Information Security Management Systems

Information Security Management System (ISMS) Consulting services help an organization to design, implement and operate a coherent set of policies, standards, and procedures (PSP) to manage risks to its information assets. While ISO-27001 is the most well-known promoter of the ISMS concept, the idea of an ISMS can be found in other leading IT control frameworks including COBIT (most notably in Risk IT) and FISMA/NIST (most notably in SP 800-39). 

B. W. MURRAY & CO.’s ISMS Practice Area addresses the three key life-cycle phases of an ISMS:

  • Strategize: What framework(s) should we consider? What attestation do we need to provide to which stakeholders? What standards should we align ourselves with? What will the process look like if rolling this out world-wide? What internal/external resources will we need to design it, implement it, certify it, operate it, and validate it?
  • Implement: What Risk Assessment Methodology will we adopt? How do we develop the Risk Treatment Plan? How do we best gap-assess the current state against the desired state? How do we leverage Security Metrics to know that we are achieving our KPIs?
  • Operate: How do we evolve the scope of the ISMS to address other key systems or different locations? How do we independently/objectively validate the operation of the ISMS? How do we provide assurance/attestation to stakeholders like the Board and customers? How do we manage and learn from incidents before risk is realized?

Identifies 75 existing standards that are likely to be applicable to the development of the Smart Grid. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit and credit cards. It was intended to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has significantly changed business practices and policies for all Covered Entities (CE). As with many other regulatory issues, HIPAA is largely a call to a strong control environment, with a focus on the necessary security safeguards to ensure the security of patients. Contrary to prevailing opinion, the achievement of HIPAA Security compliance is not reliant on complex technology solutions and strategies, but rather on simpler people- and process-oriented control environment issues.

An Information Security Management Systems (ISMS) standard that is promulgated by the International Organization for Standardization (ISO). It is a formal specification for an ISMS in that it mandates a particular set of controls that need to be in place. Therefore, organizations that claim to have adopted 27001 can be formally audited and certified compliant with the standard. It is this ability to certify the operation of an ISMS that makes 27001 unique and makes it ideal to be used as a form of independent attestation to the design and operation of an Information Security program.

(formerly ISO 17799)

A “collection” of security controls (often referred to as best practices) that is often used as a “security standard”. By definition, an audit (or assessment) is a comparison to a standard. While 27002 is not a standard per se, it is often used that way. Assuming that the design and/or operation of your Information Security Management System is “consistent with” it (i.e., there are no notable gaps), it can be said that your environment is “compliant” with the standard.
