ISMS Model

Here is an ISMS model that can be used.

Visio file available on demand.

Start with a Security Officer responsible for:

  • Improvement of IT governance (ITIL, COBIT)
  • Ensuring compliance (PCI, Sarbanes-Oxley, ISO/IEC 27001)
  • Definition and implementation of security policies
  • Implementation of security frameworks (ISO/IEC 27002, Standard of Good Practice)
  • Definition of roles and responsibilities for security within the organization
  • Training the organization in security-related matters
  • Project management
  • Security architectures
  • Incident and response management
  • Crisis and continuity management
  • Recruitment of information security officers or other security specialists

1. Security Organization

  • Identify the scope of your security environment and split it in manageable entities
  • Develop the Information Security Management Policy
  • Assign security roles and responsibilities within the scoped environment so your security goals can be managed
  • Identify the skills required to properly execute the security responsibilities

2. Management Security Training (and support)

  • Teach management security best practices and show them how to approach specific security challenges
  • Share years of experience
  • Training sessions customized to the organization’s needs and highly interactive to maximize training results

3. Asset Discovery

Information security is the protection of information assets and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

Information Security Management concerns the design, implementation and maintenance of a coherent suite of controls to ensure the adequate protection of information systems.

4. Risk Evaluation

Risk is the threat or probability that an action or event will adversely or beneficially affect an organization’s ability to achieve its objectives.

Risk Management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events.

Identify Organization’s key risks such as:

  • (F) Financial and credit risk
  • (R) Regulatory risk
  • (O) Operational risk
  • (C) Confidentiality risk (reputation risk)
  • (I) Integrity risk
  • (A) Availability risk

5. Policy Development

Custom Developed Security Policies

Information security policies provide direction to an organization on how to protect the information in its care.

Information Security Policies translate an organization’s business objectives to control objectives so that information risks are reduced to an acceptable level.

Information Security Policies deliver consistency in the security organization resulting in effective and cost-efficient controls.

Custom made information security policies that take into account:

  • Business objectives
  • Judicial setting
  • Targeted acceptable risk level
  • Organizational culture
  • Industry best practices

A specific topic will be linked here. To do.

6. Security Assessment

Policy statements that are realistically achievable and pragmatic.
Information gathering occurs by means of

  • Interviews,
  • Workshops, and
  • Document reviews

7. Initial Security Baseline Definition

That is, improving an organization’s security posture.

The Baseline Security Assessment provides added value through

  • Evaluation of the security strategy inline with business objectives
  • Verification of the adequacy of security processes
  • Validation of the technical implementation of security devices

The Baseline Security Assessment helps planning for the future by increasing

  • Efficiency
  • Manageability
  • Scalability
  • Business alignment

Security assessment against

  • ISO 27002 security best practices (which go beyond IT security and focus on the protection of information assets)
  • Security Architecture Review
    • Assessment of the overall security setup within an organization
    • Analysis of network diagrams
    • Interview sessions with network and system engineers
    • Verification of the operation, monitoring, and management of the technical security infrastructure
    • Spot checks on critical security devices
  • Vulnerability Scan
    • Detection of security problems and incorrect configurations of networked devices
    • Automated scan with manual risk evaluation
    • Conducted from an attacker perspective
    • External Vulnerability Scan
      • Scan initiated from the Internet
      • Perimeter security devices active
    • Internal Vulnerability Scan
      • Scan initiated from within a security zone
      • Servers are tested without the protection of security devices

Consolidated Report and Management Presentation

Key steps of the security assessment

  • Interview sessions
    • With key business and IT personnel
      • CxO, Internal Audit, Human Resources, Legal Representative, etc.
      • IT management, Security office, Software development, System engineering, Datacenter manager, Database administration, Service desk, etc.
  • Open questions on:
    • Operational practices
    • Business objectives & strategy
    • Future Plans
  • Questionnaires for satellite offices
    • For local IT departments and the business liaisons
    • Custom made questionnaires
    • Closed questions on the implemented security practices
  • Site Visits
    • Evaluation of physical information security of key sites
    • Evaluation of datacenter environmental controls

The Baseline Security Assessment includes:

  • Kick-off meeting
  • Execution of the interviews
  • Development of the questionnaires
  • Analysis of the results
  • Report on the outcome of the analysis
  • Presentation of the report

8. Continuous Security Improvement

“Security is a Process”

Plan – Do – Check – Act

Continuous Management through well-defined processes with:

  • On-site supervision;
  • Deliverable at each stage providing guidance and direction;
  • Measured with security metrics developed specifically for the environment;
  • Processes aligned with security best practices (ISO/IEC 27000, ITIL, COBIT, etc.)

9. Security Baseline Improvement

A dedicated security baseline improvement process adjusts security targets following changes to:

  • Business processes
  • Risk Profile
  • Evolution in technology
  • New security architecture
  • ICT requirements

Definition of three security baselines:

  • Actual Security Baseline – “Where are we now?”
    • The state of security controls currently in place
  • Target Security Baseline – “Where do we want to be?”
    • Security controls that should be in place
    • Reference point to detect any defects
  • Improved Security Baseline – “The business evolved, thus so shall we!”
    • Setting new information security targets

Measuring effectiveness at the time required

  1. Validation of security controls through interview, recorded evidence and technical testing
  2. Predefined validation frequency (monthly, quarterly, annually)
  3. Compare yourself with the industry using information security best practices (ISO 27002)

Security Control Score = Relevance x Importance x (Effectiveness + Documentation)
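As an added example (not part of the original page), the score formula above applied to a constructed actual baseline and compared against a target baseline, so the largest control gaps surface first. The scales (relevance and importance 0..3, effectiveness and documentation 0..5) and the choice of full effectiveness and documentation as the target are assumptions, not values the page defines.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str           # control area, e.g. an ISO 27002 topic (constructed sample)
    relevance: int      # assumed scale 0..3; 0 = not applicable to this environment
    importance: int     # assumed scale 0..3; weight of the control for the key risks
    effectiveness: int  # assumed scale 0..5; as validated by interview, evidence, testing
    documentation: int  # assumed scale 0..5; state of the written policy/procedure

def control_score(c: Control) -> int:
    """Security Control Score = Relevance x Importance x (Effectiveness + Documentation)."""
    return c.relevance * c.importance * (c.effectiveness + c.documentation)

def target_score(c: Control, target_eff: int = 5, target_doc: int = 5) -> int:
    """Target baseline score: same relevance and importance, target effectiveness
    and documentation (assumed here to be the top of the scale)."""
    return c.relevance * c.importance * (target_eff + target_doc)

def baseline_gaps(controls):
    """Return (name, actual, target, gap) tuples, largest gap first.
    Controls with relevance 0 score 0 in both baselines, so they never rank."""
    rows = []
    for c in controls:
        actual, target = control_score(c), target_score(c)
        rows.append((c.name, actual, target, target - actual))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample of the actual security baseline ("Where are we now?")
ACTUAL_BASELINE = [
    Control("Access control", 3, 3, 2, 1),
    Control("Backup and restore", 3, 2, 4, 4),
    Control("Secure development", 2, 2, 1, 0),
    Control("Wireless security", 0, 2, 0, 0),  # not relevant here: scores 0 regardless
]

if __name__ == "__main__":
    for name, actual, target, gap in baseline_gaps(ACTUAL_BASELINE):
        print(f"{name:<20} actual={actual:3d} target={target:3d} gap={gap:3d}")
```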
