PART I
(OPEN TO THE PUBLIC)
ITEM NO.9
REPORT OF THE DIRECTOR OF CUSTOMER & SUPPORT SERVICES
TO THE Lead Member for Customer & Support Services
ON
18th December 2006
TITLE: Information Security Management System (ISMS)
RECOMMENDATIONS:
To approve this system for adoption across Salford City Council (all sites):
- To support the Corporate Information Security Policy
- To ensure that information security is managed in a structured and controlled manner
- To ensure that all material related to information security, including documents and decisions made, is recorded, and to ensure transparency in the operation of information security management within the council.
EXECUTIVE SUMMARY:
An ISMS is a systematic approach to managing information so that it remains secure. It
encompasses people, processes and ICT systems. The concept of an ISMS is an integral
part of ISO27001 and is detailed in section 4 of the standard.
The use of an ISMS will help the council to improve the management and control of its
information, which in itself is key to its operations. It will also help to ensure the
confidentiality, integrity and availability of information throughout the council.
The ISMS records the details (like a database) of the information security controls
undertaken by and within the council. This will record / store details of information security
documents, details of controls, details of decisions made and all other information security
related material.
The ISMS incorporates an iterative process for reviewing the information security
arrangements for the council and contains the following steps:
- Review and analysis
- Gap analysis against the 27001 standard
- Development and implementation of solutions
BACKGROUND DOCUMENTS: Corporate Information Security Policy
ASSESSMENT OF RISK: Medium
SOURCES OF FUNDING: N/A
COMMENTS OF THE STRATEGIC DIRECTOR OF CUSTOMER AND SUPPORT SERVICES (or his representative)
1. LEGAL IMPLICATIONS - Provided by: N/A
2. FINANCIAL IMPLICATIONS - Provided by: N/A
PROPERTY (if applicable): Applies to all council locations.
HUMAN RESOURCES (if applicable): N/A
CONTACT OFFICER:
David McIlroy
Assistant Director
Customer & Support Services
(Tel. No: (0161) 793 3905)
WARD(S) TO WHICH REPORT RELATE(S):
Council internal only
KEY COUNCIL POLICIES:
1. Corporate Information Security Policy (Live)
DETAILS: See attached.
Corporate Information Resources Team…
Working to create a knowledge led organisation
Corporate Information Security Management System (ISMS)
November 2006
Version v1.0
Final
Document control

Version control / history
Name          Description                          Date
Tad Ligman    1st draft                            06/10/06
Tad Ligman    DMc comments update on 1st draft     03/11/06

Approvals
Name                   Position                                               Date approved
Salford City Council   Strategic Director of Customer and Support Services    11/06
This policy applies to Salford City Council and the process for managing information security under
ISO27001:2005.
Table of Contents
Introduction – a definition of an Information Security Management System (ISMS)
What does it comprise
Aims and objectives
What we need to do
Governance arrangements
Deliverables
Appendix 1 – Work plan
Appendix 2 – Statement from central government
Introduction – a definition of an Information Security
Management System (ISMS)
An ISMS is a systematic approach to managing information so that it remains secure. It
encompasses people, processes and ICT systems. The concept of an ISMS is an integral
part of ISO27001 and is detailed in section 4 of the standard.
To enable an ISMS to operate effectively in Salford City Council, it must have the support
and commitment from the whole organisation. The use of an ISMS will help the council to
improve the management and control of its information, which in itself is key to its
operations. It will also help to ensure the confidentiality, integrity and availability of
information throughout the council.
What does it comprise
The ISMS records the details (like a database) of the information security controls
undertaken by and within the council. The ISMS incorporates an iterative process for
reviewing the information security arrangements for the council and contains the following
steps:
- Reviews / analysis of information security, which entails analysis of business processes
- Once the information is gathered, it will be compared against the control objectives contained within ISO27001. This is the gap analysis / risk assessment phase
- As a result of this, work solutions will be developed in conjunction with the business to reduce the risk exposure of the council. This will involve a variety of activities, both technical and business related, including the development of policies, guidelines, procedures and processes
- The implementation of these solutions will be monitored and reviewed, and where appropriate the cycle will be re-initiated to ensure that the solutions in place remain appropriate for the business needs
All activities that have any information security aspect or implication shall be recorded within the ISMS, e.g. actions taken, decisions made and documents produced. Information held within the ISMS may be used by those with a vested interest in the state of information security of the council, e.g. senior managers, external auditors, etc.
Aims and objectives
The primary objective of the ISMS is to improve the security of information and information-holding assets of the council, in line with the information security standard ISO27001.
As a direct consequence of this work, the council will receive a number of benefits, as shown
in the diagram below:
Vision: Salford will be an information-secure council that everyone can trust and enable all parties to manage and communicate information.

Benefit areas shown in the diagram:
- Cross council, city-wide, regional and national cooperation and secure information sharing
- Supporting the transformation and the efficiency of the organisation
- Improving information security risk management
- Safeguarding the fundamental rights of the individual
- Improving information security awareness and competence

Objectives and measures set against these benefit areas:
- The implementation of the ISMS should help to improve the culture of the organisation in respect of information security. By doing so, the risk of an information security incident should be reduced, which in turn should reduce the risk of the council suffering adverse publicity.
- The identification and implementation of information security solutions should see the number of information security incidents taking place being reduced, or at least monitored more closely.
- By being seen to take information security seriously, we will build confidence in our citizens that their information is safe with us.
- The identification and implementation of information security solutions should see the number of instances of information loss being reduced. This will be achieved through metrics that will be gained from the business and analysed by the CISO. Regular reports will be made to the business through the ISF representatives and senior management as required.
- By being seen to take information security seriously, we will gain the trust of our partners that they can work with us in confidence.
- Establish priority areas to address across the Council and feed into an information security work plan.
- The ISMS should help to clarify the position relating to the do's and don'ts in respect of information security, which should reduce incidents and improve accountability.
What we need to do
As part of the development of the ISMS at Salford, a number of things are required:
- Obtain commitment and buy-in from all business areas in the council for improving the management and control of information security:
  - Conduct management briefings on the 11 areas of information security in line with ISO27001
  - Hold staff briefings to build understanding of information security and therefore support for its introduction
  - Hold regular training sessions on specific business unit requirements, across all business units, to build awareness and acceptance of information security and its methods of deployment
- Build information security policies and practices to inform the council as to how it should be managing and controlling its information. This will be done in conjunction with the business, primarily the Information Security Forum (ISF). These will then be recorded in the ISMS, with many of the policies being supported by guidelines that will be developed by the business units involved, as they best understand their internal processes.
- The Corporate Information Security Officer (CISO) will on a regular basis, in association with business units and ISF members, undertake assessments using the following Plan, Do, Check, Act (PDCA) cycle to determine the status of information security compliance and controls within Salford.
The PDCA cycle diagram shows:
Inputs: information security requirements and expectations; interested parties (customers and business partners)
PLAN - Establish the documented ISMS
DO - Implement and operate the ISMS
CHECK - Monitor and review the ISMS
ACT - Maintain and improve the effectiveness of the ISMS
Outputs: information security managed as expected; interested parties (customers and business partners)

1st cycle:
- The CISO, in conjunction with individual business units, will carry out analysis of the current information security position
- Analysis results will be compared against best practices in ISO/IEC27001. Identified gaps shall be assessed for risk and business units shall determine what actions to take
- Identified gaps posing a significant risk will have solutions defined and implemented ASAP
- Incorporate information security activities and projects within the wider Information Governance Programme named NOESIS
- Gain metrics to determine trends and patterns in information security changes

Repeat cycles:
- Repeat the process regularly (12 months to 3 years), so that any changes, such as business processes, legislation or technology, can have appropriate action taken
- Business areas, in conjunction with the CISO, will assess their processes and procedures to ensure they comply with policies
- Amend information security as appropriate to monitored changes
Governance arrangements
Any policies required by the ISMS will be agreed by the council, using existing decision-making processes. Governance and oversight will be provided in accordance with the governance model, which can be found at:
http://intranet.salford.gov.uk/knowledge-management-governance.doc
The information security function will work with the ISF, as representatives of the council, to ensure that the work of the ISMS is aligned to the business needs.
Deliverables
The deliverables as identified by the 2005 gap review and those being planned are:

Short term - immediately:
- Introduce security policies as required by business units across the council
- Build security awareness and training across all council areas
- Gain and build corporate buy-in for security objectives

Medium term - within next 12 months:
- Build a closer working relationship between all areas of the council
- Reduce security incidents on council information and information-holding assets
- Develop and introduce solutions to improve information security

Long term - within next 24 months:
- Gain compliance to ISO/IEC27001 information security
- Conduct regular gap reviews and monitor key areas for weak security
- Build a strong reputation for the council to promote
Appendix 1 – Work plan
In order to achieve compliance, the council has an initial plan, in three phases, as highlighted below:

Steps:
- Determine the scope and policy for an ISMS
- Determine approach to risk assessment and identify risks
- Undertake risk assessment and treatment
- Select control objectives and countermeasures
- Approve residual risks
- Prepare a statement of applicability

Deliverables:
- Policy & strategy documents
- Gap analysis
- Report on results
- Apply solutions & provide training as needed
- Senior management's acceptance and sign off of risks
- SOA document
- Compliant status achieved

The ISO27001 standard's ISMS sets out the requirements for identifying, managing and minimising the range of threats to information. It is designed to ensure the selection of adequate security controls to protect information assets.
For details of the current ISMS work plan please visit the Corporate Information Resources
Team web pages at http://intranet.salford.gov.uk/customer/ictservices/aboutictservices/ictbusinesssupport/ict-business-support-information-resources/ict-isecinfosecurity.htm
Appendix 2 – Statement from central government
A recent statement from central government strongly advises all local authorities to introduce security of their information, and stresses that the standard ISO27001 should be adopted and followed. This edict states that compliance with the standard must be gained, but that certification remains an option.
Further details can be found at:
www.cabinetoffice.gov.uk/csia/information_for_the_public_sector