Implementation of Information Security Management System (ISMS)

Abstract

Fundamental to ISO 27000 (ISO/IEC 27001:2005, 2005) is the concept of an information security management system (ISMS). The information security management system (ISMS) is the part of the overall management system, which is based on a business risk approach, to establish, implement, operate, monitor, maintain, and improve information security. The management system includes organization, structure and policies, planning activities, responsibilities, practices, procedures, processes, and resources. For the management of information security, its scope, administration and resources will depend on the size of the healthcare organization and information resources in question. The ISMS should be effective if it is to be useful to the organization. Information security should be an integral part of the healthcare organization’s operating and business culture. Information security is primarily a management issue, rather than a technical issue, although one should not ignore the technical problems especially given the widespread dependence on the use of IT. Information security management is not a one-off exercise, but should be seen as an ongoing activity of continual improvement. Well-managed information security is a business enabler. No organization can operate successfully in today’s world without information security. A well chosen management system of controls for information security, properly implemented and used, will make a positive contribution to the success of the healthcare organization, not just a cost against the bottom line.