How Do You Implement a Successful ISMS?

|
|
PUBLISHED on
21 Jul
2022

The first and primary myth to dispel is that executing your decision to use an information security management system (ISMS) to manage the security of your information assets is a project.  It is not.

It is about establishing and formalising an effective approach to managing information security.  Once established and implemented, it also needs to be maintained and continually improved and, as such, it is not a one-off activity addressed as a project.  

However, that’s not to say that managing the initial implementation won’t benefit from being treated as a project; with milestones, deliverables, establishing key activities and ensuring there is oversight to make sure it stays on track all being necessary elements.

So, let’s start by looking at what needs to happen to ensure the success of an ISMS implementation.  

We need to consider what we are trying to accomplish which, depending on the maturity of information security in your organisation, can range from implementing a completely new management approach to just implementing greater formalisation around already existing management activities.  

To achieve this, as a priority, we need to consider who should be involved.

The foundations of effective information security management include the involvement of all relevant stakeholders across your organisation.  

The International Standard for Information Security Management, ISO/IEC 27001:2013 (ISO 27001) requires that relevant internal parties are considered.  The process must be collaborative, consulting and educating, and should encourage feedback, which should be analysed and responded to appropriately.  

It is often said that implementing an ISMS is a journey, and it is important that all relevant stakeholders are included in that journey.

Feedback is an important aspect of implementation.  The absence of two-way communication could lead to an ISMS which is superficial and, ultimately, may cause significant operational issues.  

It is important to remember that an ISMS is a business enabler, but for this to be the case, it requires transparent governance and effective risk management across the organisation.

People, communication and collaboration are vital components of a successful ISMS implementation.

We have outlined below who will need to be involved to ensure a successful implementation:

Senior Management (Referred to in ISO 27001 as Top Management)

The ISMS must align with business objectives and must reflect what the senior management wants to achieve.  Depending on the maturity and size of your organisation, senior management will need to be involved in the risk management process, making key risk treatment decisions and providing overall direction for information security.  

Senior management will also need to provide resources in terms of people and budget and, on an ongoing basis, review the performance of the ISMS to ensure it is achieving its objectives.

A Sponsor

This is likely to be a member of the senior management team and will be the person who is ultimately accountable for information security within the organisation.

Department Heads

A successful ISMS implementation entails embedding information security into business-as-usual activities.  Therefore, department heads will be required to be engaged both in the implementation of the ISMS and on an ongoing basis.  

They will need to ensure that the processes and systems they are responsible for are meeting the organisation’s information security objectives and that they play a vital role in ensuring that staff are appropriately information security-aware.

Information Owners

The individuals primarily responsible for the information you are trying to protect should be in a position to accurately determine the impact that breaches of confidentiality, integrity or availability will have on your organisation.  

This input is vital to the implementation of your ISMS as it will feed into your risk assessment process and, therefore, help determine what information security controls you will need to deploy.

Information Security Manager

If your organisation already has an information security manager in place, then they must be involved in the implementation as they will have an ongoing responsibility for the management of information security controls and tools, and will have a good understanding of the current approach.

ISMS Manager

In some cases, this may be the information security manager, however, many organisations find it prudent to have a specialist role managing the ISMS on a day-to-day basis, separate from the roles responsible for the management of the technical and non-technical information security controls and associated processes and tools.  If this is the case, typically the role sits within a risk and compliance function.

This is not an exhaustive list but provides an indication of the core team of individuals who need to be involved.  

Obviously, all employees need to understand what their information security responsibilities are and have appropriate awareness of the organisation’s information security policies.  

Additionally, as we have said earlier, the initial implementation of the ISMS may benefit from being treated as a project and having a project manager assigned.

Are you looking to implement ISO 27001? Or certify against the Standard?

URM offers a host of consultancy services to assist you implement and maintain ISO 27001, including gap analyses, risk assessments, policy development, auditing and training.
Thumbnail of the Blog Illustration
Information Security
Published on
19/4/2024
Planning Your ISO 27001 Audit Programme

URM’s blog drills down into ISO 27001 audits, offering advice on how to effectively develop and implement an ISO 27001 conformant audit programme.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
10/7/2024
A Guide to the Certificate in Information Security Management Principles (CISMP)

URM’s blog discusses everything you need to know about the CISMP, including its benefits, who it’s suited to, the topics the CISMP covers, and more.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
20/7/2022
How do I Approach Asset Identification Within My Information Security Risk Assessment?

Typically, this question is twofold; which assets to include and the depth or granularity. In this blog, we will look at granularity.

Read more
URM were super helpful and knowledgeable, talking and walking me through each one of the tests and providing some useful information on security and how to improve things in the future.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.