Why Do You Need an Information Security Management System?

Information Security

By Julie Kendall

Last time, we brought you some facts and figures related to information breaches and their associated costs. Now we’ll get into more detail about why an ISMS is important to your business.

Even though the evidence is clear that an information security breach significantly increases the reputational risk an organization faces in its marketplace, many executive teams still find it difficult to allocate sufficient funds and resources to information security on a consistent basis.

Some executive management teams expect IT to decide what resources are necessary to protect the company's information, and to do so within the existing IT operational budget. Managing information security and its associated risks requires the active participation of every major stakeholder in the company, because the risk profile of the entire organization is affected. IT cannot make that decision independently of the rest of the organization. Business management must take the lead in assessing information security risks and deciding which controls to implement to manage them. After all, it is the business side that actually owns the data. IT will certainly implement the mitigation strategies, but it is business management that must determine which risks are acceptable and whether each should be mitigated, accepted, or transferred.

Why is an ISMS important?

Implementing a risk-based information security management system (ISMS) within an organization is critical because businesses today rely heavily on their digital data to operate. Management must define a set of information security policies and processes to be followed by all staff, and must put mitigation measures in place to manage the identified risks to the organization's information assets. Without clear guidance from management on how to mitigate the information security exposures the organization faces regularly, employees act inefficiently and ineffectively, and the likelihood of a significant loss rises when unmitigated vulnerabilities are exploited.

Next time we'll discuss ISO/IEC 27001, the internationally accepted risk-based information security management standard. Stay tuned!

For assistance in identifying gaps in your information security efforts and the steps you should consider implementing to become compliant with the ISO/IEC 27001 standard, please contact KAI Partners by email at info@kaipartners.com. We can help you address your information security risks and train your staff to minimize them.

About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years' experience in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie's work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 information security control compliance consulting and testing, and IT audit software development consulting and project management. Julie has provided training consultation for CISA exam reviews for IT auditors, and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI DSS, HIPAA, and ISO 27001. Her primary focus in the last 10 years has been on the financial services industry, high technology manufacturing, state governments, and digital content production companies.


KAI Partners, Inc.

1512 Eureka Rd. #215 Roseville, CA 95661

© 2023 KAI Partners, Inc. All Rights Reserved.