With the rapid development of information technology, represented by computers and network communication, protecting information and preventing its damage and leakage have become urgent problems for organizations. Many information systems are not designed according to the requirements of a security architecture, and relying on technical means alone to achieve information security has its limitations. A systematic, comprehensively planned information security management system can ensure the safety and normal operation of the organization's information systems and business from the perspective of prevention and control.
An information security management system is a working system in which an organization formulates information security policies and strategies according to the relevant information security management standards, and uses risk management methods to plan, implement, review, inspect and improve its information security management.
In essence, an information security management system is a mode of information security management. Its purpose is to improve the management level of the enterprise, promote its healthy development, ensure the security of its information resources, and prevent them from being stolen by outsiders, which would harm the enterprise. Among the many available standards, the main reference for an information security management system is ISO 27001, the information security management standard. By following this standard, enterprise information security management becomes standardized and orderly and develops in a scientific and reasonable direction.
The information technology service management system standard is an organization-oriented IT service management standard that provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information technology service management system (hereinafter referred to as "ITSMS"). Establishing an ITSMS has become an indispensable mechanism for organizations, especially financial institutions, telecommunications companies and high-tech industries, to manage operational risk. An ITSMS gives IT managers a reference framework for managing IT services, and a mature level of IT management can also be demonstrated through certification.
Significance of implementing an information security management system:
(1) Strengthen the security of the company's information assets and ensure business continuity and emergency recovery;
(2) Strengthen the information security awareness of employees and standardize the organization's information security behavior;
(3) Reduce potential risks and the economic losses caused by information system failure and personnel loss;
(4) Maintain the reputation, brand and customer trust of the enterprise and preserve its competitive advantage;
(5) Meet the requirements of customers, laws and regulations.
Main functions of implementing an information security management system:
(1) Protect the organization's information systems from damage;
(2) Effectively protect the organization's confidential information;
(3) Protect the organization from economic or financial / asset losses;
(4) Protect the organization's reputation from the damage caused by bad debts;
(5) Enable the organization to keep track of business opportunities;
(6) Enhance business partners' trust in the organization.
The information technology service management system takes business requirements and customer requirements as its main starting point and final destination. Through the orderly management of the main service processes, it improves the efficiency and effectiveness of information technology service management and effectively promotes the achievement of business results and customer satisfaction.
By operating an information technology service management system, the organization can:
(1) Establish an effective, customer-centered, self-improving system; achieve and maintain consistency between service objectives and enterprise business objectives; and effectively support the business strategy;
(2) Establish standardized service processes to improve information technology service and operational efficiency;
(3) Effectively and efficiently integrate and utilize IT resources such as information, infrastructure, applications and personnel;
(4) Establish a continuously improving service management mechanism to respond quickly to market demand and deliver customer satisfaction;
(5) Align with international benchmarks, enhance market competitiveness, improve organizational reputation and improve return on investment;
(6) Control IT risks and related costs, improve and control IT service quality and reduce long-term service costs;
(7) Respond flexibly to the different compliance audit requirements of customers, certification bodies and internal institutions, increasing investor confidence.
(1) The information system is damaged and unable to operate, and the business is interrupted;
(2) The disclosure of confidential information has a social impact;
(3) Economic or capital / asset losses;
(4) Damage to the credibility of the organization;
(5) Loss of business opportunities;
(6) Reduced trust of business partners in the organization.
(1) Phase I: preparation
(2) Phase II: risk assessment
(3) Phase III: control system planning and design
(4) Phase IV: review and adjustment of the security system implementation