What Are the Critical Steps When Implementing an Effective Information Security Management System?

Published on 20 Jul 2022

Having assisted over 400 organisations in achieving ISO 27001 certification, we are often asked what we consider to be the critical steps, or building blocks, when implementing an effective information security management system (ISMS). Part of our answer is always "ensure you have the appropriate resources in place." For human resources, that means asking whether the people involved have the skills, knowledge and experience needed to carry out their roles. The key question, and the one we address in this blog, is how you determine whether the people working under your control are competent from an information security perspective.

The starting point is to sit down and identify what your competency requirements actually are.

There are likely to be a number of roles within your organisation that could have an impact (positive or negative) on the security of your information. Some of these will be general roles, for example executive-level managers such as your CEO and CFO. There may be senior management roles, such as the heads of operational departments. Then there are specialist roles, such as the information security manager, and of course there is everyone else. For the latter (i.e. the general workforce) there may be little in the way of formal qualifications required when it comes to information security, but there are a number of internal competencies that should be considered, including:

  • Knowledge and awareness of the company's information security policy requirements
  • Awareness of the importance of one's own contribution to information security, and of the implications of not following the policy
  • An understanding of how to report security incidents and weaknesses, and to whom.

The specialist roles will naturally have the potential to have a far greater impact on the security of your information. These roles might include your information security manager, data protection officer, internal auditors and technical security specialists, such as your firewall and Windows administrators.

For these roles and others like them, it is important to ensure that each person performing the role is competent in terms of both experience and education/training. Again, the starting point is to define what competencies are required, for example:

  • Formal education and training related to their specialism
  • A minimum number of years’ experience in a role related to their specialism.

In addition to the above, there are of course general competency requirements. The often neglected aspect of competency lies in the area of 'soft skills'. Examples of soft skills include emotional intelligence, acting as a team player, time management and problem-solving. The relevance and importance of many of these skills will be driven by the culture and core values of the organisation, but in our opinion they can ultimately have a significant impact on the information security capability of the organisation. If we take the role of information security manager or compliance manager, a key aspect of the role is communicating, influencing, guiding and motivating others to adopt best practice, and no amount of technical knowledge compensates for an inability to do so.

Once you have defined your competency requirements, you should assess the level of competency that each person working under your control in the identified roles actually possesses. This is easier to determine for the 'harder' skills (qualifications, years of experience) than for the 'softer' skills, but there are a number of tools on the market (e.g. psychometric tests) that can help. Comparing the assessed level against the requirement will identify any shortfall in competency. Where a shortfall exists, a plan to close it should be developed. This is likely to include training and awareness, but could also be resolved through recruitment and/or restructuring within the organisation, with people moving into roles they are more competent to perform.

It is also important that both the competency requirements for roles and the competency of the personnel fulfilling those roles are monitored and periodically reviewed. Changes in the business (a new service, a new regulatory obligation) can alter the requirements, and changes in technology can cause a person's competency to degrade over time if their knowledge is not kept current.

Records should also be retained as evidence that personnel working under your control are competent to perform their roles, for example copies of certificates, training attendance records and the outcomes of competency assessments. ISO 27001 (clause 7.2) requires appropriate documented information to be retained as evidence of competence, and a certification auditor will expect to see it.
