Thursday, September 17, 2009

ISMS vs SMIS. Are they the same?

I don’t think so. ISMS refers to the Information Security Management System and SMIS refers to the Security Management Information System.

The SMIS is not formally defined in the ITIL V3 Glossary. However, the ISMS is. According to the ITIL V3 Glossary, the “Information Security Management System (ISMS) describes the framework of Policy, Processes, Standards, Guidelines and tools that ensures an Organisation can achieve its Information Security Management Objectives.”

ISO 27001 is the formal standard against which organizations may seek independent certification of their ISMS (meaning their framework to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organization).

From Section 4.6.8 of the Service Design book:

“All the information required by Information Security Management (ISM) should be contained within the Security Management Information System (SMIS). This should include all security controls, risks, breaches, processes and reports necessary to support and maintain the Information Security Policy and the Information Security Management System (ISMS). This information should cover all IT services and components and needs to be integrated and maintained in alignment with all other IT information management systems, particularly the Service Portfolio and the CMS. The SMIS will also provide the input to security audits and reviews and to the continual improvement activities so important to all ISMSs. The SMIS will also provide invaluable input to the design of new systems and services.”

From the above, the SMIS is an information system that supports the Information Security Management process, similar in concept to the Availability Management Information System (AMIS) and the Capacity Management Information System (CMIS).

Hence, they are not the same. The SMIS is an information system and the ISMS is a framework, both serving the Information Security Management process.

I think a formal definition of the SMIS should be included in the ITIL V3 Glossary. Also, Figure 4.27 in the Service Design book should refer to an SMIS (this was changed to ISMS in a later release of the Service Design book).
