If you need to protect customer and company information (that is almost all of you), an Information Security Management System (ISMS) based on ISO/IEC 27001 or NIST Cyber Security will enable you to manage information security-related risk, hopefully improve your security maturity and demonstrate compliance to both internal and external compliance requirements. All this should give your organisation confidence, build trust and help you to achieve your objectives.
In this article, we highlight a few of the common challenges faced by companies, and a handful of key factors that contribute to those that are successful.
Main Challenges Companies Face
Over-reaching with your scope
Often information security management is reduced too much to individual technical measures, because these are easily understandable. What an ISMS teaches us, is that the combination of technical and organisational measures combined through engaged management is what actually increases the security posture.
Ultimately, your ISMS can be as big or small as you like. It could cover one complex part of the organization with the highest risk exposure, or it could cover the whole organization. What’s important is that your scope is accurately defined and that your security management system meets all ISO-27001 requirements for that scope.
Be wary of a reliance on technical initiatives
There is often too much emphasis placed on technical measures rather than people and process related aspects. Technical aspects can be easier to understand but what we’ve seen witnessing numerous cyber security breaches over the years is that the most common weakness relates to people and processes. For this reason, it’s the combination of technical and organisational measures combined through engaged management is what actually increases the security posture.
Being overwhelmed with the effort involved
The concept of ISO 27001 certification and/or implementation of an ISMS can at first seem overwhelming and you may have the sense that there’s a huge work lies ahead. Like all things though, there’s always an agile and streamlined approach that can be adopted and so simplifying and streamlining the process using risk and compliance software aligned with frameworks like ISO 27001 and NIST CSF will dramatically reduce the resources needed, not just in implementation but also in ongoing, management and reporting.
Indicators for Success
Start with a risk assessment
This is an ISO-27001 requirement before you can create new security controls. A risk assessment will show where your critical security gaps and potential threats are, so you can focus on establishing measures to mitigate those threats.
Risk management is a core part of any ISMS. After all, it’s no good identifying and prioritising information security threats if you’re unable to deal with them effectively.
Focus on risk management and information assets
There are several ways you can do this, but most methods involve first understanding what is at risk – your information assets. Once done, you can then identify risks that may be related to specific assets in specific scenarios.
The risk assessment process is crucial though. After identifying and undertaking an initial risk assessment, you’ll know which risks pose the biggest problem.
For each of these risks, you should take those and determine whether to:
– Treat the risk by applying information security controls defined in Annex A of ISO 27001.
– Eliminate the risk by avoiding it entirely.
– Share the risk (with an insurance policy or via an agreement with other parties); or
– Accept, but remain aware of the risk (if it does not pose a significant threat)
Any risks that you treat should be recorded, which should indicate which of the ISO 27001 standard controls you have selected and omitted and why you made those choices.
Get support from the top
Building a successful security system requires much time, effort and collaboration between teams. So, it’s best to get support from your organisation’s top management first. This will ensure that all stakeholders understand the importance of information security as well as their role in identifying fraudulent activity and the mitigation of risk.
What might be handy here is to conduct a risk review with your board or executive team to ensure there is general awareness and a shared understanding of cyber security risks that are most likely and will have the biggest impact.
- Use Case Spotlight: Information Security Management System (ISMS) - August 31, 2020
- How To Run a COVID19 Risk & Cyber Detox - June 4, 2020
- Business Origami: The Importance of Folding ISMS into Your GRC - April 8, 2020