Information Security Management System ‐ A process approach
By Anil Chiplunkar, CISM, CFE, CFAP, LA ISO27001
Most organizations have considered the term ‘Information Security’ to be equivalent to ‘Information Technology (IT) security’, and so the focus of securing ‘information’ has been oriented towards ‘protection of data’ stored on devices such as servers, desktops, laptops, CDs, tapes etc. When organizations started using the Internet, security was provided using devices such as firewalls, intrusion detection systems etc. From the tools or applications perspective, the most basic security application used was (and still is) anti-virus. Even today there are many organizations which procure and implement perimeter security devices and applications (possibly even as a standard implementation) and have the ‘feel secure’ factor. Although IT plays a major business-enabler role in most modern organizations, the scope of ‘information security’ is not necessarily limited to IT but extends to the ‘entire organization’, as ‘information’ is practically everywhere and with everybody in the organization. It is necessary to understand the terms ‘information’ and ‘information security’ in their broader sense as well as their implications at micro-level.
The definition of ‘information’ varies between individuals and organizations. Various definitions equate information to data, knowledge, coordinated data, meaningful data etc. These are definitely components of ‘information’, but in the true sense the term has a wider meaning. To have a broad, all-encompassing and globally accepted definition of these terms, an international standard is referred to. Following are the definitions reproduced from the international standard ISO27001, which is the ...