The first and primary myth to dispel is that executing your decision to use an information security management system (ISMS) to manage the security of your information assets is a project. It is not.
It is about establishing and formalising an effective approach to managing information security. Once established and implemented, it also needs to be maintained and continually improved and, as such, it is not a one-off activity addressed as a project.
However, that’s not to say that managing the initial implementation won’t benefit from being treated as a project; with milestones, deliverables, establishing key activities and ensuring there is oversight to make sure it stays on track all being necessary elements.
So, let’s start by looking at what needs to happen to ensure the success of an ISMS implementation.
We need to consider what we are trying to accomplish which, depending on the maturity of information security in your organisation, can range from implementing a completely new management approach to just implementing greater formalisation around already existing management activities.
To achieve this, as a priority, we need to consider who should be involved.
The foundations of effective information security management include the involvement of all relevant stakeholders across your organisation.
The International Standard for Information Security Management, ISO/IEC 27001:2013 (ISO 27001) requires that relevant internal parties are considered. The process must be collaborative, consulting and educating, and should encourage feedback, which should be analysed and responded to appropriately.
It is often said that implementing an ISMS is a journey, and it is important that all relevant stakeholders are included in that journey.
Feedback is an important aspect of implementation. The absence of two-way communication could lead to an ISMS which is superficial and, ultimately, may cause significant operational issues.
It is important to remember that an ISMS is a business enabler, but for this to be the case, it requires transparent governance and effective risk management across the organisation.
People, communication and collaboration are vital components of a successful ISMS implementation.
We have outlined below who will need to be involved to ensure a successful implementation:
Senior Management (Referred to in ISO 27001 as Top Management)
The ISMS must align with business objectives and must reflect what the senior management wants to achieve. Depending on the maturity and size of your organisation, senior management will need to be involved in the risk management process, making key risk treatment decisions and providing overall direction for information security.
Senior management will also need to provide resources in terms of people and budget and, on an ongoing basis, review the performance of the ISMS to ensure it is achieving its objectives.
A Sponsor
This is likely to be a member of the senior management team and will be the person who is ultimately accountable for information security within the organisation.
Department Heads
A successful ISMS implementation entails embedding information security into business-as-usual activities. Therefore, department heads will be required to be engaged both in the implementation of the ISMS and on an ongoing basis.
They will need to ensure that the processes and systems they are responsible for are meeting the organisation’s information security objectives and that they play a vital role in ensuring that staff are appropriately information security-aware.
Information Owners
The individuals primarily responsible for the information you are trying to protect should be in a position to accurately determine the impact that breaches of confidentiality, integrity or availability will have on your organisation.
This input is vital to the implementation of your ISMS as it will feed into your risk assessment process and, therefore, help determine what information security controls you will need to deploy.
Information Security Manager
If your organisation already has an information security manager in place, then they must be involved in the implementation as they will have an ongoing responsibility for the management of information security controls and tools, and will have a good understanding of the current approach.
ISMS Manager
In some cases, this may be the information security manager, however, many organisations find it prudent to have a specialist role managing the ISMS on a day-to-day basis, separate from the roles responsible for the management of the technical and non-technical information security controls and associated processes and tools. If this is the case, typically the role sits within a risk and compliance function.
This is not an exhaustive list but provides an indication of the core team of individuals who need to be involved.
Obviously, all employees need to understand what their information security responsibilities are and have appropriate awareness of the organisation’s information security policies.
Additionally, as we have said earlier, the initial implementation of the ISMS may benefit from being treated as a project and having a project manager assigned.
URM can help you achieve ISO 27001 certification
URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.
If you want to learn more about ISO 27002:2022 and how to implement the new controls and the new attributes, you can attend URM’s ISO 27001:2022 Control Migration Course.
URM’s blog drills down into ISO 27001 audits, offering advice on how to effectively develop and implement an ISO 27001 conformant audit programme.
URM’s blog discusses everything you need to know about the CISMP, including its benefits, who it’s suited to, the topics the CISMP covers, and more.
Typically, this question is twofold; which assets to include and the depth or granularity. In this blog, we will look at granularity.