Tools of information security management system

The methods and techniques described in the ISO 27001 standard are similar to those in ISO 9001. However, the different manner in which these tools are used, and the additional purposes they serve, should be noted. The main tools of an ISMS are:

  • management review,
  • corrective actions,
  • preventive actions,
  • incident management,
  • risk assessment,
  • risk treatment plans,
  • compliance metrics,
  • internal audit.

Management review. The management review is a regular meeting of executives dedicated to the functioning of the system. The main reviews are held several times a year, while short meetings may take place even several times a month. Reviews allow information to be gathered and compared and entail discussion between representatives of the organizational units. In this way each participant gains a better understanding of the company's situation. The management review promotes an understanding of the relations between different parts of the organization, and understanding those relations enables managers to detect problems more accurately.

Corrective actions. The aim of corrective actions is the removal of non-compliance and of the causes of incidents. These actions are taken on the basis of information about identified non-compliance. The information security manager is responsible for the proper conduct of the actions, while the employees, according to their competencies, are responsible for removing the causes. Quick removal of causes makes it possible to minimize adverse effects and gives the company immunity to that type of cause.

Preventive actions. Preventive actions serve to detect and remove potential causes that could lead to non-compliance or incidents. Carrying them out requires the involvement of all employees in identifying potential problems. The procedure for running these actions is the same as for corrective actions. Identifying the causes allows further causes of problems to be found and gives a better understanding of the organization and its environment. Moreover, removing the causes means that no adverse effects occur at all. Preventive actions are more difficult to implement, but they are more efficient (no losses).

Incident management. The goal of incident management is the detection of undesired events and a quick response to them. In addition, it provides information for corrective action. The identification and reporting of incidents is the responsibility of every employee. This tool increases the workers' awareness of and sensitivity to the problems occurring in the company and its environment.

Risk assessment. Risk assessment is the periodic review of risk factors and the identification of new ones. A general assessment is usually done once a year; besides this, a number of minor assessments are carried out during the year. Conducting a risk assessment immediately after a change in risk factors is identified provides the information necessary to take preventive action and to update the risk treatment plans.

Risk treatment plans. A risk treatment plan is a set of instructions to be followed when a risk factor materializes. The organization should prepare plans on the basis of risk assessments, audit reports and information from outside. Simulations are a valuable source of plans. Plans that are current and feasible should be practised, because when a problem occurs there is usually no time to learn the instructions. Employees who are able to recognize triggers can automatically take action to reduce the impact of causes that could lead to a crisis in the company.

Compliance metrics. Compliance metrics are a set of metrics used to monitor the functioning of the system. Not only the computer system but the whole organization should be monitored. It is possible to build a measurement system on the assumptions of the Balanced Scorecard (BSC), which then acts as an early warning system. Using precise metrics allows irregularities to be detected earlier; however, high measurement accuracy increases the cost of measurement.

It should be noted that using the individual tools in isolation has little influence on the prevention of crises in the organization. A coherent system is necessary to achieve this effect.

Internal audit. The internal audit is a tool for monitoring specific areas of the business and its processes. Its main objective is to improve the information system, which is achieved through cooperation between the auditor and the auditee. A secondary purpose is the detection of non-compliance. The audit complements the other methods well because it uses a less formal, more flexible approach, which makes it possible to detect risks that the other tools do not identify.