Initial approach and considerations for implementing an Information Security Management System (ISMS).
By Global Trust Association
17 June, 2019 | 20:06hrs
Implementing an information security management system based on ISO/IEC 27001 requires, first of all, a strong commitment from the company's executives, together with the support of its main leaders, so that the initiative is clearly tied to a recognised need and so that it is simpler to develop guidelines and policies that apply at all levels of the company. Communication is an important part of this and cannot be left aside; a comprehensive communication strategy will therefore be necessary.
Once this commitment has been secured, the remaining implementation aspects may be addressed through the Deming Cycle (Plan-Do-Check-Act, PDCA), which is the basis on which most ISO management system standards are built. This approach organizes the planning, execution, monitoring and control, and improvement of the information security management system in a logical sequence, while at the same time aligning each of these points with the requirements of ISO/IEC 27001 if certification against this standard is later to be sought.
Accordingly, the aspects to be addressed would be: the analysis of the organization's context and its stakeholders, in order to understand and document the current situation, the needs and the main requirements; the definition of the scope; the strategy and planning; and the definition of the general framework and the formalization of the risk management methodology to be used within information security management. Next, other components may be addressed, such as formalizing the policy, defining information security objectives, defining roles, competencies and responsibilities, and establishing the management framework and document control for the documents and records to be produced for the management system. Together, these aspects form the initial basis for a comprehensive deployment of an information security management system.