More often than not, discussions about the ISMS (SMSI in Romanian) are limited to two or three standards: ISO 27001/27002/27005.
In practice the approach has to be somewhat broader, because we are dealing with a whole family of standards:
The ISMS family of standards is intended to assist organizations of all types and sizes to implement and operate an ISMS. (Source: ISO/IEC 27000:2014)
So we should keep the following in view:
- ISO/IEC 27000, Information security management systems — Overview and vocabulary
- ISO/IEC 27001, Information security management systems — Requirements
- ISO/IEC 27002, Code of practice for information security controls
- ISO/IEC 27003, Information security management system implementation guidance
- ISO/IEC 27004, Information security management — Measurement
- ISO/IEC 27005, Information security risk management
- ISO/IEC 27010, Information security management for inter-sector and inter-organizational communications
- ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
- ISO/IEC 27014, Governance of information security
- ISO/IEC TR 27015, Information security management guidelines for financial services
- ISO/IEC TR 27016, Information security management — Organizational economics
NOTE The general title „Information technology — Security techniques” indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Two more definitions:
- control – measure that is modifying risk (2.68) [SOURCE: ISO Guide 73:2009]
Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
- control objective – statement describing what is to be achieved as a result of implementing controls (2.16)
That being the case, controls cannot be limited to "paper": procedures and policies. A procedure or policy for classifying information (the control) achieves nothing on its own if you do not also have at least a DLP mechanism that actually enforces it and lets you show the control objective is being met. You can pile up entire stacks of procedures; without technical controls (DLP, SIEM, web/mail filtering, endpoint control, etc.) there is no working ISMS, only documentation.
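To make the distinction concrete, here is an added example (not from the original post, and not from any ISO standard): a toy DLP egress check that enforces a written classification policy. The policy on paper says every document carries a label from the scheme PUBLIC/INTERNAL/CONFIDENTIAL/SECRET and that only PUBLIC material may leave the organisation. The code is what turns that sentence into a control that actually modifies risk, and its output is the kind of event a SIEM would ingest. The label scheme, the domain `example.com`, the IBAN pattern and the sample messages are all assumptions constructed for the example; the fourth message shows Note 2 above in action: the label says PUBLIC, but the content does not, so the paper control alone would have failed.

```python
"""Added example: a minimal DLP-style egress check enforcing a classification policy.

Everything below (label scheme, domains, patterns, sample messages) is
constructed for illustration and is not taken from any standard or product.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed classification scheme written in the (hypothetical) policy.
LABELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "SECRET")
LABEL_RE = re.compile(r"\[(%s)\]" % "|".join(LABELS), re.IGNORECASE)

INTERNAL_DOMAINS = {"example.com"}   # assumed: the organisation's own mail domains
EXTERNAL_OK = {"PUBLIC"}             # policy: only PUBLIC content may leave

# Content rules that catch data whose label is missing or wrong.
# Romanian IBAN shape (RO + 2 check digits + 4-letter bank code + 16 chars); assumption.
CONTENT_RULES = {
    "iban": re.compile(r"\bRO\d{2}[A-Z]{4}[A-Z0-9]{16}\b"),
}


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


def classification(msg: Message):
    """Return the label found in subject or body (upper-cased), or None if unlabelled."""
    m = LABEL_RE.search(msg.subject) or LABEL_RE.search(msg.body)
    return m.group(1).upper() if m else None


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def evaluate(msg: Message) -> dict:
    """Apply the egress policy to one message and return a SIEM-style event."""
    label = classification(msg)
    external = [r for r in msg.recipients if is_external(r)]
    hits = [name for name, rule in CONTENT_RULES.items() if rule.search(msg.body)]

    if not external:
        decision, reason = "allow", "internal recipients only"
    elif label is None:
        decision, reason = "quarantine", "unlabelled content leaving the organisation"
    elif label not in EXTERNAL_OK:
        decision, reason = "block", "%s content may not be sent externally" % label
    elif hits:
        # Label says PUBLIC, content says otherwise: the paper control did not
        # have its intended effect, the technical control still does.
        decision, reason = "block", "labelled %s but content matches %s" % (label, hits)
    else:
        decision, reason = "allow", "PUBLIC content"

    return {
        "event": "dlp.egress",
        "sender": msg.sender,
        "external_recipients": external,
        "label": label,
        "content_hits": hits,
        "decision": decision,
        "reason": reason,
    }


def summarize(messages) -> Counter:
    """Count decisions: this is the measurement the control objective is judged by."""
    return Counter(evaluate(m)["decision"] for m in messages)


# Constructed sample traffic (not real data).
SAMPLE = [
    Message("ana@example.com", ["ion@example.com"], "[CONFIDENTIAL] Q3 plan", "internal draft"),
    Message("ana@example.com", ["partner@vendor.test"], "[CONFIDENTIAL] Q3 plan", "please review"),
    Message("ion@example.com", ["friend@mail.test"], "numbers", "see attached, no label anywhere"),
    Message("ion@example.com", ["press@media.test"], "[PUBLIC] payment details",
            "our account is RO49AAAA1B31007593840000"),
    Message("pr@example.com", ["press@media.test"], "[PUBLIC] press release", "product launch"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(evaluate(m))
    print(dict(summarize(SAMPLE)))
```

Run it and the five events show allow / block / quarantine / block / allow; the `summarize` counts are what you would chart over time to demonstrate that the control objective ("no non-public information leaves the organisation") is actually being met rather than merely documented.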
Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the identified information assets. These controls need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the specific information security and business objectives of the organization are met.