BIZOPS-30 Information Security Management System

What is this control about?

This control is a requirement for any ISO program and asks for high-level documentation that explains how the organization addresses the ISO requirements. The high-level documentation should include all the relevant sections of the ISO program in question and document how each is addressed and implemented. This is heavy documentation.

The ISMS program is based on the ISO/IEC 27001 standard, which provides a structured approach to information security management. ISO 27001 is a systematic framework for developing, implementing, maintaining, and continually improving the organization’s information security policies, procedures, and controls. Accordingly, the ISMS documentation should provide direction and guidance for the development, implementation, maintenance, and continual improvement of the organization’s information security management system.

Available tools in the marketplace

ISMS Tools
No tool recommendations for this section.

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • Refer to template available in the Helpful Resources section

Control implementation

Every company pursuing an ISO audit should document how it is addressing and complying with each requirement. The template provided covers all the required topics, but as a minimum, the document should address:

  1. Purpose and Scope: This section outlines the purpose and scope of the ISMS policy and identifies the information assets that are covered by the policy.
  2. Objectives: This section outlines the organization’s information security objectives, which should be aligned with the organization’s overall business objectives.
  3. Roles and Responsibilities: This section outlines the roles and responsibilities of the individuals and departments that are responsible for implementing and maintaining the ISMS.
  4. Risk Management: This section outlines the organization’s approach to identifying, assessing, and managing information security risks.
  5. Security Controls: This section outlines the security controls that the organization will implement to protect its information assets and ensure the confidentiality, integrity, and availability of its information.
  6. Incident Management: This section outlines the organization’s approach to managing information security incidents, including how incidents will be reported, investigated, and resolved.
  7. Compliance: This section outlines the organization’s approach to complying with relevant laws, regulations, and industry standards related to information security.
  8. Continual Improvement: This section outlines the organization’s approach to continually improving its information security management system.

The ISMS policy should be developed with input from senior management and should be communicated to all employees and stakeholders who are responsible for implementing and maintaining the ISMS.

The policy should be regularly reviewed (at least yearly) and updated to ensure that it remains relevant and effective in addressing the organization’s information security risks and requirements.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the suggested action below:

  • Most recently updated ISMS policy

Evidence example

From the suggested action above, an example is provided below.

  • Most recently updated ISMS policy

Refer to the template available in the Helpful Resources section; the completed version of the template will suffice as evidence.
