Information exists in different forms. It can be printed on a paper, electronically stored or transmitted, and can even be viewed in films or spoken in conversations. Whatever the form it takes or the means it is shared, information should always be protected.

Information has now been exposed to a growing number of threats. To effectively manage these risks, security management system should be established.

Information Security Management System (ISMS) is a set of polices concerning on the management of an information security risk. It also pertains to the rules, processes, practices, standards, structures and responsibilities that are empowered in an organization in order to protect the availability, confidentiality and/or integrity of the business’s and the client’s information with respect to the objective of the business. It is the umbrella under which the activities of a business or business unit are defined, organized, managed and monitored.

There are guidelines being set by the International Standard Organization (ISO) in order to implement effective and robust ISMS. One of this is the ISO/IEC27001 standard. This is a standard that describes an ISMS framework for implementing the policies on information security management. This basically adheres to the management process called P-D-C-A (Plan-Do-Check-Act).

• Plan – plan to establish own organization’s ISMS.
• Do – implement and operate own ISMS.
• Check – maintenance and proper monitoring of ISMS are needed.
• Act – aim to continuously improve ISMS by providing preventive and corrective measures.

Having ISMS in an organization can be very beneficial not only to the company’s business goals but to the clients as well to whom the business is dealing with. Some of these benefits are:

• Creation of structure and mechanism for enhanced decision-making
• Working hand in hand with the information security and the Corporate Policy
• Enabling business-friendly, risk-based management
• Faster information security program management
• An aid in the creation of better strategies, standards, roles and responsibilities
• Providing a more competitive edge among others
• Enhancement of corporate governance and compliance-related activities
• Efficiency of centralized distributed environments
• A tool for better classification, and protection of information in the business.

With the advent of these technology, managers and employees should not be complacent enough and not to put the entire load to the system. It is there to serve as a guide to everyone on how to be more vigilant and proactive in terms of dealing with very sensitive and critical information that might become a risk to the company’s goals and objectives. It is the employees’ responsibility to learn and adapt to the system and be able to know the risks that are involved in the information being passed around within the company’s premises. Therefore, they should be aware of the capability and the power of the ISMS.

Today, there are a lot of ISMS tools available on the market that an organization can choose from. These tools are designed to be compliant to the de facto standards set by the ISO. These tools are either developed by companies who provide the above system such as the Integrated Security Management System, Inc. (ISMSi) and AVDAR ISMS. Alternatively, it could be custom-built by a certain company such as HP’s ISMS.

Depending on an organization’s need, they can always find a good source of ISMS tools and kits online. However, if a company wants to create their own ISMS committee then it is much better, since they can customize their system parallel to their goal. The ISO provides the guidelines and documents in creating effective ISMS. With this, any company can have their own implementation of ISMS as long as they follow the rules and the policies.

Security’s awareness is important because it is a key factor in protecting the confidentiality, integrity, and availability of a corporation’s information system. Thus, information security is everyone’s responsibility, especially those who, in a day to day basis, interact and manage information resources. Establishing an effective ISMS therefore is a must.