Embarking On A Successful ISMS Implementation
The first and primary myth to dispel is that executing your decision to use an information security management system (ISMS) to manage the security of your information assets is a project. It is not. It is about establishing and formalising an effective approach to managing information security. Once established and implemented, it also needs to be maintained and continually improved and, as such, it is not a one-off activity addressed as a project. However, that’s not to say that managing the initial implementation won’t benefit from being treated as a project; with milestones, deliverables, establishing key activities and ensuring there is oversight to make sure it stays on track all being necessary elements.
So let’s start by looking at what needs to happen to ensure the success of an ISMS implementation. We need to consider what we are trying to accomplish which, depending on the maturity of information security in your organisation, can range from implementing a completely new management approach to just implementing greater formalisation around already existing management activities. To achieve this, as a priority, we need to consider who should be involved.
The foundations of effective information security management include the involvement of all relevant stakeholders across your organisation. The International Standard for information security management ISO/IEC 27001:2017 (ISO 27001) requires that relevant internal parties are considered. The process must be collaborative, consulting and educating and should encourage feedback, which should be analysed and responded to appropriately. It is often said that implementing an ISMS is a journey and it is important that all relevant stakeholders are included in that journey.
Feedback is an important aspect of implementation. The absence of two-way communication could lead to an ISMS which is superficial and, ultimately, may cause significant operational issues. It is important to remember that an ISMS is a business enabler, but for this to be the case, it requires transparent governance and effective risk management across the organisation.
People, communication and collaboration are vital components of a successful ISMS implementation. We have outlined below who will need to be involved to ensure a successful implementation:
• Senior Management (referred to in ISO 27001 as top management) – The ISMS must align with business objectives and must reflect what the senior management wants to achieve. Depending on the maturity and size of your organisation, senior management will need to be involved in the risk management process, making key risk treatment decisions and providing overall direction for information security. Senior management will also need to provide resources in terms of people and budget and, on an ongoing basis, review the performance of the ISMS to ensure it is achieving its objectives.
• A Sponsor – This is likely to be a member of the senior management team and will be the person who is ultimately accountable for information security within the organisation.
• Department Heads – A successful ISMS implementation entails embedding information security into business-as-usual activities. Therefore, department heads will be required to be engaged both in the implementation of the ISMS and on an ongoing basis. They will need to ensure that the processes and systems they are responsible for are meeting the organisation’s information security objectives and they play a vital role in ensuring that staff are appropriately information security-aware.
• Information Owners – The individuals primarily responsible for the information you are trying to protect should be in a position to accurately determine the impact that breaches of confidentiality, integrity or availability will have on your organisation. This input is vital to the implementation of your ISMS as it will feed into your risk assessment process and, therefore, help determine what information security controls you will need to deploy.
• Information Security Manager – If your organisation already has an information security manager in place, then they must be involved in the implementation as they will have an ongoing responsibility for the management of information security controls and tools and will have a good understanding of the current approach.
• ISMS Manager – In some cases, this may be the information security manager, however, many organisations find it prudent to have a specialist role managing the ISMS on a day-to-day basis, separate from the roles responsible for the management of the technical and non-technical information security controls and associated processes and tools. If this is the case, typically the role sits within a risk and compliance function.
This is not an exhaustive list, but provides an indication of the core team of individuals who need to be involved. Obviously, all employees need to understand what their information security responsibilities are and have appropriate awareness of the organisation’s information security policies. Additionally, as we have said earlier, the initial implementation of the ISMS may benefit from being treated as a project and having a project manager assigned.