Cyber Security Planning And Compliance For ISMS System

ISMS requirements

Discuss cyber security planning and compliance for an ISMS.


Cyber security is a major challenge for companies. In Australia, compliance with cyber security standards is supported by the national Cyber Security Strategy of 2009, but the harder question for most organisations is where to start. To meet this challenge, companies have adopted international standards. ISO 27001 is the standard for implementing an information security management system (ISMS), and it is a sound starting point for tackling cyber security and protecting against increasing cyber-attacks. An ISMS is a systematic approach to managing a company's sensitive information so that it remains secure: it implements, monitors, reviews and improves the organisation's information security in support of its business objectives, and it covers people, procedures and IT systems through a risk management approach. An ISMS is useful to companies of every size, whether small, medium or large. KPMG is a professional services firm providing risk, financial, advisory, audit, tax and regulatory services. Its cyber security team assists organisations in transforming security, privacy and controls into business-enabling platforms (Knowles et al., 2015). The system maintains the confidentiality, reliability and availability of critical business functions. An ISMS manages information security at KPMG; it integrates information and data, keeps them confidential and makes them available at all times. The information system is expected to change over time.

An ISMS is a systematic approach to eliminating threats such as fraud, disruption and fire from a wide range of sources. The ISMS framework contains the policies and procedures used to tackle security risks in an organisation and minimises the security risks to information assets. An ISMS rests on three basic concepts: confidentiality, integrity and availability (Kolkowska, Karlsson & Hedström, 2017). The requirements and implementation of the ISMS at KPMG can be understood from the following points:

An ISMS covers people, processes and IT systems; it is not just antivirus software. It helps protect KPMG against various information security threats such as cyber-attacks, data leakage and data theft (Safa, Von Solms & Furnell, 2016), and it protects the assets and reputation of the business. Effective security measures minimise financial and reputational damage, whereas weak security measures are responsible for it.

An ISMS ensures that proper security controls are implemented in line with current business requirements, whether legal, contractual or regulatory, and it supports compliance with cyber security laws such as the General Data Protection Regulation (Can, 2015).


Risk assessment

An ISMS is a systematic way to manage risk and enables an organisation to make informed decisions. It reduces the risk of financial penalties and losses caused by data breaches arising from non-compliance with information security requirements (Tatiara, Fajar, Siregar & Gunawan, 2018). The cost of a data breach in the country is very high.

An ISMS helps KPMG implement good security practices aligned with international standards and with certified providers such as Google and Microsoft (Mohammed, Omar & Nguyen, 2017). The system enhances market recognition, business growth and customer retention through innovative and modest policies, and it brings additional benefits such as authorisations and customer assurance.

An ISMS gives KPMG regular assessments and internal audits that ensure continual improvement and the efficiency of its security protocols. Adopting a global security standard means that auditing extends to independent and unbiased external assessment at defined intervals, which reduces the need for frequent customer audits (Nicho & MBA, 2011). The system also builds integrity with staff, clients and partner companies and demonstrates due diligence.

An ISMS considers internal and external risks in the risk assessment across the company. Risks are measured, examined and evaluated against a set of defined criteria before risk controls are applied; controls are chosen on the basis of the probability and likely impact of each risk. An ISMS is a framework that helps the company make sound decisions about the risks specific to its business.

An ISMS represents a specialised, best-practice information security standard. Achieving certification shows clients, regulators and investors that the company follows information security best practices and protects data appropriately. The system's adaptive approach reduces the threat of evolving risks in the organisation, focuses on integrity as well as confidentiality, and even protects against major disasters to ensure timely business continuity.

Information security controls are not only technical or IT-related controls; they are a combination of different types of control, such as organisational, IT and human resources controls. For instance, approving a procedure is an organisational control, deploying a software tool is an IT control and training people is a human resources control. When information security becomes unmanageable, ISO 27001 is used to build the ISMS, which makes a complex system manageable by defining a set of rules and responsibilities. Information security controls are selected and implemented on the basis of the risk assessment of the information system. Security controls are the measures undertaken to protect an information system (Almeida & Respício, 2018); they protect it against incidents affecting the privacy, reliability and accessibility of the information system. There are two ways to classify security controls. One is to divide them into physical, technical and administrative control categories. The other is to classify them by their timing relative to a security incident, that is, as directive, preventive and corrective controls.

The information security controls

Physical security controls are the procedures that control physical access to sensitive information and protect the accessibility of information. These controls ensure that unauthorised people are kept out of physical spaces and away from assets where their presence could be a threat. Computers and computing devices are considered sensitive assets and spaces and should be secured accordingly. In KPMG's case, for instance, physical security controls include guards, restricted areas, CCTV, administrators and door access controls. Both administrative and technical controls depend on appropriate physical security controls (Alotaibi, Furnell & Clarke, 2016).

Technical security controls are also known as logical controls. They consist of the hardware and software features that help ensure the reliability and safety of data and operating systems. The hardware components separate core memory and prevent overlap, clear core memory to prevent job clutching, and enforce privilege levels that restrict access to the operating system. The software elements provide access management capabilities (Buccafurri et al., 2015) and protect the electronic information in a program. Together they form an effective logical system that provides a means to classify, authorise and limit authenticated users to stipulated actions.

Administrative security controls are the policies put in place to govern how employees act when handling the organisation's sensitive information. They tell members how the business should be run and how day-to-day processes should be directed. Laws and rules issued by the government are a form of administrative control, as they guide a business unit. Administrative security controls can be enforced alongside both technical and physical security controls (Preus et al., 2015).

KPMG reviews its ISMS at planned intervals to ensure its sustainability, capability and efficiency, which includes evaluating opportunities for improvement and any changes required to the ISMS. The system includes the security policy and objectives. An ISMS has improved KPMG's performance by reducing the losses that resulted from insufficient legal and regulatory compliance; standardised operation and certification increase the trust of interested parties. It has reduced the outage time caused by incidents, reduced damage and increased the efficiency of business processes. Various errors hinder the continuity of business activity, and in such cases remedial actions are taken through the ISMS (Gangwar & Date, 2015). The system has also harmonised the company's business and information technology aspects, which helps ensure cooperation in achieving common goals and narrows the gap between the IT and business personnel of the company. KPMG applies the ISO standard in operations and management to ensure that the company fulfils quality requirements. The ISMS has raised standards and established security awareness among the organisation's employees. It has been successful in improving KPMG's performance through corrective and preventive action: nonconformities associated with the organisation are eliminated with the implementation of the ISMS, which has helped the company determine and implement the corrective actions needed, record and review corrective action, and determine and implement preventive actions (Chen et al., 2014). Risks are identified and attention is concentrated on the significant ones. As a consequence of implementing the ISMS, KPMG has reviewed its security policy, objectives and audit results, and monitored events are analysed. Information security has been modified in response to internal and external events. KPMG's performance has been evaluated and improved after the implementation of the ISMS in three phases.

The maturity of KPMG's information security can be assessed from the ISMS and from its divergence from best practice. The security system reviews and controls the company's technology, procedures and employees.

Resource allocation: An ISMS provides professional personnel for implementing the standard. It requires a significant amount of resources, and the system assists with the interpretation of the standard's requirements (Furfaro et al., 2016).

Development of the documentation system: An ISMS inspects the regulations of KPMG that are linked to the requirements of the ISO 27001 standard, provides suggestions for the development of the business, and prepares any missing documentation and the information security policy.

Risk analysis: The system analyses the risks present in the organisation. Performing a risk analysis helps KPMG reduce risks that the organisation had not covered earlier, and it brings risks down to a level acceptable to management (Anwar et al., 2017).

Statement of applicability: The statement of applicability is prepared for the ISO 27001 certification audit. In this statement, compliance with the security controls is confirmed.

The system enables the process of gaining ISO 27001 certification. Certification enables KPMG to prove to external parties that the company complies with the information security requirements set out in the ISO 27001 standard (Ziyabari & Aris, 2014).

Conclusion

Cyber security has given rise to the use of the ISMS. An ISMS has changed the way KPMG creates and delivers value. The ability to obtain accurate information at the right time, in the right format and for the right people has directly brought business success. The effective technology resulting from the ISMS has realised its full potential and reduces risk. KPMG has moved cyber security to the heart of the company. The ISMS has widened the range of services, with heavy investment in research and development and in acquisitions, and the company has also achieved the highest score for current offering and strategy. KPMG has made significant cyber acquisitions and improved company performance. From this report, it can be concluded that the implementation of the ISMS has protected the assets and reputation of the business, complied with the latest regulatory requirements, minimised penalties and losses from data breaches, gained competitive market advantage and boosted security audit practices. Information security can be controlled by physical, technical and administrative security measures. The implementation of the ISMS has made it easy for the company to evaluate and improve its performance.

References

Almeida, L. and Respício, A., 2018. Decision support for selecting information security controls. Journal of Decision Systems, pp.1-8.

Alotaibi, M., Furnell, S. and Clarke, N., 2016, December. Information security policies: A review of challenges and influencing factors. In Internet Technology and Secured Transactions (ICITST), 2016 11th International Conference for (pp. 352-358). IEEE.

Anwar, M., He, W., Ash, I., Yuan, X., Li, L. and Xu, L., 2017. Gender difference and employees’ cybersecurity behaviors. Computers in Human Behavior, 69, pp.437-443.

Buccafurri, F., Fotia, L., Furfaro, A., Garro, A., Giacalone, M. and Tundis, A., 2015, September. An analytical processing approach to supporting cyber security compliance assessment. In Proceedings of the 8th International Conference on Security of Information and Networks (pp. 46-53). ACM.

Can, N., 2015, June. Legal issues concerning the cyber security of GNSS. In Recent Advances in Space Technologies (RAST), 2015 7th International Conference on (pp. 861-864). IEEE.

Chen, C.Y., Lin, C., Lu, T.H., Chen, H.F. and Chou, J.N., 2014. Core Competence of Information Security Service Specialists in System Integration Service Provider. In Proceedings of the 2nd International Conference on Intelligent Technologies and Engineering Systems (ICITES2013) (pp. 435-443). Springer, Cham.

Furfaro, A., Gallo, T., Garro, A., Saccà, D. and Tundis, A., 2016, May. Requirements specification of a cloud service for cyber security compliance analysis. In Cloud Computing Technologies and Applications (CloudTech), 2016 2nd International Conference on (pp. 205-212). IEEE.

Gangwar, H. and Date, H., 2015. Exploring Information Security Governance in Cloud Computing Organisation. International Journal of Applied Management Sciences and Engineering (IJAMSE), 2(1), pp.44-61.

Knowles, W., Prince, D., Hutchison, D., Disso, J.F.P. and Jones, K., 2015. A survey of cyber security management in industrial control systems. International journal of critical infrastructure protection, 9, pp.52-80.

Kolkowska, E., Karlsson, F. and Hedström, K., 2017. Towards analysing the rationale of information security non-compliance: Devising a Value-Based Compliance analysis method. The Journal of Strategic Information Systems, 26(1), pp.39-57.

Mohammed, D., Omar, M. and Nguyen, V., 2017. Enhancing Cyber Security for Financial Industry through Compliance and Regulatory Standards. In Security Solutions for Hyperconnectivity and the Internet of Things (pp. 113-129). IGI Global.

Nicho, M. and MBA, M., 2011. Effectiveness of the PCI DSS 2.0 on Preventing Security Breaches: A Holistic perspective. Retrieved online on 23rd January from https://www.sc2labs.com/public/uploaded/Effectiveness-of-PCI-DSS.pdf.

Preus, S., Noer, S.L., Hildebrandt, L.L., Gudnason, D. and Birkedal, V., 2015. iSMS: single-molecule FRET microscopy software. Nature Methods, 12(7), p.593.

Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.

Tatiara, R., Fajar, A.N., Siregar, B. and Gunawan, W., 2018, March. Analysis of factors that inhibiting implementation of Information Security Management System (ISMS) based on ISO 27001. In Journal of Physics: Conference Series (Vol. 978, No. 1, p. 012039). IOP Publishing.

Ziyabari, S.K. and Aris, I.B., 2014. A critical review of sustainable radio frequency identification (RFID)-based livestock monitoring and management systems: towards quality products and practices. Journal of New Sciences, 12.