Information Security Management System (ISMS)
ISMS Design, Implementation and Operation
Overview and Purpose
All organisations recognise the need to protect their business functions, capabilities and processes from being disrupted or compromised. This requires resilience to be built into the governance, business, technology and physical levels. Organisations use mechanisms like information security management systems (ISMS), incident response (IR), business continuity management systems (BCMS) and cyber crisis management plans (CCMP) to implement and manage the required resilience.
Information Security Management System (ISMS) is a generic term to describe the practice of protecting an organisation’s business functions from disruption and compromise, and of ensuring compliance with laws and regulations. Critical sector entities with notified CII/Protected Systems are mandated under the IT (NCIIPC) Rules, 2018, to set up and operate an ISMS in their organisations.
All the business functions and processes run on an underlying information infrastructure. An ISMS can assure the resilience of an organisation’s information infrastructure.
Organisations have an option to design, implement and operate their own custom-built ISMS. However, most organisations implement their ISMS based on published standards like IS/ISO/IEC 27001 or QCI CSMS Level 1. The latter option gives them the benefit of independent third-party certification by an accredited Certification Body (CB).
Tip
It is advisable for an organisation to start its ISMS journey with a custom-designed, standards-agnostic ISMS. This approach will trigger a deep application of mind on the governance, business and technical objectives and the desired outcomes from the ISMS without being constrained by any specific framework. If required, Section 4 of ISO 27003 can be used for basic guidance and direction. Once the standards-agnostic ISMS design is accepted by the governing body and the top management, the ISMS implementation team can work on using an appropriate standard for implementation.
Information Security Management Systems (ISMS) design, implementation and operation refers to the approach that organisations must adopt to protect their IT, OT and IIoT information infrastructure and keep them resilient against cyberattacks. The practice involves identifying risks to the information infrastructure of the organisation, designing policies and controls to mitigate and manage these risks, and implementing the same within the organisation.
A crucial part of this practice is about regular reviews and updates to keep up with evolving security threats. Consistent review and improvement of an organisation’s ISMS practice not only secures the information infrastructure but also supports the organisations’ regulatory compliance and business continuity.
ISMS Governance
Governing bodies and top management of entities must direct the ISMS to be based on organisational requirements and to have an entity-wide perspective. They have the responsibility to evaluate the requirement for one or more ISMSs to support the information security objectives of the entity. Section 5 of ISO 27003 provides guidance for leadership functions. Section 6 of ISO 27003 and ISO 27005 provide guidance for risk-related functions. Section 7 of ISO 27003 provides guidance on providing resources for the implementation and operation of the ISMS.
The governing body should undertake the following with due diligence for the success of ISMS:
- Mandatorily define and document an enterprise-level context for ISMS in their organisations.
- Approve the creation of the ISMS.
- Mandatorily define and document an enterprise-level ISMS objective and policy. It should provide directions to each ISMS implementation in the organisation to align it with the enterprise context.
- All policy and regulatory directions received from national nodal bodies and the regulators should be incorporated into the enterprise-level ISMS policy. This will help auditors assess whether all the policies have been incorporated.
- Take decisions on acceptable levels of residual risk or appropriate risk treatments.
- Provide each ISMS with communication channels and the authority to inform interested parties and all persons in the scope of that ISMS.
Plans to obtain ISMS certifications must be formulated at the enterprise level. Obtaining certifications for individual sites without an entity-wide plan will be inefficient and ineffective, because the individual ISMSs would not be aligned with the entity’s information security objectives, policies, processes and risk management.
The governing bodies and top management of entities must also monitor the performance and effectiveness of the ISMS during the operational stage to keep it aligned with the organisation’s objectives.
Conformance to Standards
An ISMS based on ISO 27001:2022 or the NCIIPC-QCI Cybersecurity Management System (CSMS) Level 1 Scheme offers significant benefits in terms of documentation and guidance. The ISO 27000 series documents provide comprehensive information for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. These documents can also be used for establishing an ISMS even when an organisation does not want ISO certification.
Note
The NCIIPC-QCI Cybersecurity Management System (CSMS) Level 1 Scheme encompasses ISO 27001 certification.
| ISO 27000 Series | Description |
|---|---|
| ISO 27001 | ISMS Requirements - Details the actual requirements for organisations to comply with the ISO 27000 standards. |
| ISO 27002 | ISMS Controls - Builds on ISO 27001 by providing a description of the various controls that can be utilised to meet the requirements of ISO 27001. |
| ISO 27003 | ISMS Implementation Guidance - Covers securing project approval, defining scope, conducting analysis and risk assessment, and designing the ISMS framework. |
| ISO 27004 | ISMS Measurements - Outlines how an organisation can monitor and measure security in relation to the ISO 27000 standards with metrics. |
| ISO 27005 | Risk Management - Defines the high-level risk management approach. |
| ISO 27006 | Guidelines for ISO 27000 Accreditation Bodies - Outlines the requirements for organisations that will measure ISO 27000 compliance for certification. |
Tip
ISMS practitioners should study the ISO 27000 series documents listed above and adopt them in a suitable manner into the ISMS design, implementation and operation.
ISMS Design
Some of the activities and tasks associated with ISMS design are given below:
- Scope Determination: Define the ISMS scope, ensuring it encompasses all assets, people, processes, and IT systems. The ISMS design and implementation team must understand the business functions and processes of the organisation and their interdependencies.
- Policy Development: Design comprehensive security policies that address the protection of information assets against various threats and establish security objectives.
- Roles Definition: Assign clear information security roles and responsibilities, ensuring accountability and proper oversight of the ISMS initiatives.
- Risk Management: Identify, assess and treat risks according to the established standards.
- Control Selection: Choose appropriate security controls from the relevant frameworks to mitigate identified risks.
- Control Implementation: Deploy security measures and practices in alignment with the established ISMS policy framework, supporting the organisation’s security strategy.
- Automation: Evaluate and select software applications and platforms for operating and managing the ISMS processes (documentation, risk, SoA mapping, evidence collection, compliance tracking etc.).
- Employee Training and Awareness: Combine regular security awareness programs with skill enhancement training to educate employees about ISMS policies and improve their ability to contribute to the organisation’s security.
- Continuous Monitoring: Oversee the ongoing effectiveness of the ISMS and security controls, adapting to new threats and organisational changes.
- Regular Audits: Implement a schedule of internal and external audits to ensure continuous compliance with ISMS requirements and identify opportunities for improvement.
- Improvement Actions: Address non-conformities and areas of weakness identified during reviews and audits, closing gaps in the ISMS where necessary.
ISMS Implementation
Each ISMS must implement controls for information security risk treatment in accordance with the policies approved by the governing board / top management of the CSE. ISO 27003 provides explanation and guidance for implementing all requirements of ISO 27001.
Generic steps for implementing ISMS based on ISO 27001:2022 or NCIIPC-QCI Cybersecurity Management System (CSMS) Level 1 Scheme are given below:
- Set the scope of ISMS by defining what parts of the organisation’s information systems are intended to be protected. The scope typically includes the organisation’s business processes and locations that will be covered under ISMS.
- Establish and publish a top-level Information Security policy for the organisation. This will be further supported by subordinate policies.
- Set the Risk Assessment context as per the requirements stated in Clause 4 to Clause 10 of ISO 27001:2022. Use ISO 27005 and various other guidelines for risk assessment.
- Identify and evaluate risk as per Clause 6 and Clause 8 of ISO 27001:2022.
- Establish Risk Acceptance Criteria (RAC) for the organisation, which should be approved by the top management of the organisation (Board or Board equivalent). The RAC will then be used as the basis for risk management (assessment, evaluation and treatment).
- Set the risk acceptance threshold, based on the context of the organisation and the expectations of internal and external interested parties.
- Formulate the risk treatment plan in respect of the RAC by selecting appropriate controls from “Annex A of ISO 27001:2022”. Add supplementary and technical controls from external sources (e.g. guidelines and directives from Ministries, Regulators, NCIIPC, CERT-In, NSCS) and global good practices (e.g. PCI, CIS, Cloud Security Alliance) if they are considered necessary or suitable in the business context of the organisation. Use ISO 27002:2022 as a working guideline for meeting the requirements of ISO 27001:2022.
- Document all the applicable controls along with their point of application in a Statement of Applicability (SoA) document. Any control, if excluded, should be justified in the SoA and the same should also comply with the risk acceptance criteria.
- Implement the security controls given in the SoA on the information infrastructure. Typically, a two-tier control deployment, viz. a primary control and a supervisory control, is adopted to mitigate the critical risks.
- Carry out an audit or inspection of the information infrastructure through CERT-In empanelled auditors, covering both process and technical deployment of controls, as per the guidelines issued by CERT-In and NSCS.
- Test the effectiveness of the implementation and operation of cyber security technical controls through the mechanism of Vulnerability Assessment and Penetration Testing (VA & PT).
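The RAC, risk evaluation and SoA steps above can be made concrete in code. The following is an added illustration, not the document's or NCIIPC's own tooling: the risk register, the RAC threshold, the control catalogue and the exclusion justifications are constructed sample data, and the Annex A numbers serve only as control labels.

```python
"""Risk evaluation against Risk Acceptance Criteria (RAC) and a Statement of
Applicability (SoA) consistency check.

Added illustration, not the document's or NCIIPC's own tooling. The risk
register, the RAC threshold and the control catalogue are constructed sample
data; the Annex A numbers serve only as control labels."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    asset: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # treatment controls chosen

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed RAC approved by top management: a score at or below the
# threshold may be accepted as residual risk; anything above must be treated.
RAC_THRESHOLD = 8

# Constructed risk register.
RISKS = [
    Risk("R1", "OT historian server", 4, 5, ["A.8.8", "A.8.16"]),
    Risk("R2", "HR records system", 3, 4, ["A.5.1"]),
    Risk("R3", "Public website", 2, 3),
    Risk("R4", "Vendor remote access", 5, 3),
]
# Constructed control catalogue and the justifications recorded for exclusions.
CATALOGUE = ["A.5.1", "A.5.7", "A.8.8", "A.8.16", "A.8.20"]
EXCLUSIONS = {
    "A.5.7": "No external threat feeds in scope; sectoral CERT advisories used.",
    "A.8.20": "",   # exclusion recorded but no justification written
}


def evaluate(risks, threshold=RAC_THRESHOLD):
    """Split the register into risks needing treatment and risks acceptable as-is."""
    treat = [r for r in risks if r.score > threshold]
    accept = [r for r in risks if r.score <= threshold]
    return treat, accept


def treatment_gaps(risks, threshold=RAC_THRESHOLD):
    """Risks above the RAC threshold that have no control selected yet."""
    return [r.risk_id for r in risks if r.score > threshold and not r.controls]


def build_soa(risks, catalogue, exclusions):
    """Build the SoA: each control is applicable (justified by the risks it
    treats) or excluded (which requires a written justification)."""
    applicable = {}
    for r in risks:
        for ctrl in r.controls:
            applicable.setdefault(ctrl, []).append(r.risk_id)
    soa, unjustified = {}, []
    for ctrl in catalogue:
        if ctrl in applicable:
            soa[ctrl] = {"applicable": True, "justification": applicable[ctrl]}
        elif exclusions.get(ctrl, "").strip():
            soa[ctrl] = {"applicable": False, "justification": exclusions[ctrl]}
        else:
            soa[ctrl] = {"applicable": False, "justification": None}
            unjustified.append(ctrl)  # excluded without a recorded reason
    return soa, unjustified
```

Running `build_soa(RISKS, CATALOGUE, EXCLUSIONS)` flags A.8.20 as excluded without justification, and `treatment_gaps(RISKS)` flags R4 as a risk above the RAC threshold with no treatment selected.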
ISMS flowchart is pictorially represented below.
ISMS Operation
Organisations should adopt appropriate methods to continuously operate and evaluate the performance and effectiveness of the ISMS after its implementation and Go-Live. Reporting to the governing body and top management is essential to the success of ISMS.
IS/ISO/IEC TS 27008:2019 provides guidance on reviewing and assessing the implementation and operation of information security controls. It includes the technical assessment of information system controls and their compliance with criteria established by the organisation, law and regulation.
Another critical aspect of ISMS operation is to measure the outcomes delivered by it. ISO/IEC 27004 provides detailed guidelines for evaluating the information security performance and the effectiveness of an ISMS.
ISO/IEC 27001:2022, Clause 9.1 requires the organisation to evaluate the information security performance and the effectiveness of the ISMS. It requires the organisation to determine:
- what needs to be monitored and measured (systems, processes and activities).
- the methods for monitoring, measurement, analysis and evaluation.
- when the monitoring and measuring shall be performed.
- who shall monitor and measure.
- when the results from monitoring and measurement shall be analysed and evaluated.
- who shall analyse and evaluate these results.
The ISMS operation must generate output for various attributes of the implemented controls that can be used to measure the efficacy of the controls, such as:
- the degree to which a control reduces the likelihood of the occurrence of an event.
- the degree to which a control reduces the consequence of an event.
- the frequency of events that a control can cope with before failure.
- how long after the occurrence of an event does it take for the control to detect that the event has occurred.
Measurable data from systems and processes is generated continuously in the form of event logs, metrics, traces and audit trails. These measures must be collected and analysed as frequently as possible. However, the reporting of such measures may be scheduled as per the needs of the interested parties.
For example, while data on security incidents is collected continually, internal reporting to higher levels of management will depend on the defined policies, such as severity (possibly requiring immediate notification, as in the case of a reportable breach) or aggregated values (as might be the case for attempted intrusions which were detected and blocked). Similarly, reporting of cybersecurity incidents to external interested parties like regulators, CERT-In, sectoral CERTs and NCIIPC will be based on their respective directives.
ISO/IEC 27001:2022 also requires the organisation to retain appropriate documented information as evidence of the monitoring and measurement results.
Metrics
Some of the possible metrics for continual improvement of ISMS are listed below.
| Key Performance Indicators | Description |
|---|---|
| Number of Security Incidents | Count of unwanted events that could endanger the confidentiality, integrity, or availability of information. |
| Security Control Audit and Review Frequency | Measures the number of times security controls are reviewed and audited. |
| Audit Findings | The number of critical findings or unresolved issues from audits. |
| Delay in Scheduled Audits | Measures the percentage of scheduled audits and reviews that are not completed within their planned timeframes. |
| Number of Non-Compliance Issues | Tracks the number of non-compliance issues with legal and regulatory requirements identified during audits. |
| Effectiveness of Security Controls | Tracks the percentage of risks successfully prevented, detected and mitigated by the security measures. |
| Policy Implementation Coverage | The percentage of critical assets covered by security policies. |
| Number of outdated Policies | Number of policies that are not updated to reflect current threats. |
| Number of Improvements Identified | Measures the number of policies, processes or controls identified for improvement during ISMS activities or audits. |
| Number of Non-Conformities Identified | Measures the number of occasions on which the ISMS fails to meet the specified ISO 27001 requirements. |
| Percentage of Assets Covered under ISMS | Measures the proportion of the organization’s assets - people, processes, technology - that are protected by the implemented ISMS. |
| Frequency of ISMS Review | Tracks how often the ISMS is reviewed and updated. |
| Employee Training Completion Rates | Number of employees that have completed security awareness and training programs. |
| Security Awareness Level | Measures the percentage of employees understanding security protocols. |
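The measurement outputs described under ISMS Operation (including detection latency as a control efficacy attribute, severity-based escalation in reporting) and several of the KPIs in the table above can be derived from monitoring records. The following is an added illustration, not the document's own code: the incident, audit, policy and training records are constructed sample data, and the field names, the 365-day policy review period and the severity labels are assumptions.

```python
"""Computing ISMS measurement outputs and KPIs from monitoring records.

Added illustration, not the document's own code. The incident, audit, policy
and training records are constructed sample data; the field names, the
365-day policy review period and the severity labels are assumptions."""
from datetime import date, datetime

# Constructed records. Incidents carry occurrence and detection timestamps so
# that detection latency (one of the control efficacy attributes) can be read.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-10-01T02:10:00",
     "detected": "2024-10-01T02:40:00", "severity": "high"},
    {"id": "INC-2", "occurred": "2024-10-03T11:00:00",
     "detected": "2024-10-03T11:05:00", "severity": "low"},
    {"id": "INC-3", "occurred": "2024-10-09T23:00:00",
     "detected": "2024-10-10T08:00:00", "severity": "high"},
]
AUDITS = [
    {"name": "Q3 internal audit", "planned": "2024-09-30", "completed": "2024-09-28"},
    {"name": "Access review", "planned": "2024-10-15", "completed": "2024-10-22"},
    {"name": "DR drill review", "planned": "2024-10-31", "completed": None},
    {"name": "Q4 internal audit", "planned": "2024-12-20", "completed": None},
]
POLICIES = [
    {"name": "Access control", "last_reviewed": "2023-08-01"},
    {"name": "Incident response", "last_reviewed": "2024-06-15"},
]
TRAINING = {"headcount": 40, "completed": 34}


def mean_time_to_detect_minutes(incidents, severity=None):
    """Average minutes between an event occurring and a control detecting it."""
    sel = [i for i in incidents if severity is None or i["severity"] == severity]
    if not sel:
        return None
    secs = sum((datetime.fromisoformat(i["detected"])
                - datetime.fromisoformat(i["occurred"])).total_seconds() for i in sel)
    return secs / 60 / len(sel)


def delayed_audit_percentage(audits, as_of):
    """Share of audits due by as_of not completed within their planned date."""
    due = [a for a in audits if date.fromisoformat(a["planned"]) <= as_of]
    if not due:
        return 0.0
    late = [a for a in due if a["completed"] is None
            or date.fromisoformat(a["completed"]) > date.fromisoformat(a["planned"])]
    return 100.0 * len(late) / len(due)


def outdated_policies(policies, as_of, max_age_days=365):
    """Policies whose last review is older than the allowed review period."""
    return [p["name"] for p in policies
            if (as_of - date.fromisoformat(p["last_reviewed"])).days > max_age_days]


def training_completion_rate(training):
    return 100.0 * training["completed"] / training["headcount"]


def immediate_notifications(incidents, severity="high"):
    """Incident ids the reporting policy escalates at once rather than aggregates."""
    return [i["id"] for i in incidents if i["severity"] == severity]


def kpi_report(as_of_iso):
    """Assemble the figures for a management report as of a given ISO date."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "incidents": len(INCIDENTS),
        "mttd_minutes": round(mean_time_to_detect_minutes(INCIDENTS), 1),
        "delayed_audits_pct": round(delayed_audit_percentage(AUDITS, as_of), 1),
        "outdated_policies": outdated_policies(POLICIES, as_of),
        "training_completion_pct": training_completion_rate(TRAINING),
        "escalate_now": immediate_notifications(INCIDENTS),
    }
```

Collection runs continuously over the records; `kpi_report("2024-11-01")` produces the aggregated figures at whatever cadence the interested parties require.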
Leveraging Automation
Given the scale and complexity of modern information infrastructures, automation is essential for monitoring the use and effectiveness of controls. There are many software platforms that can monitor the ISMS activities and generate reports for various levels of management. The software platforms also provide a record of ISMS activities that the audit teams can use as evidence. Work is also being done to create human and machine-readable formats such as the Open Security Controls Assessment Language (OSCAL) for automated management of ISMS controls.
Periodic inspection and audit of ISMS of CSEs is a time-consuming activity. The regulators and national bodies can also create platforms and processes for machine-processing of ISMS data from the CSEs, which will also help in sectoral and cross-sectoral analysis of audit compliance and non-compliance issues, audit effectiveness, grading of auditors etc.
ISMS Practice Owners
A sample matrix of responsibilities is given below.
| Activity | Primary Ownership | Collaborative Role |
|---|---|---|
| Establish and review the ISMS strategy. | ISSC | Information Security Team |
| Oversee the development of ISMS policies and procedures. | CISO | Information Security Team |
| Maintain the ISMS documentation and control mechanisms. | Information Security Team | - |
| Ensure ISMS compliance with legal and regulatory standards. | GRC Team | Legal Team |
| Implement controls, standards and guidelines emanating from the ISMS implementation and design programme. | IT/OT Ops Team | - |
| Conduct ISMS awareness and training programs. | HR Team | Information Security Team |
| Monitor and report on ISMS performance using KPIs/KRIs. | GRC Team | IT/OT Ops Team |
| Manage ISMS auditing and continual improvement. | Internal/External Audit Team | Information Security Team |
NCIIPC Guidelines
Important
These guidelines are taken from NCIIPC’s documentation of Nov 2024. CSEs must consult NCIIPC for the latest updates and further guidance.
Governance
- CSE shall design, develop, approve, and implement ISMS as part of the Information Security Policy to maintain confidentiality, integrity, and availability of the organisation’s information assets.
- CSE shall establish an Information Security Steering Committee responsible for providing direction, approving policies, and monitoring the ISMS effectiveness.
- CSE shall describe and assign information security roles and responsibilities based on the organization’s requirements.
- CSE shall appoint a senior management representative as the Chief Information Security Officer (CISO) to oversee the ISMS design, implementation, operation, and maintenance.
- CSE shall ensure that all individuals working in the organisation are aware of:
  - the information security policy;
  - their part in improving the security system;
  - the consequences of not following security policies.
- CSEs shall establish clear channels for all information security related communications.
- CSE shall conduct reviews of the ISMS to ensure the effectiveness of the organization’s approach to managing cybersecurity and its implementation, at planned intervals or when significant changes occur.
- All employees shall be provided with information security awareness training and be held accountable for adhering to security policies and procedures.
- CSE should monitor the defined Key Performance Indicators (KPIs) to measure the effectiveness and efficiency of the ISMS design, implementation and operation.
Technical
- CSEs shall develop and implement an ISMS policy framework that includes related information security policies, procedures, and standards.
- While developing the ISMS, the CSE shall consider relevant factors, identify risks and opportunities, and focus on preventative measures and continuous improvement.
- CSE shall implement appropriate security controls based on identified risks, in alignment with ISO 27001 Annex A controls as well as other controls prescribed by regulators and nodal agencies.
- CSE shall maintain a Statement of Applicability (SoA) defining the controls applicable to the organisation.
- CSE shall identify and control external documents deemed necessary for the planning and operation of its information security management system.
- CSE shall review the ISMS design and implementation process at regular intervals and implement changes.
- CSE shall utilize appropriate technological, organizational, and physical safeguards to protect information assets.
- CSE shall ensure compliance with all applicable laws and regulations regarding information security and data privacy.
- CSE shall maintain a business continuity and disaster recovery plan to minimize disruption in the event of an incident.
- CSE shall design and execute an audit programme to assess the ISMS. This programme shall have a systematic approach and prioritise processes based on their significance and findings from previous audits.
- The auditing exercise shall provide documented information to verify the execution and effectiveness of the ISMS.
ISMS for Regulators
Besides the CSEs, the regulatory bodies would also benefit from establishing an ISMS, based on recognised standards. The ISMS would specifically help the regulators to:
- Control the collection, processing, distribution and retention of sensitive information to be processed by them for effective regulation in the sector.
- Understand the requirements of the ISMS established and audit the regulated entities on adherence to the requirements.
- Issue sector-specific requirements, guidelines and checklists to address the variations and constraints relevant to the local processing requirements.
- Adopt audit tools and analysis engines, designed to standard requirements, for evaluation of the information security performance in the regulated entities.
ISMS for Agencies directing CSEs
Agencies directing and controlling the operations in the critical sector have a responsibility to lead the way. The controlling agency typically reviews the functioning of the CSEs and, if policies exist that hinder the achievement of business objectives, these policies are identified and reported for improvement. Such agencies will therefore hold sensitive data of the critical sectors. It is therefore recommended that the agencies also implement an ISMS to protect the information being processed at various levels within the agencies. Establishment of an ISMS will help the agencies to:
- Control the collection, processing, distribution and retention of sensitive information to be processed by them for effective governance in the sector.
- Understand the requirements of the ISMS established, and issue relevant directions to the controlled entities and the supply chain on adherence to the requirements.
- Establish a centrally managed framework to identify, analyse, evaluate, and treat the information security risks prevalent in the sector.
- Get trust, recognition, and support from other stakeholders for information security governance in the sector.
- Respond to emerging information security threats and trends by centrally managing the information security incidents in the sector.
- Easily migrate to any upgrades and improvements in information security governance, based on international and industry best practices.