The Information Security Management System (ISMS – specification with guidance for use) enables the implementation of an efficient management system that is oriented toward the protection of information assets. An ISMS is implemented so that the organization can assess its risks and apply appropriate controls and management mechanisms to maintain the confidentiality, integrity and availability of information. The primary goal is to protect the organization's information assets, preventing information from reaching unauthorized persons or from being lost.
Today's business is dependent on information technologies and systems. Besides supporting the business, this dependence also means that organizations are more exposed to threats to their security. Information is an asset that, like other important business assets, has value for the organization and must be protected appropriately. By identifying and classifying assets and evaluating the threats and vulnerabilities that affect them, every organization can select methods for managing these risks so as to maintain the confidentiality, integrity and availability of information. This concerns the information of all involved parties: in-house information as well as the information of clients, customers, suppliers, shareholders, official authorities, etc.
Certification in accordance with ČSN EN ISO/IEC 27001 (the Czech adoption of the international standard for ISMS) is applicable to any organization, in all areas of production and service provision. The ČSN EN ISO/IEC 27001 standard is consistently process-oriented and applies Deming's PDCA (Plan-Do-Check-Act) cycle. ISMS certification is objective evidence through which the owners and management of a certified organization confirm to their owners, employees, customers and other involved parties that they not only assume responsibility for information security, but also declare fulfillment of their commitment that the applied principles of behavior and approach to information security are an integral part of the business.
Today, certification in accordance with ČSN EN ISO/IEC 27001 is essential in many fields of business. Certificates are required in business relationships and increase the trustworthiness of the organization. Fulfillment of the requirements of the ČSN EN ISO/IEC 27001 standard is also the basis for other management system certifications and for certain branch or professional certifications.
Information security and the EN ISO/IEC 27001 standard do not apply only to information technologies. Just as in quality management systems, environmental management systems or occupational health and safety systems, the information security management system includes management, policy, organization and regular reviews. Demanding parts of an ISMS include, for example, an analysis of the value of the organization's IT assets, risk analysis in relation to information, information risk management, the declaration of information security and other procedures.