ISMS based on ISO/IEC 27001
BRS ISMS (Information Security Management System) provides security management system certification through an independent third-party assessment carried out by competent professionals. BRS ISMS requires that the organization meet its legal obligations, regulatory requirements and contractual agreements; ISO/IEC 27001 serves as the management tool for that regulatory basis. BRS certification gives stakeholders confidence that the organization's information security management practices and methods are effective. Consideration needs to be given to the following areas of the ISMS:
Security Policy
Establishes the basis for implementation and the directives relevant to the security and protection of information, aligned with business objectives and promoting continual competence and action.
Organizational Security
Requires implementing the fundamentals for managing and controlling the flow of information under secure protocols, both on the organization's premises and in outsourced activities.
Classification and Control of Assets
Identification, evaluation and risk assessment of assets so that they are controlled and protected in proportion to the impact their compromise would have on business activities.
Personnel Security
Provides guidance and awareness of internal and external threats in support of the policy and organizational objectives, assisting the continuity of business activities so that information flows into knowledge.
Access Control and Systems (Physical and Micro Environment)
Controls access to data and information so that the threat of intrusion is prevented, minimized or eliminated through network protection and standardized practices, in both the physical and the virtual realm. Protection controls include wireless communication and technology, whether on-site or remote. In the 2013 revision of the standard, organizations have freedom of choice in how they identify, analyze and control threats.
Computer and Network Management (Communications and Operations)
Gives consideration to a standardized scheme that safeguards the integrity of data and information as it is entered, retained and recovered throughout the network environment, including supporting maintenance activities that reduce system failures and planning for contingencies.
Access Controls
Establishes and maintains the controls needed to access and communicate information over a network (Wi-Fi, LAN, ...).
Business Requirements for Access Control
Information security requires controls that grant access to system assets and information only to those who need it and are authorized to use it.
Development and Maintenance: Hardware, Software and Firmware
Implements security as an integral component of the organization's routine activities so that confidentiality and authenticity are built in alongside integrity; this includes applying updates and patches and evaluating technology so that its discontinuance does not impact the business.
Physical and Environmental Security
The physical security of the premises is an integral component of a successful information security strategy, assisting in the achievement of the security policy and minimizing the impact on business continuity of any breach in the physical or virtual environment.
Compliance
Identifies and establishes responsibilities and provides awareness of regulatory obligations and their implications and impact (within the USA, consider HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley, along with many other sector-specific rulings and their national equivalents).
Business Continuity Management
Requires strategic planning, testing and reliable continuance of operations through a disaster recovery policy.
Further, the investigative process is typically a three-step plan:
- Initial analysis: investigate causes and effects.
- Coordination: coordinate with the investigative team, including those affected or potentially affected, and identify the action(s) to take.
- Decision: implement mitigation, restore the affected system promptly, and act on the best viable preventive measures and their implementation.