An Information Security Management System (ISMS) is a set of policies concerned with the management of IT-related information security risks, a concept that arose out of British Standard 7799. The governing principle behind an ISMS is that an organization should design, implement, and maintain a coherent set of policies, processes, and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
We work with clients to ensure that, as with any management process, the ISMS they develop remains effective and efficient in the long term, adapting to changes in the internal organization and the external environment. The ISMS designed, built, and operationalized for the client is built according to the ISO/IEC 27001 standard using either a Plan, Do, Check, Act (PDCA) model or the Six Sigma DMAIC (Define, Measure, Analyze, Improve, Control) model.
Deconstructing the different risk assessment models that can be used in performing IT risk assessments.
The fact is, information security is a management issue, not a purely technical one. Our clients should expect to devote approximately 1/3 of their time to the technical aspects of the ISMS and the remaining 2/3 to developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning, and promoting security awareness.
ISO/IEC 27001 is an internationally recognized best-practice framework for an information security management system. It helps our clients identify the risks to their important information and put in place the appropriate controls to reduce those risks to a level acceptable to the business.
The benefits of having an ISMS in place in our clients' organizations include:
Our certified ISO 27001 Lead Auditors design, build, test, and implement ISO 27001 compliant ISMS programs for our clients that result in:
Brier & Thorn’s Risk, Audit, and Compliance (RAC) practice consists of BSI-certified ISO 27001 Lead Auditors who have developed and operationalized a fast-track method for building, implementing, and operating an Information Security Management System (ISMS) for our clients. The ISMS Program Development service is managed by our Program Management Office, which will assign a PMO to our client for the duration of the project. The project will be divided into phases according to best practices for project management, combining the PMBOK (Project Management Body of Knowledge), Six Sigma, and PRINCE2 methodologies, in the following stages defined below:
Brier & Thorn’s advisors will work with our client and the ISMS stakeholders who have already been identified to establish and start the project. In this phase, we will develop a project plan, work breakdown structure (WBS), project schedule, and project initiation documents, and put actions in place to secure key resources. The outputs of this phase include a list of ISMS parties and the legal, regulatory, and contractual requirements of our client.
In this phase, we start the work involved in creating the ISMS deliverables, using the project strategy, business case, and initiation documentation as the starting point. The team will then work with stakeholders to develop the designs of the project deliverables. Templates are designed for the ISMS framework, ISMS policy, and ISMS procedure documents.
Development and Testing
With all of the planning and design complete, our advisors will then begin to develop the actual ISMS framework and ancillary documents. In this phase, the asset register will be developed along with the risk assessment, risk treatment, and internal audit activities. The deliverables in this phase include the policies, procedures, risk acceptance and risk treatment plans and reports, as well as an acceptance of all residual risks to the business.
We share our clients’ ambitions, working to understand their reality and deliver true results, focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely held partnership.
Badger Meter strengthens its IT security by retaining Brier & Thorn to build a new ISMS, later receiving ISO 27001 certification and SOC 2 attestation.
In its recent divestiture from Expert Global Systems, Transworld Systems Inc retains Brier & Thorn to build a new ISMS, create a new cardholder data environment, and perform threat management services to help the company demonstrate PCI-DSS 3.1 compliance as well as move toward ISO 27001 certification and SOC 2 compliance.