ISD Cyber have implemented many Information Security Management Systems (ISMS), with our SME having over 22 years of hands-on experience across a wide variety of industries.
We would like to share our experiences to date in terms of how to prepare yourself, what risks to look out for and how to bring others along the journey.
1 – Start at the beginning… no, really!
It is essential that you define and can clearly articulate what needs to be protected and why, what the scope of your ISMS is, what obligations you have (contractual, legislative, and statutory), and what your stakeholders expect of you.
How do you operate, or what do you use, that may expose you to known vulnerabilities? What do you depend upon to deliver products and services? What happens if they’re no longer available, or if no one can trust your products and services?
Without understanding this from the outset, it’s near impossible to demonstrate that you have considered the associated information security risks and implemented appropriate controls.
2 – Do not just focus on the paperwork!
A common mistake we see is over-emphasis on ‘the paperwork’; a certifiable ISMS is far more than being able to publish templated security policies and procedures. Agreed, they have their place, and certain requirements must be met when going for certification to ISO 27001, but they should not be your primary focus.
If you are just starting to mature your information security practices, the number of required policies and procedures could feel overwhelming, but maturing your back-end paperwork is not the only thing you must consider when implementing your ISMS. You’ve been warned!
3 – Make friends and influence
Before starting out on your ISMS journey, it is essential to identify and understand the key stakeholders. Who will be impacted by the decisions being made within the mandatory documentation? What are their responsibilities? What will be expected of them (during and after implementation)? What assumptions are you making about their knowledge? What do you want them to know? What do you need from them? Who do you need as the ‘champion’ rep in your corner?
Be clear in your messaging and get them on side early. You cannot do this alone!
To obtain a certifiable ISMS you need to demonstrate leadership commitment. You can only achieve this if leaders really understand the scope and the need (another reason step 1 is important!), what is in it for them (i.e., what positive opportunities are realised through being certified) and what the implications are if the ISMS is unsupported.