An information security management system (ISMS) is the set of policies, procedures and controls by which an organization systematically manages its information security. (Security Information and Event Management (SIEM) technologies are often mentioned in the same breath: they are monitoring tooling that supports the security, compliance and efficiency needs of an enterprise, but a SIEM is a control that an ISMS may call for, not the ISMS itself.) Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment.
ISO/IEC 27001:2005 (with its companion code of practice, ISO/IEC 27002:2005) contains best-practice control objectives and controls in the following areas of information security management:
- Risk assessment
- Security policy – management direction
- Organization of information security – governance of information security
- Asset management – inventory and classification of information assets
- Human resources security – security aspects for employees joining, moving and leaving an organization
- Physical and environmental security – protection of the computer facilities
- Communications and operations management – management of technical security controls in systems and networks
- Access control – restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance – building security into applications
- Information security incident management – anticipating and responding appropriately to information security breaches
- Business continuity management – protecting, maintaining and recovering business-critical processes and systems
- Compliance – ensuring conformance with information security policies, standards, laws and regulations
ISO/IEC 27001 is the standard that specifies the requirements for an organization's Information Security Management System (ISMS); it is the document against which an ISMS is audited and certified. Other information security standards are narrower in scope and have a different focus.
ISO/IEC 27002 provides best-practice recommendations on information security controls for those who are responsible for initiating, implementing or maintaining an ISMS; it is guidance, not a certification standard.
The purpose of ISO/IEC 27004 is to help organizations measure, report on and hence systematically improve the effectiveness of their ISMS.