There are several definitions that can be obtained from some security-related standards such as ISO / IEC 17799:2005 Information technology. Security techniques. Code of practice for information security management, or ISO 13335-1:2004 Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management, and are all based on a key concept, safety should be aimed at the preservation of confidentiality, integrity, and availability of information, irrespective of other characteristics related to the former, such as authentication, traceability, regulatory compliance, etc. There is no doubt that the information represents the most critical asset for an organization to achieve the success of the business or strategic objectives, ie those who are critical and represent the reason for the company. The business objectives go through to get that information, whatever is its support and its life cycle within the organization, whether analyzed under different requirements: quality, financial, security, legal, or others that time may be needed. These requirements will lead to resources and processes used in information systems to achieve strategic goals Having identified the key terms of information security, you must approach them from the point of view of management, applying a systematic process documented and known throughout the organization to ensure compliance, the company is not completely safe, but knows the risks it faces, evaluated them, knows them manage and minimized in a documented, systematic, structured, repeatable, efficient and adapted to the changes occurring in the information system.
A system for managing information security (ISMS), is one system that includes security policy, organizational structure, procedures, processes, and resources necessary to implement the safety management of information in terms of technical, legal and organizational issues identified in the organization. To implement it successfully in an organization there are several key elements: – Getting the management support .- Have a clear vision of the processes and key elements to include in the system, since an excess of ambition could derail the system. – Evaluate the risks that compromise these processes .- To describe a security policy based on risk analysis results .- To adopt the model of continuous improvement, PDCA cycle, allowing the system to monitor, detect and treat risks efficiently. – Document the system according to different strategic levels (manual safety, general procedures, technical instructions, and records of operation). ISO / IEC 27001:2005, internationally known standard defines the requirements for implementing an ISMS. The benefits of the system are various and include ease of integration with other systems management ISO 9000 and ISO 14000, compliance with legal requirements (laws by LSSI, etc), effective risk management, differentiation in the sector, credibility and confidence of managers, partners and stakeholders, reducing costs associated with incidents, and finally, improvements in staff awareness and increase responsibility for information security..