by The Open University
An ISMS is defined in Clause 3.4 of Part 2 of the Standard as a ‘management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security’.
Some organisations will want to protect all of their information assets. Others, depending on the business risks and other hazards they face, may want to consider an ISMS that protects only some of them. Examples of organisational units that might need protecting include research and development, payroll, databases and, given their increasing importance and vulnerability, any online operations.
As you have seen, this decision on which areas to protect (the question of context and scope) launches the ISMS planning process. By defining the scope of the ISMS (which parts of the organisation need its protection), the information assets that need protecting begin to become visible. Defining the context of the ISMS (the business, physical, legal, regulatory and other relationships that the protected areas hold to the remainder of the organisation and to the rest of the world) sheds light on the threats that they must be protected against.
The definitions of the scope and context of the ISMS are recorded in the information security policy.
Study Reading 4 (linked below), an extract from Clause 3.1 of Part 1 of the Standard, and the sections of Chapter 5 of IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 17799 (the Set Book) entitled ‘Information security policy’ and ‘A policy statement’.
(a) Describe the personnel who should be involved in the development of an information security policy. Whom should the policy cover?
(b) Describe the possible scopes of an ISMS, and relate these to your organisation.
(c) Consider the role of an ISMS in protecting a collection of information assets, and explain how the scope of the ISMS relates to the shareability regions of the assets in such a collection.
(d) Apply the initial policy statement given on pages 64–65 of the Set Book to your own organisation. What can you say at this stage about items (a) and (d)–(f) listed on page 65? (Item (b) is studied in the next section and (c) is outside of the scope of this unit.)
Chapter 5 of the Set Book describes Stages 1 and 2 of the ISMS planning process in detail, with references to clauses of the Standard. You are not expected to look up the references to these clauses, or to other chapters of the Set Book, as part of this activity.
The reference to ‘17799’ on pages 62 and 65 of the Set Book should of course be to ‘ISO 17799’, while nearby on both pages ‘the standard’ refers to Part 2 of the Standard. The unattributed definition of information at the foot of page 62 comes from the Introduction to Part 1 of the Standard.
(a) The Set Book identifies the following people as being involved in developing an information security policy: the manager charged with leading the ISMS implementation; the board and management of the organisation; the management information security forum.
The policy should cover all employees in the organisation, or relevant part of the organisation, and may also apply to ‘customers, suppliers, shareholders and other third parties’ (Set Book, p. 61); in fact, all those identified in the context of the policy.
(b) The Set Book states that the scope of an ISMS could be determined ‘on the basis of corporate [organisational], divisional or management structure, or on the basis of geographic location’ (p. 61). It also states (pp. 61–62) that a policy that encompasses all of the activities of a functional unit is easier to implement than one that applies only to a part.
Applying these ideas to the case of the Open University, we might consider a number of alternative scopes, determined:
by geographic location: the ISMS would apply, for example, to a single regional office, or to the central campus;
by management structure: the ISMS would apply, for example, to all academic units, or to all IT functions;
by organisational structure: the ISMS would apply, for example, to an individual faculty, to student services, to IT support, etc.;
by organisation: the ISMS would apply to the whole of the OU.
(c) For a collection of information assets, each of which has its own shareability region, the scope of the ISMS should be larger than, or at least coincident with, the union of the shareability regions of the assets.
(d) For the Open University, the initial policy statement might read:
The Senate and management of the Open University are committed to preserving the confidentiality, integrity and availability of all the information assets of the organisation in order to maintain its competitive advantage, legal and contractual compliance, image, and reputation. All employees of the organisation are required to comply with this policy and with the ISMS that implements this policy. Certain third parties, defined in the ISMS, will also be required to comply with it. This policy will be reviewed when necessary, and at least annually.
Item (a) would require a statement on the structures and roles relating to the ISMS, as summarised in Subsection 5.3.
The following simple statement covers items (d), (e) and (f) in the case of the Open University:
The Senate and management of the Open University are committed to the inclusion of information security in the University's mission and business objectives, and to the continuous improvement of information security provisions as the business environment changes. All staff will receive security awareness training appropriate to their role. The University is committed to comply with, and achieve certification to, BS 7799.
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).