of the ISMS is decided based on the business objectives, risk tolerance, and criticality of information assets. The scope is then specified, which includes the ISMS boundaries, organizational units, and covered assets.

• Perform a Risk Assessment:
A risk assessment is carried out to detect possible threats and vulnerabilities to the organization's information assets. The evaluation is the basis for developing security controls and risk management methods.

• Develop Security Controls:
Security controls are designed to mitigate the risks identified in the risk assessment. Controls can be technological or administrative and aim to lower the likelihood or severity of a security breach.

• Implement Security Controls:
Security safeguards are built into the organization's systems and operations. This might include setting up systems, installing software, and training employees on how to use the controls.

• Monitor and Measure Effectiveness:
Regular evaluations and audits are used to monitor and assess security measures. This ensures that the controls continue to function properly and that any defects are identified and rectified as soon as possible.

• Implement Training and Awareness:
Employees are trained and informed on ISMS principles and processes and how to apply security controls. This ensures that staff understand their roles and how to protect the organization's information assets.

• Establish an Incident Response Plan:
To address possible security incidents, an incident response plan is designed. The plan includes methods for quickly recognizing, reporting, and responding to incidents.

• Conduct Regular Testing:
The ISMS is regularly tested to verify that it is functioning effectively and that staff are aware of their responsibilities. Testing includes security incident simulations and frequent security audits.

• Maintain and Update:
The ISMS is regularly updated to reflect changes in the organization's business goals, risk profile, and technological environment. This assures the ISMS's relevance and effectiveness over time.

• Seek Certification:
The firm may pursue ISO 27001:2013 certification for its ISMS. An external audit is necessary to determine whether the ISMS meets the standard's requirements. Certification assures stakeholders that the organization has a strong and effective ISMS in place.

M2:
To secure the organization's information assets from potential risks and threats, an Information Security Management System (ISMS) must be built in a methodical and complete manner. CrypTech was contracted by Sovereign Technologies to build and deploy an ISMS to obtain ISO 27001 certification. The following steps put an ISMS into action in the real world:

1. Establish Business Need:
• CrypTech must fully understand Sovereign Technologies' operational procedures, risks, and key resources before developing an ISMS.
• With CrypTech's help, Sovereign Technologies can better identify the ISMS requirements that go along with its overarching business goals.

2. Define the Scope and Objectives:
The first stage in creating an ISMS is determining the scope and objectives of the project. In this case, CrypTech must work with Sovereign Technologies to understand current information security practices and identify areas for improvement. The project scope should be expressly stated to guarantee that the ISMS deployment encompasses all important sectors of the enterprise. The project's objectives should be congruent with the business goals of Sovereign Technologies and ISO 27001.
3. Conduct a Gap Analysis:
The next stage is conducting a gap analysis to identify discrepancies between existing information security practices and ISO 27001 requirements. This comprises evaluating current policies, processes, and controls and comparing them to the criteria of the ISO 27001 standard. The gap analysis will help CrypTech identify areas for improvement and design an ISMS framework that meets the specific needs of Sovereign Technologies.
4. Develop an ISMS Framework:
Based on the gap analysis results, CrypTech may create an ISMS framework to fix the identified gaps and achieve ISO 27001 compliance. The framework should incorporate policies, processes, and controls that are suited to the unique needs of Sovereign Technologies. The framework should be developed to safeguard information assets from potential risks and threats while ensuring that the firm complies with ISO 27001 requirements.
5. Raise Awareness and Provide Training:
Before implementing the ISMS framework, educating and training employees is vital. This involves educating employees on the significance of information security and their role in safeguarding sensitive data. CrypTech must provide training sessions tailored to each department's needs and incorporate real-world examples and exercises. Raising awareness and giving training may assist in ensuring that staff understand their responsibilities and are wholly committed to putting the ISMS into action.
6. Implement the ISMS Framework:
The next stage is for personnel to apply the ISMS framework. This involves changing policies and processes, implementing controls, and distributing responsibilities to ensure the ISMS is fully operational. CrypTech must ensure that the implementation is done gradually to avoid disrupting day-to-day activities and that the organization can adapt to the changes.
7. Monitor and Review:
Finally, the ISMS must be monitored and revised to ensure that it remains suitable and relevant. This includes conducting regular audits, reviewing policies and procedures, and updating the ISMS architecture to deal with emerging threats and hazards. CrypTech must work with Sovereign Technologies to continually improve the ISMS and adapt to the organization's changing needs.
8. Internal Audits:
• CrypTech will carry out internal audits at Sovereign Technologies to evaluate the success of the Information Security Management System (ISMS) implementation and adherence to all corporate policies and procedures.
• CrypTech will advise on how to improve the ISMS and fix any issues that arise.

9. Achieving ISO 27001:2013 Certification:
• The business is attempting to obtain ISO 27001 certification. CrypTech will assist Sovereign Technologies in preparing for ISO 27001 certification once the ISMS has been put into place and all necessary adjustments have been made.
• Working with a certification body to conduct an external audit and verify that the business's information security management system conforms with the ISO 27001 standard is a crucial stage in the procedure.

10. Technical Documentation:
Documentation that CrypTech will produce during the process includes:
• Risk assessment report: Sovereign Technologies' assets, threats, vulnerabilities, and the potential consequences of information security incidents are all thoroughly examined in the risk assessment report.
• Information security policy: a written description of the steps the organization takes to protect sensitive data, as well as the responsibilities of staff.
• Information security management plan: Sovereign Technologies' plan lays out the steps it will take to safeguard its data.
• Training materials: details of the materials needed for employee training. CrypTech will provide educational materials to help staff members understand the information security policy and management approach.
• Internal audit reports: documentation of the internal assessments CrypTech made on the implementation and observance of the ISMS's policies and procedures.
• ISO 27001 certification report: a thorough summary of the third-party certification body's audit of Sovereign Technologies' information security management system.

D1: Critical Analysis of the Steps Required to Establish and Maintain an ISMS in the Context of an Example Organization
Step 1: Define the scope of the ISMS

1. Sovereign Technology's first business item is to assess its existing Information Security Management System (ISMS) capabilities.
2. A list of the assets that must be protected, the business operations that rely on them, and the stakeholders involved in those activities is created.
3. The ISMS would have to be tailored to satisfy the requirements of Sovereign Technology.

Step 2: Conduct a risk assessment

1. The analyst must conduct a risk assessment to determine the severity of potential threats
to the information security of Sovereign Technology.
2. To achieve the goal, it is necessary to study the potential risks the organization may face,
determine the severity of these risks, and estimate the possibility that these risks will
become a reality.
3. Sovereign Technology should develop a risk management plan to decrease risks.
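The ISO 27001 risk-assessment requirement described under the fundamental principles above (agreed criteria, risk acceptance criteria, and risks tied to confidentiality, integrity, and availability) and the likelihood-and-severity assessment of Step 2 can be made concrete with a small risk register. The Python block below is an added example written for this page; it is not the assignment's, Sovereign Technology's, or CrypTech's own method. The 1–5 scales, the acceptance threshold of 8, the sample risks, and the treatment plan are all constructed assumptions, as are the function names.

```python
from dataclasses import dataclass, replace

# Assumed scales and acceptance criteria. ISO 27001 requires the organization to define its
# own criteria and apply them consistently so that repeated assessments are comparable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8  # a risk scoring at or below this may be retained without treatment


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    cia: str          # which property is threatened: "C", "I" or "A"
    likelihood: str   # a key of LIKELIHOOD
    impact: str       # a key of IMPACT


def score(risk: Risk) -> int:
    """Risk level = likelihood x impact on the agreed scales (the same formula for every risk)."""
    if risk.cia not in ("C", "I", "A"):
        raise ValueError(f"unknown CIA property {risk.cia!r}")
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def decision(risk: Risk) -> str:
    """Apply the acceptance criteria: retain, treat, or treat with high priority."""
    s = score(risk)
    if s <= ACCEPTANCE_THRESHOLD:
        return "retain"
    return "treat (high priority)" if s >= 15 else "treat"


def register(risks):
    """Risk register rows (score, asset, threat, CIA, decision), highest score first."""
    rows = [(score(r), r.asset, r.threat, r.cia, decision(r)) for r in risks]
    return sorted(rows, key=lambda row: (-row[0], row[1]))


def unacceptable(risks):
    """Risks that exceed the acceptance threshold and therefore need a treatment plan."""
    return [r for r in risks if score(r) > ACCEPTANCE_THRESHOLD]


def residual(risk: Risk, likelihood=None, impact=None) -> Risk:
    """Re-assess a risk after a control is applied, on the same scales so results stay comparable."""
    return replace(risk, likelihood=likelihood or risk.likelihood, impact=impact or risk.impact)


# Constructed sample risks for a fictional firm.
RISKS = [
    Risk("Customer database", "ransomware", "unpatched servers", "A", "likely", "severe"),
    Risk("Financial records", "insider modification", "no change logging", "I", "possible", "major"),
    Risk("Public website", "defacement", "weak admin password", "I", "possible", "minor"),
    Risk("Cardholder data", "credential phishing", "no multi-factor authentication", "C", "likely", "severe"),
]

# Constructed treatment plan: threat -> (control, residual likelihood, residual impact).
PLAN = {
    "ransomware": ("patch management plus offline backups", "unlikely", "moderate"),
    "insider modification": ("change logging and dual approval", "unlikely", "major"),
    "credential phishing": ("multi-factor authentication and awareness training", "unlikely", "severe"),
}


def treatment_plan(risks=RISKS, plan=PLAN):
    """For each unacceptable risk: (initial score, residual score, residual decision).
    A residual score still above the threshold shows the planned control is not enough on its own."""
    result = {}
    for r in unacceptable(risks):
        _control, lk, im = plan[r.threat]
        res = residual(r, lk, im)
        result[r.threat] = (score(r), score(res), decision(res))
    return result


if __name__ == "__main__":
    for row in register(RISKS):
        print(row)
    print(treatment_plan())
```

The point of keeping the scales and the formula in one place is the "consistent, valid, and comparable results" requirement: every risk, before and after treatment, is scored the same way, so the register can be re-run at each review and compared with the previous one. In the sample data the phishing risk stays above the threshold even after its planned control, which is exactly the case a review should flag for further treatment rather than quietly accept.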

Step 3: Develop an information security policy

1. Sovereign Technology is responsible for developing the information security policy's aims, scope, and structure.
2. The policy should include objectives for information security, designated roles, and
standard operating procedures for data administration and protection.
3. Employees, independent contractors, and outside vendors should all be able to
comprehend the policy quickly.

Step 4: Implement controls to manage risks

1. Sovereign Technology must build effective control methods after recognizing and analyzing potential dangers.
2. As part of the rollout, controls for both internal operations and external service providers would be required.
3. Frequent assessments and upgrades in compliance with Sovereign Technology's requirements are necessary to ensure the efficacy of the controls.

Step 5: Monitor and review the ISMS

1. Routine performance reviews of the ISMS are required for Sovereign Technology to guarantee that it performs as planned.
2. Any necessary changes must be made to ensure it continues performing properly. These duties include:
a. Conducting internal audits.
b. Management reviews.
c. Regular control testing and assessment.
3. Metrics may be used to assess the effectiveness of Sovereign Technology's ISMS.

Step 6: Regulatory compliance

1. To ensure that Sovereign Technology remains a reliable provider of information security, the company must abide by all applicable laws, rules, and agreements.
2. Municipal and national legislation and regulations protecting data privacy, intellectual property, and computer security, for example:
i. Pakistan Electronic Crimes Act, 2016.
ii. Data Protection Act, 2021.
iii. Payment Systems and Electronic Fund Transfers Act, 2007.
iv. Federal Trade Commission Act (USA) (Impreva, n.d.).
v. Health Insurance Portability and Accountability Act (HIPAA) (USA) (Impreva, n.d.).
3. To remain compliant with the ever-changing legal and regulatory landscape, Sovereign Technology's information security management system (ISMS) must be regularly updated.

Step 7: Providing Employee Awareness

1. Sovereign Technology must provide awareness and training to ensure that all workers, particularly those with information security responsibilities, know their responsibilities:
i. employees,
ii. contractors, and
iii. third-party service providers.
2. An essential part of this would be education on proper security measures and methods for storing personal information.
3. Frequent training sessions are required to ensure that all staff understand the importance of information security and their roles in securing the firm.

Bibliography
https://www.isms.online/?s=management+commitment+in+isms
https://preteshbiswas.com/2019/08/01/iso-270012013-clause-5-leadership/
