Expert Advice Community

ISMS vs ISMF

Guest
Guest user Created:   Jul 16, 2019 Last commented:   Oct 05, 2020

Can you tell me what is the difference between an information security management system and an information security management framework?

Expert
Rhand Leal Jul 16, 2019

Answer:

An information security management system (ISMS) is a set of policies and procedures for the systematic protection of information.

An information security management framework (ISMF) consists of a set of standards upon which policies and procedures are built.

For example, ISO 27001 is an example of an ISMS. It requires policies and procedures to be defined according to defined requirements and perceived risks, but does not go into the details of what they have to look like.

On the other hand, the NIST Cyber Security Framework is an example of an ISMF, because it refers to other documents in the NIST SP-800 series on how to implement it.

These articles will provide you with further explanation about ISO 27001 and NIST documents:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/

Expert
Rhand Leal Aug 05, 2020

An information security management framework (ISMF) consists of a set of documents upon which policies and procedures are built, verified, and improved.

On the other hand, CIS controls are a set of guidelines covering 20 controls, lacking aspects of management, like risk management, management review and audit.

Considering that, we can say that CIS controls are not fully an information security management framework, although the Center for Internet Security has already released an information security risk assessment method to help implement CIS Controls, which makes it closer to an information security management framework. In short, CIS is a security framework, but not a security management framework.

Hasan Sep 29, 2020

@Rhand Leal Thank you for your response, but can you elaborate a bit more, with an example perhaps?

Expert
Rhand Leal Oct 02, 2020

While the ISMS is the set of documents, records and practices implemented to systematically protect information security, the ISMF comprises documents that define requirements the ISMS documents, records, and practices must fulfill, or which provide guidance on how to develop them.

For example, the Information security policy, Password management policy, and BCP you mentioned can be considered an example of an ISMS.

Now, ISO 27001, ISO 27002, and ISO 27005 are examples of elements of an ISMF (in this case the ISO 27001 series):

  • ISO 27001 defines requirements for planning, implementation, operation, control, and improvement of information security (e.g., it does not contain policies, procedures, records, or practices, only what they must include, or which objectives must be achieved)
  • ISO 27002 provides guidance on how to implement controls from Annex A (e.g., examples of what you should consider when developing a backup or password policy)
  • ISO 27005 provides guidance on how to implement information security risk assessment and risk treatment (steps and practices to be considered)

Please note that the main difference is that ISO documents cannot be directly used to protect information (they are elements of a framework). You have to use them to develop the policies, procedures, and records that your organization needs to protect information (the elements of a system).

Expert
Rhand Leal Oct 05, 2020

Please note that businesses have different organizational structures, so your focus shouldn't be on departments, but on roles and responsibilities.

Considering that, for ISO 27032 (Guidelines for cybersecurity), the roles responsible for information security, network security, internet security, and critical infrastructure should be trained (normally these roles are in the department which handles Information and Communication Technologies).

About ISO 27035 (Information security incident management), the above-mentioned roles should also be included, now including roles responsible for legal compliance.

For further information, see:
