There are several definitions that can be obtained from some of the standards related to security, such as ISO/IEC 17799: 2005 Information technology. Security techniques. Code of practice for information security management, or ISO 13335-1: 2004 Information technology Security techniques Management of information and communications technology security Part 1: Concepts and models for information and communications technology security management, and all of them are based on a key concept, the security must have as objective the preservation of the confidentiality, integrity, and availability of information, without prejudice to other features related to the firstsuch as authentication, traceability, regulatory compliance, etc. There is no doubt that information represents the most critical asset for an organization to achieve the success of the objectives of business or strategic, i.e., those that are fundamental and represent the raison d ‘ etre of the company. Business objectives happen to get that information, matter what their lifecycle within the Organization, and its support is analyzed under different requirements: quality, financial, security, legal, or others that may occasionally be required. These requirements will guide you to resources and processes used in information systems to achieve the strategic objectives set once identified the key terms of the security of the information, it is necessary to approach them from the point of view of the management, applying a systematic process, documented and known throughout the Organization ensuring, not that the company is completely safe, but you know the risks to which it faces, has evaluated them, knows them to manage and has minimized a way documented, systematic, structured, repeatable, efficient and adapted to the changes that occur in the information system. (ISMS) information security management system, is the system which understands the politics of security, organizational structure, procedures, processes, and the resources needed to implement the safety management of information based on the technical, legal and organisational requirements identified in the organization.
There are various key elements to implant it successfully in an organization: achieve support from the address-have a clear vision of the processes and key elements to include in the system, since an excess of ambition could derail the system-evaluate the risks that undertake these processes-describe a security policy based on the results of the analysis of risks.-adopt the model of continuous improvement, PDCA cycle, allowing monitor system, detect new risks and deal with them efficiently-documenting the system according to different strategic levels (manual of security, general procedures, technical instructions, and operation records). ISO/IEC 27001: 2005 standard internationally known, defined the requirements to implement an ISMS. The benefits of the system are various and include ease of integration with other management systems ISO 9000 and ISO 14000, compliance with legal requirements (LOPD, LSSI, etc), effective risk management, the differentiation in the sector, credibility and confidence of managers, partners and stakeholders, the reduction of costs related to incidents, and finally, the improvement in the awareness of staff and increased accountability in information security.