A Practical Implementation of ISMS

A. Asosheh, P. Hajinazari, H. Khodkari


Nowadays, access to reliable information has become an essential factor in business success. Accordingly, adequate security of information, and of the systems that process it, is critical to the operation of every organization. Organizations must therefore understand and improve the current state of their information security in order to ensure business continuity and increase the return on their investments. Because information security plays such an important role in supporting the organization's activities, a standard or benchmark is needed to govern it. Hence, this paper discusses several Information Security Management System (ISMS) standards in order to determine their strengths and challenges. Then, based on the most appropriate standards in the field, a method is proposed that allows information technology-related or IT-based enterprises to implement their ISMS. The method helps identify critical assets and their related threats and vulnerabilities, assess the risks to those assets, and provide the necessary risk treatment plans. The proposed method makes it possible to establish an information security management system in IT-related large-scale enterprises in a structured way.
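The abstract describes the core loop of an ISMS risk assessment (identify assets, pair them with threats and vulnerabilities, score the risk, choose a treatment) without giving the scoring scheme. The following is an added illustration and is not the authors' method or code: it uses a constructed three-level qualitative scale, a multiplicative score (asset value x likelihood x exploitability), a constructed acceptance threshold of 8, and a small made-up control catalogue, all in the spirit of the asset/threat/vulnerability style found in ISO/IEC 27005 but not prescribed by it. The sample register is constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Three-level qualitative scale; the numeric mapping is a constructed convention.
LEVEL = {"low": 1, "medium": 2, "high": 3}
# Constructed risk-acceptance criterion: scores at or below this are accepted as-is.
ACCEPTANCE_THRESHOLD = 8


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def value(self) -> int:
        """An asset is rated by its most demanding security property (CIA)."""
        return max(LEVEL[self.confidentiality], LEVEL[self.integrity], LEVEL[self.availability])


@dataclass(frozen=True)
class Scenario:
    """One asset / threat / vulnerability combination to be assessed."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str      # how likely the threat is to act on the asset
    exploitability: str  # how easily the vulnerability can be exploited


# Constructed control catalogue: vulnerability -> (control, exploitability levels removed).
CONTROLS: Dict[str, Tuple[str, int]] = {
    "unpatched software": ("patch management process", 2),
    "weak passwords": ("MFA and password policy", 2),
    "no offsite backup": ("offsite encrypted backups", 1),
}


def risk_score(asset_value: int, likelihood: str, exploitability: str) -> int:
    """Multiplicative qualitative risk: asset value x likelihood x exploitability (1..27)."""
    return asset_value * LEVEL[likelihood] * LEVEL[exploitability]


def assess(s: Scenario) -> int:
    return risk_score(s.asset.value(), s.likelihood, s.exploitability)


def treat(s: Scenario) -> dict:
    """Pick a treatment option and compute the residual risk after the chosen control."""
    score = assess(s)
    entry = {"asset": s.asset.name, "threat": s.threat, "score": score,
             "control": None, "residual": score}
    if score <= ACCEPTANCE_THRESHOLD:
        entry["option"] = "accept"
        return entry
    catalogued = CONTROLS.get(s.vulnerability)
    if catalogued is None:
        # No known mitigating control: the risk must be transferred or the activity avoided.
        entry["option"] = "transfer or avoid"
        return entry
    control, reduction = catalogued
    residual_expl = max(1, LEVEL[s.exploitability] - reduction)
    residual = s.asset.value() * LEVEL[s.likelihood] * residual_expl
    entry.update(control=control, residual=residual)
    entry["option"] = "mitigate" if residual <= ACCEPTANCE_THRESHOLD else "mitigate, then reassess"
    return entry


def risk_treatment_plan(scenarios: List[Scenario]) -> List[dict]:
    """Treatment plan ordered by descending risk so the worst exposures are handled first."""
    return sorted((treat(s) for s in scenarios), key=lambda e: e["score"], reverse=True)


# Constructed sample register (not from the paper).
CUSTOMER_DB = Asset("customer database", "high", "high", "medium")
WEB_SERVER = Asset("public web server", "medium", "medium", "high")
WIKI = Asset("intranet wiki", "low", "low", "low")
HR_LAPTOP = Asset("HR laptop", "medium", "medium", "low")

SAMPLE_SCENARIOS = [
    Scenario(CUSTOMER_DB, "external attacker", "unpatched software", "medium", "high"),
    Scenario(WEB_SERVER, "ransomware", "no offsite backup", "medium", "medium"),
    Scenario(WIKI, "insider misuse", "weak passwords", "medium", "high"),
    Scenario(HR_LAPTOP, "device theft", "unencrypted disk", "medium", "high"),
]

if __name__ == "__main__":
    for entry in risk_treatment_plan(SAMPLE_SCENARIOS):
        print(f"{entry['score']:>2} {entry['asset']:<20} {entry['option']:<18} "
              f"control={entry['control']} residual={entry['residual']}")
```

Two points the code makes that the abstract leaves implicit: the acceptance threshold is a management decision that must be fixed before scoring starts, and a scenario with no catalogued control (the laptop with an unencrypted disk here) cannot simply be "mitigated" but has to be escalated to a transfer or avoid decision, which is what a treatment plan exists to record.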







E-ISSN: 2008-8310

ISSN: 2008-8302