Security Management and Planning for Information Assurance

26 July 2011 09:35 am , Bhavanishankar Ramarao

Information Assurance has become a vital component of organizations around the world. Organizations have realized the benefits of implementing a security management system to protect their own and their customers' assets. While the threats to their information keep increasing (hacking, phishing, scams and spam among them), CIOs are under pressure from management to put in place an effective security management system that protects the confidentiality, integrity and availability of both their own and their customers' assets.
Information Assurance is the practice of managing risks related to the use, processing, storage and transmission of information, and of the systems and processes used for those purposes. It can be provided by implementing an effective Information Security Management System (ISMS) together with Risk Management, Information Classification and a Defense-in-Depth approach. Defense-in-Depth is a combination of layered controls (technical, administrative and physical) that hinder the progress of a threat, slowing and frustrating it until it ceases to be a threat; no single layer is relied upon on its own. An effective security management system should cover three parameters: People, Technology and Operations.

People:
Security cannot be the responsibility of a single department. If you examine the controls in ISO 27001, you can see that they cover the controls and responsibilities of every function of the organization, including senior management. A growing share of incidents now originate inside the organization rather than outside, through password mismanagement, ex-employees whose access was never revoked, laptop theft, contractors who lack security awareness, and disgruntled employees. So security management has to be the responsibility of every employee, and each of them needs to participate for it to be effective.
Technology: People are the weakest link in the security chain. You cannot put people through a degausser (the device that renders disks and other magnetic media unreadable) to erase what they know. So processes and policies have to be complemented by training and by technology that prevents information leakage. Apart from the people problem, attackers are becoming more sophisticated and the threats from them are multiplying. To contain these attacks, organizations deploy security technologies such as IPS, IDS, firewalls and others.
Operations: Operations is the front end of the security architecture; it implements, maintains, monitors and reviews the security architecture from time to time. The operations team reviews and implements the controls that come out of the risk assessment in order to mitigate the risks to the organization.
So for any organization to implement an effective security management system, the scope must take all three of these parameters into consideration.
Coming back to the implementation, every organization needs a security management process through which the ISMS is implemented and deployed. One of the first things the organization needs to do is build the teams that will implement the ISMS across the organization:
1. Security Steering Committee: a team of senior management who support, oversee and approve the implementation of the ISMS across the organization.
2. Security Task Force: the team that conducts risk analysis, risk assessment and risk mitigation and helps implement the layered security controls of the defense-in-depth model.
3. Security Alert Team / Incident Management Team: the team responsible for incident management, and for reviewing and implementing the controls that follow from each incident.
4. Security Leaders: employees in each project or process who oversee the implementation of the ISMS within that project or process.
5. Crisis Management Team: the team that oversees and assists in business continuity and disaster recovery, including emergency response to events such as fire or flood.

PS: The names of the teams can be whatever best suits the organization; this is only an illustration.

The security management process consists of 5 Phases:
1. Defining a Security Policy
2. Risk Analysis
3. Conducting Risk Assessment and arriving at Statement of Applicability
4. Risk Mitigation
5. Controls Review

Security Policy: The security policy is the master document that sets out the security practices an organization implements to protect its information assets. It is a living document, reviewed and updated as the risk assessments in the security management process change. The organization starts with a basic framework for this document and, over time, it becomes the master document from which every policy implemented through the security management process derives.
Risk Analysis: During this phase the security team captures an accurate inventory of all assets and determines the scope of assets on which risk analysis will be conducted. Once the scope is fixed, the assets in it are classified according to the confidentiality, integrity and availability value of the information they hold. A vulnerability assessment is conducted on each asset in scope to find its vulnerabilities. The likelihood of each threat and the impact it would have on the asset are then estimated, the risk to each asset is calculated from them, and the result is documented. There are various methods of determining risk; one widely used method, borrowed from reliability engineering, is Failure Mode and Effects Analysis (FMEA), which scores each failure mode on severity, occurrence and detectability. Another is to list the threats and give each a weight, so that the residual risk of the asset can be determined from the mitigations and controls already in place.
Risk Assessment: During this phase the security team identifies the potential controls that need to be implemented, conducts a cost-benefit analysis (there is no benefit in a control that costs more than the loss it prevents; the cost of protecting an asset should not exceed the expected loss from the risk to that asset), prioritizes the controls, selects them and produces the Statement of Applicability. The Statement of Applicability (SoA) lists every control in the ISMS framework and states whether each is applicable or not, with the justification and the mitigation chosen.
Risk Mitigation: During this phase the security team, working from the assessment and the documented Statement of Applicability, develops an implementation plan and assigns responsibilities to the stakeholders concerned. The stakeholders implement the controls, test and validate through audits whether the controls actually mitigate the risks, and produce a residual risk document. Residual risk is the risk that remains even after the controls have been implemented. This residual risk drives the further review and strengthening of the controls needed to bring risk down to an acceptable level.
Controls Review: Once the residual risk has been calculated, the team should identify and prioritize further controls to protect the organizational assets, and reviews of this kind should be carried out on a regular schedule. During this phase technologies can be introduced to automate processes and protect the organizational assets. Reviewing the controls regularly is compulsory if the organization is to keep up with sophisticated attacks and protect the confidentiality, integrity and availability of its information assets.
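The five phases above can be worked through on a toy risk register. The following is an added example, not code from the original article: the scoring formula (annual risk = asset value x fraction of value lost per occurrence x expected occurrences per year, with each control scaling down likelihood and/or impact), the 1 to 3 C/I/A rating scale, the greedy control selection and every asset, threat, control and figure are constructed assumptions for illustration and are not taken from the article or from any standard.

```python
"""Toy risk register: classification, likelihood x impact scoring, control
selection by cost-benefit, Statement of Applicability rows and residual risk.

All formulas and figures are illustrative assumptions, not a standard's method.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # replacement / business value in currency units
    confidentiality: int    # assumed 1 = low, 2 = medium, 3 = high
    integrity: int
    availability: int

    def classification(self) -> str:
        """Assumed rule: the highest C/I/A rating decides the label."""
        top = max(self.confidentiality, self.integrity, self.availability)
        return {1: "public", 2: "internal", 3: "confidential"}[top]


@dataclass(frozen=True)
class Threat:
    description: str
    likelihood: float       # expected occurrences per year
    impact: float           # fraction of asset value lost per occurrence (0..1)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0   # fraction of likelihood removed
    impact_reduction: float = 0.0       # fraction of impact removed


def annual_risk(asset: Asset, threat: Threat, controls: Sequence[Control] = ()) -> float:
    """Annualised loss expectancy with the given controls applied (assumed model)."""
    likelihood, impact = threat.likelihood, threat.impact
    for c in controls:
        likelihood *= 1.0 - c.likelihood_reduction
        impact *= 1.0 - c.impact_reduction
    return asset.value * impact * likelihood


def is_worthwhile(asset: Asset, threat: Threat, control: Control,
                  existing: Sequence[Control] = ()) -> bool:
    """Cost-benefit test: a control is justified only if the risk it removes,
    on top of controls already selected, exceeds its own annual cost."""
    before = annual_risk(asset, threat, existing)
    after = annual_risk(asset, threat, (*existing, control))
    return (before - after) > control.annual_cost


def treat(asset: Asset, threat: Threat, candidates: Sequence[Control]
          ) -> Tuple[List[Control], List[Dict[str, object]], float]:
    """Greedy treatment: evaluate candidates in order, keep the worthwhile ones,
    emit one Statement-of-Applicability row per candidate, return residual risk."""
    selected: List[Control] = []
    soa: List[Dict[str, object]] = []
    for c in candidates:
        before = annual_risk(asset, threat, selected)
        applicable = is_worthwhile(asset, threat, c, selected)
        if applicable:
            selected.append(c)
        reduction = before - annual_risk(asset, threat, selected)
        soa.append({
            "control": c.name,
            "applicable": applicable,
            "justification": (f"removes {reduction:.0f}/yr of risk for {c.annual_cost:.0f}/yr"
                              if applicable else
                              f"cost {c.annual_cost:.0f}/yr exceeds the risk it would remove"),
        })
    return selected, soa, annual_risk(asset, threat, selected)


# Constructed sample register (hypothetical assets, threats, controls and figures).
DB = Asset("customer database", 500_000, confidentiality=3, integrity=3, availability=2)
PHISHING = Threat("credential theft via phishing", likelihood=0.4, impact=0.3)
MFA = Control("MFA on all remote access", annual_cost=5_000, likelihood_reduction=0.8)
ESCORTS = Control("24x7 escort for every staff member", annual_cost=200_000,
                  likelihood_reduction=0.5)

LAPTOP = Asset("field laptop", 2_000, confidentiality=2, integrity=1, availability=1)
THEFT = Threat("laptop theft", likelihood=0.1, impact=1.0)
FDE = Control("full-disk encryption", annual_cost=50, impact_reduction=0.9)


def run_sample() -> Dict[str, object]:
    """Run both assets through the phases and return the residual-risk document."""
    db_selected, db_soa, db_residual = treat(DB, PHISHING, [MFA, ESCORTS])
    lt_selected, lt_soa, lt_residual = treat(LAPTOP, THEFT, [FDE])
    return {
        "db_class": DB.classification(), "db_inherent": annual_risk(DB, PHISHING),
        "db_selected": [c.name for c in db_selected], "db_soa": db_soa,
        "db_residual": db_residual,
        "laptop_class": LAPTOP.classification(), "laptop_inherent": annual_risk(LAPTOP, THEFT),
        "laptop_selected": [c.name for c in lt_selected], "laptop_residual": lt_residual,
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

The greedy loop matters: the escort control is evaluated after MFA has already cut the phishing likelihood, so the risk it could still remove is far below its cost and the SoA row records it as not applicable with that justification. The residual figures are what the Risk Mitigation phase documents and the Controls Review phase revisits.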
By bringing People, Technology and Operations into the implementation of an ISMS that combines Risk Management with Information Classification and a Defense-in-Depth approach, organizations can minimize the impact of internal and external threats on their information assets.

