An Information Security Management System (ISMS) is a framework designed to describe the methodologies and practices for managing information security within your organisation. I have heard comments which remind me not only that people don’t believe in the benefits of an ISMS but that they misunderstand what it aims to achieve for them: “We don’t need an ISMS!” or “I don’t see any value in an ISMS!”.
It left me curious: what left such a bad taste in their mouths about the ISMS? It led me here, to writing about it.
Understand your ‘Why’
The very first element of an ISMS is to express what needs to be protected: your very own ‘Why’. Why is information security important to your organisation? What do you want to achieve? It may simply be that you want to protect an asset group, such as personally identifiable information (PII), or have a contractual requirement to ensure information security is taken seriously. You may even want to make a statement that senior management is committed to an effective security program to instil confidence in a new product or attract new customers.
Whatever it is, you need to know it NOW so you can set your security objectives and get others onboard.
Measurable objectives are important, because if you don’t know where you are going and why, how will you know what to focus on, or worse… how will you know when you get there? Define your desired Target State (what you want to reach):
- “We want to move from maturity level 1 to 2 across all security domains”
- “We want to achieve maturity level 3 across all Essential Eight controls”
- “We want to be certified to ISO 27001”.
So, what do you want and when do you want to achieve this? E.g., “We want to be certified to ISO 27001 and demonstrate a level 2 maturity across all Essential Eight controls by June 2022.”
Do you know your ‘Why’? What is your vision for security?
Once you have determined your vision for the future, you can then work out how to get there. In an ISMS context, this involves understanding your current state of compliance with industry standards and legislation (such as ISO 27001 Information Security, ISO 31000 Risk Management, the Privacy Act, Cyber Security Top 10, PCI DSS…) by completing a gap analysis.
NOTE: Whether you are seeking certification to ISO 27001 or not, this is a crucial step in your security program. This will help you to form your Security Plan.
Where are you now? In the context of where you want or should be.
This becomes the start of your journey. You now have a roadmap. Who is going to help you achieve your vision? Who is going to shape your vision? A key step within ISMS implementation is being able to outline the roles and responsibilities for information security throughout the organisation, detailing who is Responsible, Accountable, and who should be Consulted and Informed (the common RACI approach).
By identifying roles and responsibilities you are setting up the framework that will help you achieve your security objectives. In addition, by understanding key stakeholders (those who should be ‘consulted’ and ‘informed’) you can ensure that their needs and expectations are also met. Information security risks do not simply reside in a single business unit; they cut across many business processes, and the ISMS should be used to define what should be protected for the organisation to meet both its business and security objectives.
You’re on to a winner if you can communicate the ‘Why’ in business terms. Get the stakeholders onboard early for success.
How will you know you have succeeded? What does ‘success’ look like?
In summary, any company of any size can and should implement an ISMS.
Beyond obtaining an ISO 27001 certificate, a successful ISMS supports ongoing and continual improvement in the management of information security risks. It gives you the toolkit you need to create a company-focussed information security plan, it will make you and your teams far more aware of the challenges, and it will help you break the security plan down into manageable and achievable tasks.
About the Author
Yvonne Sears MSc, LLM, CIPM, CISM, PICIP, MBCI, FIP, FAISA has over 20 years’ experience in information security and privacy in the UK and Australia. She has a Master’s in Information Security and Computer Crime, a Master’s in Information Law and is a Certified Information Privacy Manager.
She has worked on several trailblazer projects leading the way on data sharing and privacy issues in sensitive and complex areas, and has worked for a wide variety of public and private sector organisations.
She has contributed at industry events as a speaker and has contributed to several publications including ISACA’s Privacy book: “Implementing a Privacy Protection Program” (2017) and “Women in the Security Profession” (2016).