Assign topic to the user
Answer:
An information security management system (ISMS) is a set of policies and procedures for systematically protection of information.
An information security management framework (ISMF) consist of a set of standards upon which policies and procedures are built.
For example, ISO 27001 is an example of an ISMS. It requires polices and procedures to be defined according defined requirements and perceived risks, but does not enter in the details on how they have to look like.
On the other hand, NIST Cyber Security Framework is an example of ISMF, because it refers to other documents on NIST SP-800 series on how to implement it.
These articles will provide you further explanation about ISO 27001 and NIST documents:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
An information security management framework (ISMF) consist of a set of documents upon which policies and procedures are built, verified, and improved.
On the other hand, CIS controls are a set of guidelines covering 20 controls, lacking aspects of management, like risk management, management review and audit.
Considering that, we can say that CIS controls are not fully information security management framework, although Center for Internet Security already has released an information security risk assessment method to help implement CIS Controls, which makes it closer to an information security management framework. In short, CIS is a security framework, but not security management framework.
@Rhand Leal Thank you for your response but can you elaborate bit more, with an example perhaps.
While the ISMS is the set of documents, records and practices implemented to systematically protect information security, the ISMF comprehends documents that define requirements the ISMS documents, records, and practices must fulfill, or which provides guidance on how to develop them.
For example, the Information security policy, Password management policy, and BCP you mentioned can be considered an example of an ISMS.
Now, ISO 27001, ISO 27002, and ISO 27005 are examples of elements of an ISMF (in this case the ISO 27001 series):
- ISO 27001 defines requirements for planning, implementation, operation, control, and improvement of information security (e.g., it does not contain policies, procedures, records, or practices, only what they must include, or which objectives must be achieved)
- ISO 27002 provides guidance on how to implement controls from Annex A (e.g., examples of what you should consider when developing a backup or password policy)
- ISO 27005 provides guidance on how to implement information security risk assessment and risk treatment (steps and practices to be considered)
Please note that the main difference is that ISO documents cannot be directly used to protect information (they are elements of a framework). You have to use them to develop the policies, procedures, and records that your organization needs to protect information (the elements of a system).
Please note that businesses have different organizational structures, so your focus shouldn't be on departments, but on roles and responsibilities.
Considering that, for ISO 27032 (Guidelines for cybersecurity), the roles responsible for information security, network security, internet security, and critical infrastructure should be trained (normally these roles are in the department which handles Information and Communication Technologies).
About ISO 27035 (Information security incident management), the above-mentioned roles, now including roles responsible for legal compliance also should be included.
For further information, see:
- Using ITIL to implement ISO 27001 incident management https://advisera.com/27001academy/blog/2015/11/10/using-itil-to-implement-iso-27001-incident-management/t/
Comment as guest or Sign in
Oct 05, 2020