Information Security Management plays a key role in Service Management. It must align with IT security and business security so that information security across the organisation is controlled and managed consistently.
The Information Security Management process includes:
- A policy
- An Information Security Management System (ISMS)
- Structure and controls
- Risk Management
- Communication strategy
Industry standards can be used to improve Information Security, such as ISO 27001, an international standard made up of five elements.
There are various activities that Information Security Management should include:
- Operation, maintenance and distribution of the Information Security Management policy. This ensures that all staff (internal and external) are aware of and adhere to the policy.
- Communication, implementation and enforcement of policies
- Assessment of Management Information
- Documenting and subsequent implementation of controls that support the process
- Monitoring and managing any breaches or incidents associated with Information Security Management
- Proactive improvement of the process
This process is an ongoing activity: the Information Security Manager must recognise that information security is not confined to a single stage of the lifecycle and cannot be guaranteed by technology alone.
There are four key elements which can assist, each supported by evaluation and reporting:
- Prevention and reduction
- Detection and repression
- Correction and recovery
- Bringing the situation under control and learning from experience