Introduction
The foundation of good governance is a proper management system. For the management of information security and privacy, the scope, execution and resourcing of that system depend on the size of the organization and on the information and other related assets involved. Whatever its size, such a management system must always cover certain basics and keep records of what is done.
The information security and privacy management system (the management system) needs to take into account the assets that are to be protected, the methods the organization uses for risk management, the control objectives and controls, and the level of security that is required. The goal is a management system that is both efficient and effective. This is achieved by including only the actions that are necessary and using methods that fit the organization, while avoiding over-management and the waste of resources. The management system should be part of the organization's overall management system.
Security and privacy cover both technical and organizational topics. Managing them is not a one-off exercise but an ongoing process. Taking care of security and privacy is good for the business: no business can succeed in the current operating environment without addressing both. Well-thought-out control measures, applied correctly, make a positive contribution to operations rather than being primarily an increase in costs.
Content of IPMF
The Information Security and Privacy Management Framework (IPMF, the Framework) describes how the organization manages its Information Security and Privacy Management System. It therefore covers both the requirements for an Information Security Management System (ISMS) in Clauses 4 to 10 of ISO/IEC 27001:2022 and the requirements for a Privacy Information Management System (PIMS) in Clause 5 of ISO/IEC 27701:2019, as revised in ISO/IEC DIS 27701.
The Framework documents the requirements stated in each standard, starting with internal and external issues and ending with non-conformities and corrective actions. The management system requirements contain 48 references to items that have to be determined and/or documented. "What has not been documented does not exist and therefore cannot be audited" is the old mantra of internal auditors, and it applies to an ISMS/PIMS as much as to bookkeeping. So every single item has to be documented, sometimes in a short text but often in external documents containing, for example, detailed processes and procedures.
Below is a typical table of contents of a Framework document that SECPRICO provides to its customers. In many cases a section is simply a place to refer to the document(s) that fall under the topic of that section.
0. Terms and abbreviations
1. Introduction
1.1. The Management Framework
1.2. The Organization IPMF
1.3. The Organization ISMS
1.4. The Organization PIMS
1.5. Documented Information
2. Context
2.1. Certification Scope
2.2. External and Internal Context and Issues
2.2.1. External Context and Issues
2.2.2. Internal Context and Issues
2.3. Needs and expectations of Interested Parties Relevant to the ISMS and PIMS
2.4. External Interested Parties and Their Needs
2.4.1. Customers
2.4.2. Local Legal Interested party (Laws & Regulations)
2.4.3. Suppliers
2.5. Internal Interested Parties & Their Needs
2.5.1. Management – Decision Maker – Risk Owners – Legal - Personnel
2.5.2. Information Security and Privacy Team
2.5.3. Other interested party (Human Resource)
2.6. Local Laws & Regulations
2.7. Objectives & Plans to achieve them
2.8. Dependencies
2.8.1. Risks & Issues
2.8.2. Arrangements with other organizations
3. Scope of the Management System
3.1. Scope
3.1.1. Information Security Management System
3.1.2. Privacy Information Management system
3.2. Teams in scope
3.3. Other Organizations
4. Organization of the Management System
4.1. Roles
4.1.1. Roles of the ISMS
4.1.2. Roles of the PIMS
4.2. Competencies
4.2.1. Competencies of the ISMS
4.2.2. Competencies of the PIMS
4.3. Training
4.4. Awareness
4.5. Communications
4.5.1. Internal
4.5.2. External
5. Operations of the Management System
5.1. Status of Business Impact Analysis
5.2. Status of Information Security Risk Assessment (ISRA) & Treatment
5.3. Status of Privacy Impact Assessment & Treatment
5.4. Statement of Applicability (SoA)
5.5. Status of Corrective Actions
5.6. Status of Changes
6. Performance of the Management System
6.1. Performance Measurement Plan
6.1.1. Key metrics to Measure & Report
6.1.2. Internal Audit
6.1.3. External Audit
6.1.4. Management Review
7. Corrective Action and Improvements
7.1. Continual Improvements
7.2. Corrective Actions
8. Appendices
8.1. Appendix #1 Organization Presentation Certificate
8.2. Appendix #2 Organization Additional Management System Process / Procedures
Each organization has its own needs, depending on many factors, including its size, its structure and the scope of the management system.
Key documents for the management system need to be referenced from the Framework (or form part of the Framework document), including but not limited to the following:
Information Security and Privacy Policy (might be separate policies)
Risk Management Framework and/or Risk Assessment Procedures (whatever approach is used), Risk Assessment Report, Privacy Impact Assessment Report, Business Impact Analysis Report
Internal Audit and Management Review Procedures and Reports
Statement of Applicability (SoA)
Security and Privacy Manual(s), Guidelines, Procedures, Processes and Standards
Bear in mind that further documents are associated with the controls applicable to the management system; these controls are listed in the SoA document.
For more information send email to security@internet.is or contact Marino G. Njalsson on LinkedIn