Information Security Management Systems – It’s all about the Business!

An Information Security Management System (ISMS) is a security framework comprised of policies, processes and the management of technologies to address an organisation’s information security requirements.

ISO 27001 is a widely adopted international standard that provides a code of practice for developing and implementing a consistent set of information security management processes. It is supported by ISO 27002, which provides a comprehensive controls framework, and an increasing list of supporting standards that provide additional guidance for specific areas (e.g. risk assessment, business continuity, incident management, cloud computing, telecommunications).

We have recently seen an increase in the number of clients that have identified that they have a need to develop and implement strong information practices that support and enable their business. Some intend to undertake ISO 27001 certification, however, the majority do not and are only interested in using it as the foundation of their ISMS. This is understandable, as the standard is well recognised as a flexible and adaptable framework on which to build an organisation’s information security management capabilities. Regardless of whether or not your organisation intends to undertake certification against the standard, using the ISO 27001 standard enables an organisation to establish a systematic approach to implementing, maintaining and improving its information security management practices.

The latest version of the standard (ISO 27001:2013) stresses the need for senior management (i.e. the board, executive leadership team or senior management team) to take ownership for the development and implementation of the ISMS (see Section 5 – Leadership). This is because the Chief Executive (or equivalent) is ultimately accountable for ensuring that the information security risks to the organisation are identified and appropriately managed.

Information security is all about risk management. Therefore it must be the business’s decision to develop and implement an ISMS in order to protect the information assets (e.g. intellectual property, personal information) the organisation requires to deliver its products and/or services. Before committing to supporting and allocating resources to developing and implementing an ISMS, senior management will want to understand the opportunity and benefits associated with doing so.

The issue of information security governance is crucial here. While developing and implementing an ISMS is a sound security move, it must be a business decision to do so. As a result, senior management representatives from all areas of the business should be involved and engaged in the decision. The successful development and implementation of an ISMS will ultimately depend on understanding the organisation’s:

• size and structure;

• business objectives and goals;

• business processes;

• opportunities and risks; and

• risk appetite.

These form the basis of the organisation’s scope statement, which determines the breadth and depth of coverage of the ISMS. The organisation can choose to develop an ISMS that provides complete coverage of its business operations, or they can limit the scope to a subset of business processes in order to optimise costs. The scope can be extended over time as the organisation achieves value from the limited scope implementation. For example, ensuring that outsource service providers have appropriate security procedures and controls in place. It is easy to think that this only applies to ICT outsourcing, but does your organisation outsource its manufacturing, logistics or customer services? Did it consider the information security implication of doing so? Did you perform an appropriate level of due diligence to establish that the service provider would appropriately protect the intellectual property or the personal information about your customer that you entrusted into their care?

Once implemented, ISO 27001 requires the organisation to regularly review the ISMS (at least annually) to ensure that it is actually achieving what it was established to accomplish, as well as identifying any unmanaged risks that need to be addressed. Operational monitoring and reporting will provide senior management with visibility and assurance that the policies, processes and technical controls that have been implemented remain effective at managing the organisation’s information security risks. If you have chosen to undertake ISO 27001 certification, then it will also be able to demonstrate that it is dedicated to establishing and maintaining its information security management capabilities to external stakeholders (e.g. customers, regulators, auditors).

When all is said and done, ISO 27001 offers organisations an established framework to develop and implement an ISMS that enables them to effectively identify and manage their information security risk. Although it will require considerable commitment from senior management it will provide your organisation with significant competitive advantage by enabling to demonstrate to various stakeholders that it takes security seriously.