Annual planning cycle: ISMS

On this page, you’ll find information about how you as a manager can establish a local information security management system, or ISMS.

What are ISMS and why do we need them?

The senior management team has decided that AU must comply with ISO 27001, and must maintain maturity level 3 with regard to information security. To achieve this, ISMSs must be implemented at the local level, and they must be reevaluated annually. This applies to both academic and administrative units at AU.

The definition of maturity level 3 is as follows:

"Procedures are standardised, documented and communicated through training. It has been announced that the procedures must be complied with, but it is unlikely that non-compliance will be discovered. The procedures are usually a formalisation of existing practice."

A local ISMS must contain:

  • A description of what the local ISMS covers. This must include a description of relevant stakeholders and their information security requirements.
  • An annual planning cycle and a plan defining, documenting and directing activities to ensure information security.
  • Evaluation and follow-up on the activities in the plan.

There are few formal requirements for local ISMSs, and they can be quite simple.

There are also different ways of implementing a local ISMS. For example, an ISMS can be implemented at faculty or department level; but there may also be specific research programmes for which additional measures to improve information security are required, for example because external partners have particular requirements in this regard.

A local ISMS must be based on AU’s central information security management system, which complies with ISO 27001, the security standard for Danish state sector authorities.

Responsibility for implementing an ISMS

The manager of the unit is responsible for the implementation of a local ISMS. In this context, ‘managers’ refers to, for example, department/school heads, research centre directors or deputy directors.

Managers have overall responsibility for information security in their units, which includes activities such as:

  • raising awareness of information security issues throughout the year. 
  • ensuring that all users in the unit have received the right information, training, etc. 
  • ensuring that the information security policy, the ISMS and the underlying policies, procedures, rules of conduct and all other central information concerning information security are communicated, implemented and complied with by all users in the unit, without exception. 
  • developing and applying an adapted local ISMS that is complied with in practice and is at maturity level 3. 
  • developing and implementing local policies and procedures. 

The local FISUs (research IT security committees) at AU’s five faculties are knowledgeable, relevant partners in relation to the implementation of the local ISMS.

Annual planning cycle for ISMS

It’s a good idea to design the local ISMS as an annual planning cycle that includes the phases Plan - Do - Check - Act. 

  • PLAN: Development and maintenance of the fundamental documents.
  • DO: Implementation and operation in practice.
  • CHECK: Evaluation and documentation of the status of activities and information security measures, as well as identification of possible improvements.
  • ACT: New initiatives and ongoing improvements.