

HOW TO IMPLEMENT A ROBUST INFORMATION SECURITY MANAGEMENT SYSTEM?

An Information Security Management System (ISMS) involves implementing and maintaining processes to efficiently manage the protection of information and, in doing so, ensuring its integrity, confidentiality and availability. You may implement guidelines set out in ISO 27001, COBIT, NIST or in any other similar framework, or you may even create your own management system. What matters in order to make the ISMS efficient is to consider all the factors of the cycle below.

1. PLAN AND ESTABLISH THE ISMS

Define the steps to follow and the assets to be protected, and how and who will be in charge. This stage requires that the following be established:

• Those responsible for security
• Critical processes to protect and their scope
• Information security policies
• Resources needed for operation, maintenance and improvement

2. IMPLEMENT AND MANAGE

Put in place all controls established during planning and manage security as part of daily operations.

• Qualitative and quantitative evaluation of risks
• Risk treatment
  o Mitigate
  o Eliminate
  o Transfer
  o Accept
• Application of security controls
  o Technical
  o Physical
  o Administrative
• Security management plans
  o DRP (disaster recovery plan)
  o BCP (business continuity plan)
  o IRP (incident response plan)
• Awareness campaigns
• Definition of control metrics

3. MONITOR AND MEASURE

Check that the measures in place function correctly, and measure the success of management against the parameters set in advance.

• Security audits
  o Review of compliance with standards
  o Assessment of vulnerabilities
  o Penetration tests
  o Gap analysis
  o Maturity levels
• Review of the ISMS against its metrics

4. MAINTAIN AND IMPROVE

Once the obtained results are verified and measured, improvements – which are to be planned, set in motion and reviewed – must be fed back into the process.

• Treatment of non-conformities: address non-compliance
• Corrective actions for permanent improvement

www.eset.com | www.welivesecurity.com