Information Security Management establishes a defined level of security for information, IT services
and IT infrastructure; it is also known as information assurance.
Information Security is not confined to computer systems, or to information in an electronic
or machine readable form. It applies to all aspects of safeguarding or protecting information
or data, in whatever form.
The aim of a coherent Information Security Management System (ISMS) is to ensure:
Confidentiality, Integrity, and Availability.
Information security is achieved by applying a suitable set of controls (policies, processes,
procedures, organizational structures, and software and hardware functions).
An organization needs to identify and manage many activities in order to function
effectively. Any activity that uses resources and is managed so as to enable the transformation
of inputs into outputs can be considered a process. Often the output from one process
directly forms the input to the next process.
The application of a system of processes within an organization, together with the
identification and interactions of these processes, and their management, can be referred to
as a “process approach”.
The process approach for information security management presented in the International
Standard encourages its users to emphasize the importance of:
a) Understanding an organization’s information security requirements and
the need to establish policy and objectives for information security;
b) Implementing and operating controls to manage an organization's
information security risks in the context of the organization’s overall
business risks;
c) Monitoring and reviewing the performance and effectiveness of the ISMS;
d) Continual improvement based on objective measurement.