ISO27001 Information Security Management System

Information Security Management System (ISMS)

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems, and it is driven by a risk management process. It can help small, medium and large businesses in any sector keep information assets secure. The ISMS represents the set of policies, procedures and other controls that define the information security rules of an organisation.

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organisations, regardless of type, size or nature.

ISO/IEC 27001 requires that management:

  1. Systematically examine the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts.
  2. Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
  3. Adopt an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an ongoing basis.

Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory. Some organisations choose to implement the standard in order to benefit from the best practice it contains, while others also decide to get certified (by an accredited certification body, following an audit of the ISMS) to reassure customers and clients that the standard's requirements have been met. Using our systematic approach, we provide consultancy for assessment and pragmatic implementation of an ISMS to guide organisations into compliance with, and certification against, the ISO/IEC 27001 information security management standard.


BNM’s Risk Management in Technology (RMiT)

The financial services industry is a significant target for cyber threats, arising both from insiders and from external sources. The severity and urgency of this cyber risk warrants certain minimum cyber risk management standards being met by all regulated entities. The Malaysian Risk Management in Technology (RMiT) policy document, issued by Bank Negara Malaysia, sets out requirements for managing technology risk in financial institutions and helps them combat the ever-growing threat posed to information and financial systems by nation-states, terrorist organisations and independent criminal actors. This regulation is designed to:

  • Promote the protection of customer information
  • Promote the protection of the information technology systems of regulated entities
  • Require each affected institution to assess its specific risk profile
  • Require each affected institution to design a programme that addresses its cyber risks in a robust fashion
  • Hold the board and senior management accountable for attesting to compliance with these requirements

Now that the RMiT is in force, it’s imperative for affected organizations to understand the requirements and how to comply with them.