ISMS Implementation I – Know What to Expect

By cyberphob1a

[This is the first part of a series of postings about the implementation of an information security management system (ISMS). Also have a look at the introductory article.]

One of the major factors for a successful implementation of an ISMS is knowing what to expect. The worst thing that can happen to you is noticing midway through the implementation that an ISMS according to ISO 27001 is not what you want, is too expensive, or requires too many resources to operate.

First of all, try to reflect on why you want an ISMS at all. Depending on what role you occupy within your company, the reasons might be quite different. If you’re responsible for (information) security, you might have been told to do so. Or you might want an ISMS on your own account in order to adequately protect the information you are responsible for. If the latter is the case, you will need to get management support. This is one of the most important factors for a successful ISMS. It’s one of the standard’s requirements – but the real reason is that operating an ISMS requires resources. And lots of them.

On the one hand, you will need money to implement controls and information security safeguards. On the other hand – and more importantly – you will need a lot of your coworkers’ time. It’s important to note that an ISMS is not something a single person can implement. Actually, the role of the security manager is to coach everyone and manage the project. Most information (e.g. for the risk analysis) has to be gathered from the managers and employees of the respective departments. Typically the managers are not too keen on spending time on these things. So it is vital to get support from top management.

If you’re from top management yourself, you too need to think about your reasons. Due diligence might be a good reason; however, if you only want a(nother) certificate to hang on the wall, I can guarantee that there are easier ways than getting an ISMS. I don’t want to keep anyone from getting certified. However, you need to be aware that a functioning ISMS not only needs to be implemented, but also operated. Operation is typically the most difficult part, because the excitement of the project is over.

My recommendation in this phase is to read the standard. If you’re from top management, reading ISO 27001 will suffice. If you’re responsible for security, I suggest you also have a look into ISO 27002 (formerly ISO 17799). I know it’s a boring read (a good pillow book if you’re suffering from insomnia), but it will help you determine whether an ISMS according to the standard is what you actually want. It will also help you get a first feeling for how much work it’s going to cause.

Picture of all-seeing eyes by Pulpolux
