Legal Compliance with Information Security Management Systems (ISMS)

Legal Compliance with Information Security Management Systems (ISMS)

Companies use ISMS to apply a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes, and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure. Our attorneys and consultants can help you navigate this evolving area of law and help you stay compliant and minimize hacker risks.

ISO/IEC 27001:2013

Similar to other ISO management system standards, certification to ISO/IEC 27001 is not

obligatory. Some organizations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed.

What does an ISMS program look like?

The business benefits from ISO/IEC 27001 certification are considerable. DOD Contractors ensure compliance with the requirements of National Institute of Standards and Technology (NIST) 800-171 and 800-53. Properly implemented, a Quality Management System (QMS) based on the ISO/IEC 27001 standard helps ensure that business security risks are managed cost-effectively.

What is ISO/IEC 27001?

The ISO/IEC 27001 standard is invaluable for monitoring, reviewing, maintaining and improving a company’s information security management system. It formally specifies a management system that is intended to bring information security under explicit management control and risk management. Being a formal specification, the standard mandates specific requirements to conform. Organizations that claim to have adopted ISO/IEC 27001 can be formally audited and certified compliant with the standard.

ISO/IEC 27001 requires that management:

  • Systematically examine the organization’s information security risks
  • Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment
  • Adopts an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs

ISO/IEC 27000 and NIST 800.53?

Federal Information Processing Standards (FIPS) Publications are issued by NIST in accordance with Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act (FISMA) of 2002 (Public Law 107-347). FIPS Publication 200 Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST, in response to FISMA, and applies to private sector organizations engaged in classified work.

To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS 199 Standards for Security Categorization of Federal Information and Information Systems. Second, derive the information system impact level from the security category in accordance with FIPS 200. Third, apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations. Baseline security controls are identified with the guidance provided in NIST 800-53. With a Security Policy developed selecting appropriate controls, organizations can develop their relevant security control baseline and establish a process approach to risk management with their ISMS.

FIPS 200 and NIST 800-53, in combination, ensure that appropriate security requirements and security controls are applied to all federal information and information systems. Using a Quality Management System based on ISO/IEC 27001 a business can use the resulting organizational assessment of risk to validate its security control selection and determine if additional controls are needed to protect organizational operations. This would include mission, functions, image, reputation, organizational assets, individuals and other organizations. The resulting set of security controls establishes a level of security due diligence with continuous improvement.

obligatory. Some organizations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed.

What does an ISMS program look like?

The business benefits from ISO/IEC 27001 certification are considerable. DOD Contractors ensure compliance with the requirements of National Institute of Standards and Technology (NIST) 800-171 and 800-53. Properly implemented, a Quality Management System (QMS) based on the ISO/IEC 27001 standard helps ensure that business security risks are managed cost-effectively.

What is ISO/IEC 27001?

The ISO/IEC 27001 standard is invaluable for monitoring, reviewing, maintaining and improving a company’s information security management system. It formally specifies a management system that is intended to bring information security under explicit management control and risk management. Being a formal specification, the standard mandates specific requirements to conform. Organizations that claim to have adopted ISO/IEC 27001 can be formally audited and certified compliant with the standard.

ISO/IEC 27001 requires that management:

  • Systematically examine the organization’s information security risks
  • Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment
  • Adopts an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs

ISO/IEC 27000 and NIST 800.53?

Federal Information Processing Standards (FIPS) Publications are issued by NIST in accordance with Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act (FISMA) of 2002 (Public Law 107-347). FIPS Publication 200 Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST, in response to FISMA, and applies to private sector organizations engaged in classified work.

To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS 199 Standards for Security Categorization of Federal Information and Information Systems. Second, derive the information system impact level from the security category in accordance with FIPS 200. Third, apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations. Baseline security controls are identified with the guidance provided in NIST 800-53. With a Security Policy developed selecting appropriate controls, organizations can develop their relevant security control baseline and establish a process approach to risk management with their ISMS.

FIPS 200 and NIST 800-53, in combination, ensure that appropriate security requirements and security controls are applied to all federal information and information systems. Using a Quality Management System based on ISO/IEC 27001 a business can use the resulting organizational assessment of risk to validate its security control selection and determine if additional controls are needed to protect organizational operations. This would include mission, functions, image, reputation, organizational assets, individuals and other organizations. The resulting set of security controls establishes a level of security due diligence with continuous improvement.

ISO/IEC 27000 and NIST 800.171?

With Information Security concerns, many DOD Contracts are being required to conform to a Defense Federal Acquisition Regulation Supplement DFARS Subpart 204.73 and contract clause DFARS 252.204-7012. These requirements impose heightened security

safeguards and mandatory reporting requirements as well as subcontractor requirements for companies handling Covered Defense Information (CDI).

The new interim rule provides additional time to implement the security requirements specified by NIST 800-171. This can be satisfied with the implementation of an ISO/IEC 27001 QMS.

Who We Are and What We Can Do For You?

The Law Firm of Arcadier, Biggie, & Wood, PLLC works with CVG Strategy to implement the right security management ISMS solution based on your corporate size, the number of locations, and industry needs. CVG Strategy is a company with experienced auditors and consultants who can efficiently balance a reasonable security implementation plan that gives you a cost-effective solution, including helping your company apply for government grants which help subsidize the cost of implementation. Our law firm provides the legal oversight and compliance necessary to achieve ISMS certification, including providing any legal opinion letters which may be necessary from time to time.

Together, our Law Firm with CVG Strategy can provide you the following:

  • ISMS Certification
  • Audit your current ISMS plans or processes and implementation suggestions
  • Assess risks
  • ISMS Training
  • Provide a detailed scope of work based on your ISMS needs
  • Legal Advice concerning all related security issues and ISMS needs.
  • Serving clients world-wide