Governance

Organisational governance is defined as “a system by which an organisation makes and implements decisions in pursuit of its objectives.” Organisational governance is achieved by a mix of standards, rules, processes, practices, and technology platforms that support maturity in governance.

In view of the enhanced role of ICT in achieving the business mission and objectives, governance of IT and of information security are considered a subset or domain of organisational (entity) governance. Definitions of governance in the specific context of IT and information security are provided in ISO/IEC 26000, ISO/IEC 38500:2015 and ISO/IEC 27014:2020.

  • Governance of Enterprise IT (ISO/IEC 38500:2015) deals with resources required to acquire, process, store and disseminate information.

  • Enterprise Information Security Governance (ISO/IEC 27014:2020) deals with assurance of information confidentiality, integrity and availability and effective communication of the same with various external stakeholders.

Governance of Enterprise IT

A model for good governance of IT assists those at the highest level of an entity to understand and fulfil their legal, regulatory and other obligations in respect of the entity’s use of IT. Further, it assists governing bodies in ensuring that the use of IT contributes positively to the performance of the organisation. Governing bodies should exercise their authority to ensure that their organisations follow a well-defined and suitable model for governance of IT, based on global best practices, so that the risks arising from the use of IT can be managed and opportunities can be exploited.

ISO/IEC 38500:2015 describes the principles and practices for good governance of IT and provides a baseline for each entity to develop their own model. The six core principles are:

  1. Establish responsibility.

  2. Define strategy for IT to support business.

  3. Make acquisitions as appropriate.

  4. Ensure performance.

  5. Ensure conformance.

  6. Achieve appropriate human behaviour.

Further, three main practices through which the governing bodies can continuously evolve governance of IT are:

  1. Evaluate the current and future use of IT in the context of the business need.

  2. Direct preparation and implementation of strategies and policies to ensure that use of IT meets business objectives.

  3. Monitor performance against the strategies particularly regarding their business objectives and conformance to external obligations and internal work practices.

Governance of Information Security

Governance of information security ensures effective implementation of information security controls and provides the following assurance:

  • Directives concerning information security will be followed.

  • The governing body will receive reliable and relevant reports about information security related activities.

The framework for governance of information security will assist the governing body to make decisions concerning the strategic objectives for the organisation. It further provides information about information security that can affect these strategic objectives. It also ensures that information security strategy aligns with the overall objectives of the entity.

ISO/IEC 27014:2020 defines six objectives for information security governance that provide a baseline for overall direction and control by the governing bodies and the top management. The detailed description of each objective and process is given in the ISO document. The practical application of each objective within an entity is briefly described below:

1. Establish integrated comprehensive entity-wide information security

Objective 1 calls for the establishment of an integrated comprehensive entity-wide information security framework. In practice, this would generally be addressed as under:

  • Organisations should define and document an enterprise level context for their Information Security Management System (ISMS). Further, the context, scope, external elements etc. of each of their individual ISMS implementations (business-unit or site-based) should flow from and be fully aligned with the enterprise context.

  • Organisations should define and document an enterprise level ISMS objective and policy. The ISMS policies of each of the individual ISMS implementations should be aligned with the enterprise context.

An enterprise level approach would provide the following benefits:

  • Governing bodies and top management can evaluate, direct, and monitor that information security is consistent across the enterprise.

  • Regulators and national nodal agencies can validate that the policy directives and regulatory guidelines provided to the regulated and critical sector entities are incorporated into the enterprise level ISMS framework, which further gets applied uniformly into all the ISMS implementations in the entities.

  • Auditors can easily assess and verify whether all the mandated policies have been incorporated in each of the ISMSs audited by them.

2. Make decisions using a risk-based approach

Objective 2 calls for using a risk-based approach for decisions. A risk-based approach is recognised world-wide as an effective mechanism for inter se prioritisation of the following:

  • Investment in protection functions that includes business continuity.

  • Allocation and use of resources.

  • Work related to tracking and monitoring functions.

  • Incident response and crisis management activities.

In general, risk is a function of impact and likelihood. However, entities may decide that the potential impact of some disruptions is so devastating that they carry the highest risk even if their likelihood is very low. In all other cases, risk reflects the organisation’s ability to accomplish its assigned mission, protect its assets, fulfil its legal responsibilities, maintain its day-to-day functions, and protect individuals.

Regulated and critical sector entities would benefit from using the ISO, IEC, NIST and other well-known standards to design, develop and implement a risk management system within their organisations. A risk-based approach helps entities correctly identify all the controls that are applicable in their ISMSs. An enterprise level approach to risk management would provide the following benefits:

  • Governing bodies and top management can evaluate the information security risks with the use of IT to achieve business objectives and further incorporate them into the enterprise level ISMS framework. This will help them direct and monitor the individual ISMSs effectively.

  • Regulators and national nodal agencies can validate that all the additional controls prescribed by them are consolidated into the enterprise level ISMS framework, which further gets applied uniformly into all the ISMS implementations in the entities.

  • Cybersecurity auditors can use the comprehensively defined Statement of Applicability (SoA) to verify that all risks have been considered for their technical audit.

3. Set the direction of acquisition

Objective 3 calls for setting the direction of acquisition of IT, OT, and Information Security capabilities in a comprehensive and consistent manner.

The enterprise level risk assessment carried out as part of Objective 2 will help in the prioritisation of investments and allocation of resources. The Information Security Steering Committees (ISSC) of critical sector entities can provide the right guidance to the top management when there is a common understanding of risk.

4. Ensure conformance with internal and external requirements

Objective 4 calls for ensuring conformance with internal and external requirements.

One of the objectives of regulators and national bodies is to standardise information security management and its audit across various entities, particularly the critical sector entities. A common approach and methodology of audit of IT Security can be achieved through the guidelines given in various national / international standards.

Entities should evaluate and adopt an internationally accepted methodology for audit of the implemented IT and Information Security Management System at agreed frequency and scope (this frequency and scope should be compliant with the minimum baseline promulgated vide various rules and regulations). The audit scope, audit objective, audit criteria and the competency of the auditors should be such that it provides adequate assurance to the stakeholders on the objectivity and impartiality of the results. The results of the audit are to be reviewed at an appropriate level in the entity / controller / regulator. The causal analysis and corrective action plan for any non-conformities observed in the audit are also to be reviewed and tracked for acceptable closure.

5. Foster a security-positive culture

Objective 5 calls for fostering a security-positive culture, which is largely a people-driven activity. This requires the top management to focus on building a positive information security culture within the entity through security education, training and awareness programs and integrating the information security responsibilities into the roles of employees and managers.

6. Ensure the security performance meets current and future requirements of the entity

Objective 6 calls for ensuring that the security performance meets current and future requirements of the entity.

A data-driven analytical approach for security performance monitoring and measurement would be highly beneficial for entities. This approach requires entities to identify and use software applications and automation platforms for data acquisition, evidence collection and analysis of both IT and information security performance. The acquired measurement data would help the internal, external, and special audit teams to review and assess the information security processes and activities.

National nodal agencies can further evolve platforms and processes for machine-processing of data from different entities to carry out sectoral and cross-sectoral analysis of audit compliance, audit effectiveness and grading of auditors. 

The governing bodies and the top management may apply following four main processes repetitively to achieve the above objectives:

  1. Evaluate

  2. Direct

  3. Monitor

  4. Communicate

Essential Top Level Management Governance Functions

The key processes for governance of Enterprise IT and Information Security are depicted in the pictorial below.

[Figure: Governance of Enterprise IT and Information Security]

A harmonised view of the governance functions is covered here.

Summary

The governance frameworks provide the core principles, objectives and processes in IT and Information Security for the governing bodies and top management to implement effective governance in their respective business context. The focus of governance of IT is on managing resources to acquire, process, store and disseminate information (this may include OT and IIoT). This functionality is complemented by the governance of Information Security, which focuses on confidentiality, integrity, and availability of information (including the safety of OT and IIoT).

The governing bodies and top management of all regulated and critical sector entities are accountable for the Governance of Enterprise IT and Information Security. They have the responsibility to evaluate and direct the specific actions required to implement the principles within their organisations and monitor their efficacy. In short, Governance of Enterprise IT and Information Security are board-level agendas.

Communication is an important Information Security governance process since it enables entities to be held accountable to interested parties. As part of this function, the critical sector entities must maintain a continuous information flow with the national nodal agencies and the sectoral regulators. This communication is necessary for the national nodal agencies to evaluate the effectiveness of the entities’ risk management and information security management. The entities are also required by law to report information security incidents to the appropriate national nodal agencies and regulators, as applicable.

The assurance aspect is overseen by the sectoral regulators and the national nodal agencies, which exercise their authority to audit the regulated and critical sector entities for compliance with the law, regulations and directives issued by them.

It is also important to recognise that, while the authority for specific aspects of IT and Information Security may be delegated to managers within the organisations, the accountability for effective, efficient, and acceptable use of IT and Information Security within the entity and all its organisations remains with the governing body and top management in the case of critical sector entities (CSEs). This responsibility and accountability cannot be delegated.

The governance of enterprise IT and information security in the internal context (within the jurisdiction of the entity) is fairly straightforward. All entities typically implement their IT, OT and IS infrastructure to align with their business functions. The operational structure is usually in the form of business units, departments, sites/ branches, and locations. The organisational structure is closely aligned with the operational structure in the form of a governing body or board, top or executive management, senior, middle-level, and lower-level management.

25 Sep 2025

Subsections of Governance

Information Security Management System (ISMS)

ISMS Design, Implementation and Operation

Overview and Purpose

All organisations recognise the need to protect their business functions, capabilities and processes from being disrupted or compromised. This requires resilience to be built in at the governance, business, technology and physical levels. Organisations use mechanisms like information security management systems (ISMS), incident response (IR), business continuity management systems (BCMS) and cyber crisis management plans (CCMP) to implement and manage the required resilience.

An Information Security Management System (ISMS) is a generic term for the practice of protecting an organisation’s business functions from disruption and compromise, and of ensuring compliance with laws and regulations. Critical sector entities with notified CII/Protected Systems are mandated under the IT (NCIIPC) Rules, 2018, to set up and operate an ISMS in their organisations.

All the business functions and processes run on an underlying information infrastructure. An ISMS can assure the resilience of an organisation’s information infrastructure.

Organisations have an option to design, implement and operate their own custom-built ISMS. However, most organisations implement their ISMS based on published standards like IS/ISO/IEC 27001 or QCI CSMS Level 1. The latter option gives them the benefit of independent third-party certification by an accredited Certification Body (CB).

Tip

It is advisable for an organisation to start its ISMS journey with a custom-designed, standards-agnostic ISMS. This approach will trigger a deep application of mind on the governance, business and technical objectives and the desired outcomes from the ISMS without being constrained by any specific framework. If required, Section 4 of ISO 27003 can be used for basic guidance and direction. Once the standards-agnostic ISMS design is accepted by the governing body and the top management, the ISMS implementation team can work on using an appropriate standard for implementation.

Information Security Management Systems (ISMS) design, implementation and operation refers to the approach that organisations must adopt to protect their IT, OT and IIoT information infrastructure and keep them resilient against cyberattacks. The practice involves identifying risks to the information infrastructure of the organisation, designing policies and controls to mitigate and manage these risks, and implementing the same within the organisation.

A crucial part of this practice is about regular reviews and updates to keep up with evolving security threats. Consistent review and improvement of an organisation’s ISMS practice not only secures the information infrastructure but also supports the organisations’ regulatory compliance and business continuity.

ISMS Governance

Governing bodies and top management of entities must direct the ISMS to be based on organisational requirements and to have an entity-wide perspective. They have the responsibility to evaluate the requirement for one or more ISMSs to support the information security objectives of the entity. Section 5 of ISO 27003 provides guidance for leadership functions. Section 6 of ISO 27003 and ISO 27005 provide guidance for risk related functions. Section 7 of ISO 27003 provides guidance on providing resources for the implementation and operation of an ISMS.

The governing body should undertake the following with due diligence for the success of ISMS:

  • Mandatorily define and document an enterprise-level context for ISMS in their organisations.

  • Approve the creation of ISMS.

  • Mandatorily define and document an enterprise-level ISMS objective and policy. It should provide directions to each ISMS implementation in the organisation to align it with the enterprise context.

  • All policy and regulatory directions received from the national nodal bodies and the regulators should be incorporated into the enterprise-level ISMS policy. This will help auditors assess whether all the policies have been incorporated.

  • Take decisions on acceptable levels of residual risk or appropriate risk treatments.

  • Provide each ISMS with communication channels and authority to inform interested parties and all persons in the scope of that ISMS.

Plans to obtain ISMS certifications must be formulated at the enterprise level. Obtaining certifications for individual sites without an entity-wide plan will be inefficient and ineffective, because the individual ISMSs would not be aligned with the entity’s information security objectives, policies, processes and risk management.

The governing bodies and top management of entities must also monitor the performance and effectiveness of the ISMS during the operational stage to keep it aligned with the organisation’s objectives.

Conformance to Standards

An ISMS based on ISO 27001:2022 or the NCIIPC-QCI Cybersecurity Management System (CSMS) Level 1 Scheme offers significant benefits in terms of documentation and guidance. The ISO 27000 series documents provide comprehensive information for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. These documents can also be used for establishing an ISMS even when an organisation does not want the ISO certification.

Note

The NCIIPC-QCI Cybersecurity Management System (CSMS) Level 1 Scheme encompasses ISO 27001 certification.

ISO 27000 Series

  • ISO 27001 (ISMS Requirements): Details the actual requirements for organizations to comply with the ISO 27000 standards.
  • ISO 27002 (ISMS Controls): Builds on ISO 27001 by providing a description of the various controls that can be utilized to meet the requirements of ISO 27001.
  • ISO 27003 (ISMS Implementation Guidelines): Guidelines for implementing an ISMS, covering securing project approval, defining scope, conducting analysis and risk assessment, and designing the ISMS framework.
  • ISO 27004 (ISMS Measurements): Outlines how an organization can monitor and measure security in relation to the ISO 27000 standards with metrics.
  • ISO 27005 (Risk Management): Defines the high-level risk management approach.
  • ISO 27006 (Guidelines for ISO 27000 accreditation bodies): Outlines the requirements for organizations that will measure ISO 27000 compliance for certification.

Tip

ISMS practitioners should study the ISO 27000 series documents listed above and adopt them in a suitable manner into the ISMS design, implementation and operation.

ISMS Design

Some of the activities and tasks associated with ISMS design are given below:

  • Scope Determination: Define the ISMS scope, ensuring it encompasses all assets, people, processes, and IT systems. The ISMS design and implementation team must understand the business functions and processes of the organisation and their interdependencies.
  • Policy Development: Design comprehensive security policies that address the protection of information assets against various threats and establish security objectives.
  • Roles Definition: Assign clear information security roles and responsibilities, ensuring accountability and proper oversight of the ISMS initiatives.
  • Risk Management: Find, assess, and handle risks according to the set standards.
  • Control Selection: Choose appropriate security controls from the relevant frameworks to mitigate identified risks.
  • Control Implementation: Deploy security measures and practices in alignment with the established ISMS policy framework, supporting the organisation’s security strategy.
  • Automation: Evaluate and select software applications and platforms for operating and managing the ISMS processes (documentation, risk, SoA mapping, evidence collection, compliance tracking etc).
  • Employee Training and Awareness: Combine regular security awareness programs with skill enhancement training to educate employees about ISMS policies and improve their ability to contribute to the organisation’s security.
  • Continuous Monitoring: Oversee the ongoing effectiveness of the ISMS and security controls, adapting to new threats and organisational changes.
  • Regular Audits: Implement a schedule of internal and external audits to ensure continuous compliance with ISMS requirements and identify opportunities for improvement.
  • Improvement Actions: Address non-conformities and areas of weakness identified during reviews and audits, closing gaps in the ISMS where necessary.

ISMS Implementation

Each ISMS must implement controls for information security risk treatment in accordance with the policies approved by the governing board / top management of the CSE. ISO 27003 provides explanation and guidance for implementing all requirements of ISO 27001.

Generic steps for implementing ISMS based on ISO 27001:2022 or NCIIPC-QCI Cybersecurity Management System (CSMS) Level 1 Scheme are given below:

  1. Set the scope of ISMS by defining what parts of the organisation’s information systems are intended to be protected. The scope typically includes the organisation’s business processes and locations that will be covered under ISMS.
  2. Establish and publish a top-level Information Security policy for the organisation. This will be further supported by subordinate policies.
  3. Set the Risk Assessment context as per the requirements stated in Clause 4 to Clause 10 of ISO 27001:2022. Use ISO 27005 and various other guidelines for risk assessment.
  4. Identify and evaluate risk as per Clause 6 and Clause 8 of ISO 27001:2022.
  5. Establish a Risk Acceptance Criteria (RAC) for the organisation, which should be approved by the top management of the organisation (Board or Board equivalent). The RAC will then be used as the basis for risk management (assessment, evaluation, and treatment).
  6. Set the risk acceptance threshold, based on the context of the organisation and the expectations of internal and external interested parties.
  7. Formulate the risk treatment plan in respect of the RAC by selecting appropriate controls from “Annex A of ISO 27001:2022”. Add supplementary and technical controls from external sources (e.g. guidelines and directives from Ministries, Regulators, NCIIPC, CERT-In, NSCS) and global good practices (e.g. PCI, CIS, Cloud Security Alliance) if they are considered necessary or suitable in the business context of the organisation. Use ISO 27002:2022 as a working guideline for meeting the requirements of ISO 27001:2022.
  8. Document all the applicable controls along with their point of application in a Statement of Applicability (SoA) document. Any control, if excluded, should be justified in the SoA and the same should also comply with the risk acceptance criteria.
  9. Implement the security controls given in the SoA on the information infrastructure. Typically, a two-tier control deployment, viz. a primary control and a supervisory control, is adopted to mitigate the critical risks.
  10. Carry out an audit or inspection of the information infrastructure through CERT-In empanelled auditors, covering both process and technical deployment of controls, as per the guidelines issued by CERT-In and NSCS.
  11. Test the effectiveness of implementation and operation of cyber security technical controls through the mechanism of Vulnerability Assessment and Penetration Testing (VA & PT).

ISMS flowchart is pictorially represented below.

[Figure: ISMS Flowchart]

ISMS Operation

Organisations should adopt appropriate methods to continuously operate and evaluate the performance and effectiveness of the ISMS after its implementation and Go-Live. Reporting to the governing body and top management is essential to the success of ISMS.

IS/ISO/IEC TS 27008:2019 provides guidance on reviewing and assessing the implementation and operation of information security controls. It includes the technical assessment of information system controls and their compliance with criteria established by the organisation, law and regulation.

Another critical aspect of ISMS operation is to measure the outcomes delivered by it. ISO/IEC 27004 provides detailed guidelines for evaluating the information security performance and the effectiveness of an ISMS.

ISO/IEC 27001:2022, Clause 9.1 requires the organisation to evaluate the information security performance and the effectiveness of the ISMS. It requires the organisation to determine:

  • what needs to be monitored and measured (systems, processes and activities).
  • the methods for monitoring, measurement, analysis and evaluation.
  • when the monitoring and measuring shall be performed.
  • who shall monitor and measure.
  • when the results from monitoring and measurement shall be analysed and evaluated.
  • who shall analyse and evaluate these results.

The ISMS operation must generate output for various attributes of the implemented controls that can be used to measure the efficacy of the controls, such as:

  • the degree to which a control reduces the likelihood of the occurrence of an event.
  • the degree to which a control reduces the consequence of an event.
  • the frequency of events that a control can cope with before failure.
  • how long after the occurrence of an event does it take for the control to detect that the event has occurred.

Measurable data from systems and processes is generated continuously in the form of event logs, metrics, traces and audit trails. These measures must be collected and analysed as frequently as possible. However, the reporting of such measures may be scheduled as per the needs of the interested parties.

For example, while data on security incidents is collected continually, internal reporting to higher levels of management will depend on the defined policies, such as severity (possibly requiring immediate notification, as in the case of a reportable breach) or aggregated values (as might be the case for attempted intrusions which were detected and blocked). Similarly, reporting of cybersecurity incidents to external interested parties like regulators, CERT-In, sectoral CERTs and NCIIPC will be based on their respective directives.

ISO/IEC 27001:2022 also requires the organisation to retain appropriate documented information as evidence of the monitoring and measurement results.

Metrics

Some of the possible metrics for continual improvement of ISMS are listed below.

Key Performance Indicators and their descriptions:

  • Number of Security Incidents: Count of unwanted events that could endanger the confidentiality, integrity, or availability of information.
  • Security Control Audit and Review Frequency: Measures the number of times security controls are reviewed and audited.
  • Audit Findings: The number of critical findings or unresolved issues from audits.
  • Delay in Scheduled Audits: Measures the percentage of scheduled audits and reviews that are not completed within their planned timeframes.
  • Number of Non-Compliance Issues: Tracks the number of non-compliance issues with legal and regulatory requirements identified during the audit.
  • Effectiveness of Security Controls: Tracks the percentage of risks successfully prevented, detected, and mitigated, i.e. how well security measures prevent, detect, and mitigate risks.
  • Policy Implementation Coverage: The percentage of critical assets covered by security policies.
  • Number of Outdated Policies: Number of policies that have not been updated to reflect current threats.
  • Number of Improvements Identified: Measures the number of policies, processes or controls identified for improvement during ISMS activities or audits.
  • Number of Non-Conformities Identified: Measures the number of occasions on which the ISMS fails to meet the specified ISO 27001 requirements.
  • Percentage of Assets Covered under ISMS: Measures the proportion of the organization’s assets (people, processes, technology) that are protected by the implemented ISMS.
  • Frequency of ISMS Review: Tracks the number of times the ISMS is reviewed and updated.
  • Employee Training Completion Rates: Number of employees that have completed security awareness and training programs.
  • Security Awareness Level: Measures the percentage of employees who understand security protocols.

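As an added worked example (not code from the page, NCIIPC or ISO), the script below turns constructed audit-trail lines into the Clause 9.1 style measurements described above (time to detect, attempts a control coped with), applies the two reporting rules from the text (immediate notification for severe incidents, aggregation for blocked attempts) and produces the incident-count KPI from the metrics list. The log format, the severity scale and the "high" notification threshold are assumptions made for the example.

```python
"""Added example: ISO/IEC 27001 Clause 9.1 style measurements and reporting
decisions derived from continuously collected security events.  The log
format, severities and notification threshold are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit-trail lines (hypothetical format):
#   timestamp | control | event_id | phase | severity
# "occurred" = when the event actually happened (e.g. established by forensics)
# "detected" = when the control raised it
# "blocked"  = an attempt the control prevented outright
SAMPLE_LOG = """\
2025-09-01T08:00:00 | edr | e1 | occurred | high
2025-09-01T08:07:00 | edr | e1 | detected | high
2025-09-01T09:00:00 | waf | e2 | blocked  | low
2025-09-01T09:01:00 | waf | e3 | blocked  | low
2025-09-01T10:00:00 | dlp | e4 | occurred | critical
2025-09-01T12:30:00 | dlp | e4 | detected | critical
2025-09-02T09:15:00 | waf | e5 | blocked  | low
2025-09-02T11:00:00 | dlp | e6 | occurred | medium
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
IMMEDIATE_THRESHOLD = "high"  # assumed policy: "high" and above are notified at once
PHASES = ("occurred", "detected", "blocked")


@dataclass(frozen=True)
class Event:
    ts: datetime
    control: str
    event_id: str
    phase: str
    severity: str


def parse_log(text: str) -> list:
    """Parse the constructed format; malformed lines are rejected, not silently skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            raise ValueError(f"expected 5 fields: {line!r}")
        ts, control, event_id, phase, severity = fields
        if phase not in PHASES or severity not in SEVERITY_RANK:
            raise ValueError(f"unknown phase or severity: {line!r}")
        events.append(Event(datetime.fromisoformat(ts), control, event_id, phase, severity))
    return events


def time_to_detect(events) -> dict:
    """Seconds from occurrence to detection per incident; None means still undetected."""
    occurred = {e.event_id: e.ts for e in events if e.phase == "occurred"}
    detected = {e.event_id: e.ts for e in events if e.phase == "detected"}
    return {eid: (detected[eid] - t0).total_seconds() if eid in detected else None
            for eid, t0 in occurred.items()}


def blocked_per_control(events) -> Counter:
    """Attempts each control coped with before they could become incidents."""
    return Counter(e.control for e in events if e.phase == "blocked")


def route_reports(events):
    """Reporting policy from the text: severe events are notified immediately when a
    control detects or blocks them; lower-severity blocked attempts are aggregated
    per control and day.  Undetected occurrences cannot be reported by anyone yet."""
    threshold = SEVERITY_RANK[IMMEDIATE_THRESHOLD]
    immediate, aggregated, notified = [], Counter(), set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.phase == "occurred":
            continue
        if SEVERITY_RANK[e.severity] >= threshold:
            if e.event_id not in notified:
                notified.add(e.event_id)
                immediate.append(e.event_id)
        elif e.phase == "blocked":
            aggregated[(e.control, e.ts.date().isoformat())] += 1
    return immediate, aggregated


def kpi_summary(events) -> dict:
    """KPIs from the metrics list: incident count plus detection coverage and speed."""
    ttd = time_to_detect(events)
    detected = [s for s in ttd.values() if s is not None]
    return {
        "security_incidents": len(ttd),
        "undetected_incidents": sum(1 for s in ttd.values() if s is None),
        "mean_time_to_detect_minutes": sum(detected) / 60 / len(detected) if detected else None,
        "attempts_blocked": sum(blocked_per_control(events).values()),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(kpi_summary(evs))
    print(route_reports(evs))
```

The undetected incident e6 shows why "occurred" timestamps reconstructed after the fact matter: they expose detection gaps that a count of raised alerts alone would hide.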
Leveraging Automation

Given the scale and complexity of modern information infrastructures, automation is essential for monitoring the use and effectiveness of controls. There are many software platforms that can monitor the ISMS activities and generate reports for various levels of management. The software platforms also provide a record of ISMS activities that the audit teams can use as evidence. Work is also being done to create human and machine-readable formats such as the Open Security Controls Assessment Language (OSCAL) for automated management of ISMS controls.

Periodic inspection and audit of ISMS of CSEs is a time-consuming activity. The regulators and national bodies can also create platforms and processes for machine-processing of ISMS data from the CSEs, which will also help in sectoral and cross-sectoral analysis of audit compliance and non-compliance issues, audit effectiveness, grading of auditors etc.

ISMS Practice Owners

A sample matrix of responsibilities is given below.

Activity, primary ownership and collaborative role:

  • Establish and review the ISMS strategy. Primary: ISSC. Collaborative: Information Security Team.
  • Oversee the development of ISMS policies and procedures. Primary: CISO. Collaborative: Information Security Team.
  • Maintain the ISMS documentation and control mechanisms. Primary: Information Security Team. Collaborative: none.
  • Ensure ISMS compliance with legal and regulatory standards. Primary: GRC Team. Collaborative: Legal Team.
  • Implement controls, standards and guidelines emanating from the ISMS implementation and design programme. Primary: IT/OT Ops Team. Collaborative: none.
  • Conduct ISMS awareness and training programs. Primary: HR Team. Collaborative: Information Security Team.
  • Monitor and report on ISMS performance using KPIs/KRIs. Primary: GRC Team. Collaborative: IT/OT Ops Team.
  • Manage ISMS auditing and continual improvement. Primary: Internal/External Audit Team. Collaborative: Information Security Team.

NCIIPC Guidelines

Important

These guidelines are taken from NCIIPC’s documentation of Nov 2024. CSEs must consult NCIIPC for the latest updates and further guidance.

Governance

  • CSE shall design, develop, approve, and implement ISMS as part of the Information Security Policy to maintain confidentiality, integrity, and availability of the organisation’s information assets.
  • CSE shall establish an Information Security Steering Committee responsible for providing direction, approving policies, and monitoring the ISMS effectiveness.
  • CSE shall describe and assign information security roles and responsibilities based on the organization’s requirements.
  • CSE shall appoint a senior management representative as the Chief Information Security Officer (CISO) to oversee the ISMS design, implementation, operation, and maintenance.
  • CSE shall ensure that all individuals working in the organisation are aware of:
    • the information security policy;
    • their part in improving the security system;
    • the consequences of not following security policies.
  • CSEs shall establish clear channels for all information security related communications.
  • CSE shall conduct reviews of the ISMS to ensure the effectiveness of the organization’s approach to managing cybersecurity and its implementation, at planned intervals or when significant changes occur.
  • All employees shall be provided with information security awareness training and be held accountable for adhering to security policies and procedures.
  • CSE should monitor the defined Key Performance Indicators (KPIs) to measure the effectiveness and efficiency of the ISMS design, implementation and operation.

Technical

  • CSEs shall develop and implement an ISMS policy framework that includes related information security policies, procedures, and standards.
  • While developing the ISMS, the CSE shall consider relevant factors, identify risks and opportunities, and focus on preventative measures and continuous improvement.
  • CSE shall implement appropriate security controls based on identified risks, in alignment with ISO 27001 Annex A controls as well as other controls prescribed by regulators and nodal agencies.
  • CSE shall maintain a Statement of Applicability (SoA) defining the controls applicable to the organisation.
  • CSE shall identify and control external documents deemed necessary for the planning and operation of its information security management system.
  • CSE shall review the ISMS design and implementation process at regular intervals and implement changes.
  • CSE shall utilize appropriate technological, organizational, and physical safeguards to protect information assets.
  • CSE shall ensure compliance with all applicable laws and regulations regarding information security and data privacy.
  • CSE shall maintain a business continuity and disaster recovery plan to minimize disruption in the event of an incident.
  • CSE shall design and execute an audit programme to assess the ISMS. This programme shall have a systematic approach and prioritise processes based on their significance and findings from previous audits.
  • The auditing exercise shall provide documented information to verify the execution and effectiveness of the ISMS.

ISMS for Regulators

Besides the CSEs, the regulatory bodies would also benefit from establishing an ISMS, based on recognised standards. The ISMS would specifically help the regulators to:

  • Control the collection, processing, distribution, and retention of sensitive information to be processed by them for effective regulation in the sector.
  • Understand the requirements of the ISMS established and audit the regulated entities on adherence to those requirements.
  • Issue sector-specific requirements, guidelines and checklists to address the variations and constraints relevant to the local processing requirements.
  • Adopt audit tools and analysis engines, designed to standard requirements, for evaluation of the information security performance of the regulated entities.

ISMS for Agencies directing CSEs

Agencies directing and controlling the operations in the critical sector have a responsibility to lead the way. The controlling agency typically reviews the functioning of the CSEs and, where policies exist that hinder the achievement of business objectives, identifies and reports them for improvement. Such agencies consequently hold sensitive data of the critical sectors. It is therefore recommended that the agencies also implement an ISMS to protect the information being processed at various levels within the agencies. Establishment of an ISMS will help the agencies to:

  • Control the collection, processing, distribution, and retention of sensitive information to be processed by them for effective governance in the sector.
  • Understand the requirements of the ISMS established, and issue relevant directions to the controlled entities and their supply chain on adherence to those requirements.
  • Establish a centrally managed framework to identify, analyse, evaluate, and treat the information security risks prevalent in the sector.
  • Get trust, recognition, and support from other stakeholders for information security governance in the sector.
  • Respond to emerging information security threats and trends by centrally managing the information security incidents in the sector.
  • Easily migrate to any upgrades and improvements in information security governance, based on international and industry best practices.