ISO27001 ISMS

Posted by Schott-DCT on Monday, March 25, 2019

Implementation of ISO27001: The information security management system (ISMS)
To achieve ISO27001 compliance, an ISMS is established - an Information Security Management System.
The term “system” in this context needs some explanation: German natives at least, especially in IT, associate a “system” with a more or less sophisticated piece of machinery, something that could sit on a shelf or in a 19” rack and produce ISO27001 compliance once it is fed with electricity (and probably license tokens).

The Beatles had an answer already: “Can’t buy me love”.
The same is true for ISO27001: compliance cannot be purchased.

The ISO27001 security system is a process, a method, to recognize threats and improve security continuously. It is executed by humans: experts, stakeholders, and the CSO (Chief Security Officer) in charge.

Definition of an ISMS by ISO.org: “An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.”

For argument's sake: it would be possible to implement an ISO27001 compliant ISMS with a team equipped with nothing but pen and paper.

In other words: there is no point in purchasing expensive ISMS software products. The need (and cost) for a human-based process will not go away.

In most implementations, a document management system (DMS) sits at the center of such an ISMS and acts as the central document repository. (Note: this time, “system” does refer to a server plus software.)

For small or medium-sized companies it may well be sufficient to use a wiki (e.g. xWiki: open source, runs on Linux and Windows), providing both documentation and communication between all stakeholders and the relevant audience.

This central document repository can also serve as an integration point for shared use with ISO9001 and ISO22000 management systems in the same company.

More articles about the other steps to achieve ISO27001 compliance are in preparation.


[1] German definition of an IT system
https://de.wikipedia.org/wiki/Informationstechnisches_System
[2] Definition of ISMS by ISO.org
https://www.iso.org/isoiec-27001-information-security.html
[3] xWiki, The Advanced Open Source Enterprise Wiki
https://www.xwiki.org/xwiki/bin/view/Main/WebHome