Difference between CIS documentation and an ISMS? I'm confused.
Posted by heartgoldt20@reddit | sysadmin | 2 comments
Hey everyone,
I've been following the CIS Controls framework (v8) pretty closely and have been building documentation for every safeguard. I write procedures, yearly reviews, scopes, owners, etc. Basically, I have a folder with all of my CIS documents and update them annually.
My question is: **how different is this from an ISMS (Information Security Management System)?**
Because at this point I'm honestly getting confused.
CIS gives me all the safeguards and requirements, and it *feels* like I'm building an ISMS, but people keep telling me it's not the same thing.
So what’s the key difference between “documentation aligned to CIS” and an actual ISMS?
And am I missing something major if I just follow CIS + yearly reviews?
Would appreciate insights from people who’ve deployed CIS vs ISO 27001 vs full ISMS implementations.
Thanks!