So you decided to take the leap and secure your organization and data. Where do you start? I would highly recommend you get a copy of ISO/IEC 27001 to get familiar with the terminology and concepts. You can get a copy here from our friends at the CSA Group. Once you get it, read it at least once to get an idea of the concepts and process. It will be dry reading, just a heads up.
So what do you do next?
It typically starts with a Gap Analysis that attempts to document your current security controls compared to the mandatory requirements for an ISMS. This will include aspects of your current policies and procedures: are they current, do they reflect both business operations and identified risks, do they use best practices, etc. Now, it is important to point out that an ISMS is more than just policies and procedures, but they do play a large part of it.
Next, a company-wide Threat and Risk Assessment (TRA) is conducted to determine the assets at risk and the controls that are used to protect them. A “control” in this context is a person, process, or technology that will mitigate a risk. The assessor will evaluate the current controls used and the current risks based on technology and processes, and will even consider contracts with 3rd parties. These findings will be put into a Risk Report that quantifies all of these risks with recommendations.
Up next, we put it all together in a report and presentation that outlines the cyber risks to the business, recommendations for corrective actions, and possibly a Statement of Applicability (SoA) if your organization is going to seek certification. Realize you can deploy an ISMS without certification, and increasingly companies are asking partners and suppliers to prove how secure their organizations are prior to signing contracts; an ISMS makes this easy. I would also point out that the ISMS will improve your risk posture and level of maturity over time. It is also a great tool for improving your security posture. We realize that your security maturity might be low to start, but over time it should improve, and the ISMS helps build the necessary plans and identifies the risks to get you there. It also generates the necessary documentation that will prove the attention given to cyber risks and mitigate any negligence in the organization.
If you do implement your ISMS, first you need to create a risk management framework. I will provide more details on this in a second blog posting – stay tuned. A Risk Registry will be created, along with a project plan for implementing the necessary controls to protect against your current risks and to highlight those risks that are being accepted by the organization, as acceptance is a valid approach as well. At this point, an implementation plan is created to help deploy the necessary controls, such as processes, procedures and technologies, to mitigate risks. The resources to do this, both financial and staff time, will depend on the risks, budget and corporate drivers such as compliance and regulatory requirements.
Once the controls are implemented, it is a matter of ensuring a few cycles of the ISMS in action. This is basically the PLAN-DO-CHECK-ACT cycle for your security risks.
Plan (Establish the ISMS) – Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
Do (Implement and Operate the ISMS) – Implement and operate the ISMS policy, controls, processes and procedures.
Check (Monitor and Review the ISMS) – Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.
Act (Maintain and Improve the ISMS) – Take corrective and preventive actions based on the results of the internal ISMS audit and management review or other relevant information to achieve continual improvement of the ISMS.
This is typically handled by the risk framework that will be implemented to ensure that all cyber risks are identified, quantified and mitigated on an ongoing basis. Once that has been completed a few times, such as over 6 to 12 months, you should be ready for an internal audit and certification if you decide to go that route.
That’s it in a nutshell, folks. Keep in mind an ISMS can be used by companies of all sizes, not just large ones. Companies are increasingly being asked to prove their cyber security stance in order to win contracts and provide services to larger organizations and regulators. An ISMS is a great approach to meet and/or exceed this requirement.