This article will explain what an Information Security Management System (ISMS) is, what typical issues businesses have, and how to implement and operationalize it today.
First of all, what is an Information Security Management System (ISMS)?
It’s usual to conceive of an ISMS as a collection of policies and processes, but it’s much more than that. An ISMS is a framework that provides a systematic method for managing and continuously improving information security within a company. The ISMS is frequently depicted as a plan-do-check-act cycle or as a document hierarchy pyramid.
However, by doing so, it is easy to overlook fundamental ISMS components. To demonstrate what an ISMS should include, it may be useful to imagine it as a house, with management commitment serving as the roof that keeps “the rain” out, and roles and responsibilities serving as the supporting beam. Risk management (a risk-based approach), security controls (what to do, by whom, and when), and compliance (to ensure you do the right things and do the things right) are the three primary pillars of the house. ISMS governance serves as the house’s foundation, allowing you to ensure continual progress and the integrity of all building components.
Let’s begin by examining some prevalent ISMS challenges today:
- The ISMS merely exists on paper and has no impact on the company.
- The ISMS does not reflect the current operations of the organization.
- Consultants have implemented the ISMS without involving the organization, resulting in an ISMS that does not accurately reflect the organization and then fails due to a lack of internal ownership.
- The ISMS places more emphasis on the Management System (MS) than on Information Security (IS).
- The ISMS is obsolete and incompatible with contemporary work practices.
- The ISMS was sold and “installed” by an incompetent individual, and their template was not customized for the organization.
- Management believes they are “secure” because they have a certified ISMS, but they do not comprehend the extent and application of the ISMS, nor do they realize that ISMS certification does not necessarily equate to an effective cyber security defense.
- Because the ISMS is optimized for an on-premises environment, Cloud Security Engineers and Architects are unable to deploy best practices in the cloud.
What should you do if you have one or several of these challenges?
If you are going to implement an ISMS in the future, what should you think about?
#1 – Business understanding
You might begin by gaining a thorough understanding of the business’s mission and operations. Why does the organization exist? Do they sell shampoo? Do they provide health services? Do they sell car parts? Are they an online store?
We must keep in mind that the reason we are constructing and maintaining an ISMS is not the ISMS itself: it is because the organization faces cyber security risks and wants to reduce these risks to an acceptable level. This means that two firms likely have radically different requirements; one may not require an ISMS at all, while the other may require a very sophisticated one.
It is also prudent to determine the business strategy. Are they likely to grow rapidly? Enter new markets or countries? Offer fresh services? Work from home? Acquire competing firms? And so forth.
#2 – Gap analysis relative to a recognized framework
Having a thorough grasp of the present cyber security defense, including where the business performs well and where it performs poorly, enables you to determine where the ISMS must delve deeper and where you can likely spend less time. It is also advantageous to have a high-level understanding of the current most critical risks, as opposed to developing an ISMS without knowing where to concentrate your efforts.
Can you locate a framework that would assist you in establishing and implementing the ISMS? Typically, an ISMS is based on ISO/IEC 27001 and 27002, but this is not required for a company. Which standard or framework is the best fit for your organization? Even ISO/IEC 27001 makes it clear that controls can be designed or identified from sources other than ISO 27001. CIS Controls v8, NSM (fundamental principles for ICT security, a Norwegian framework), NIST CSF, CSA CCM, or an entirely new framework may be a better fit for your firm.
#3 – Awareness and training
Typically, the why and the how may be resolved by training and awareness. Help others do the right thing by imparting your expertise.
Several actions are likely necessary here, but the following are some examples:
- One mandatory generic Cyber Security course for all staff (again, make it relevant and tailored to your organization). Everyone should take this course as part of the joining process and annually thereafter.
- Specific courses designed for certain departments. Developers have different needs from finance, and finance has different needs from human resources.
- Be wary of e-learning and generic courses; they result in a compliance check that everyone clicks through, as opposed to a customized strategy in which individuals are encouraged to learn.
To encourage true behavioral change among employees, the employees must be motivated and confident in their ability to change. Both demand appropriate training and awareness.
Generally, asking questions is superior to trying to persuade. Ask the staff why Cyber Security is necessary for the company. Ask who is accountable and why. Create a dialogue that activates as many people as possible. Remember that your goal here is to get others talking and thinking about Cyber Security, not to draw attention to yourself.
When adopting an ISMS, it is important to consider and keep in mind a number of factors. Start with a limited scope, use internal resources, avoid copying another organization’s ISMS, and update it frequently. Technology, risks, and threats are not static; therefore, your ISMS should not be either.