News about information security attacks against companies appears almost every day. The sources of these attacks range from cyber-criminals who steal company data in order to demand a ransom, to current or former employees who want to damage the organization. The best way to defend an organization's critical assets is to implement an Information Security Management System (ISMS) that protects all sensitive assets from the perspectives of confidentiality, integrity and availability. An ISMS offers top management a framework for controlling the flow of sensitive information. This framework includes a risk assessment that considers the security threats to, and the vulnerabilities of, the company's assets. Companies usually implement an ISMS only after they have a functional quality management system, which brings clarity and optimization to the company's processes. Current approaches to creating and implementing an effective ISMS are largely theoretical and thus difficult to apply in practice. The main objective of this paper is to present an ISMS implementation method for the case of a small company by defining the basic steps needed to reach a fully functional ISMS. The proposed methodology takes into account top management's ISMS objectives, the organizational context, risk assessment, and the fulfillment of third-party expectations.

eISSN:
2558-9652
Language:
English