By Julie Kendall
Last time we discussed in more detail the ISO 27001 standard for ISMS. As we wrap up our four-part series today, we’ll discuss what is needed to implement a successful ISMS framework.
What does it take to implement an effective ISMS framework?
First and foremost an Information Security Management System framework such as ISO 27001 can only be effective if executive level management support is unwavering, consistent and ongoing. Without top management buy in and commitment to support a ISMS framework you cannot expect your ISMS to be fully effective.
A centralized direction for all, clearly defined organizational responsibilities related to information security, and resource commitments in staffing and funding is required to ensure the approach to protecting sensitive information assets will be consistent and predictable. Trying to manage such sensitive assets by only relying on personal initiative is asking for trouble.
Information security should also be an integral part of an organization’s overall risk management process. Just as assessing the impact competitors is important for your company’s potential sales, assessing the impact on revenues if customers believe their sensitive data is not well protected is just as important to an organization’s success. Information security objectives must be related to business objectives and the control choices made by management must be based on a cost/benefit analysis so as to ensure the right resourcing and focus is going to the most vulnerable areas associated with sensitive information.
An information security management system must also enable people to do what they need to in a controlled and predictably safe manner. An ISMS is not effective if its implementation stops people from meeting their business objectives or does not provide management any assurance the activities done by staff are predictably safe.
An effective ISMS must also account for continuous improvement and ongoing evaluation. Business, like life, is ever changing and what works today may not be good enough for tomorrow. The ISMS framework should allow management a formal and regular means to determine if change in the control environment protecting sensitive information is necessary. This assumes regular control evaluations related to information security must be performed and the results analyzed by management so decisions and resources needed to affect change can be done expeditiously. Changes in business objectives and directions, economies, competition, customer satisfaction all contribute to the need to re-evaluate the ISMS for your organization and adjust as needed. New technologies, changes in trading partner needs, previously unknown vulnerabilities all require an organization to re-assess their risk profile as it relates to information security and business overall.
If your digital information is considered a valuable asset to your organization, you need to implement an Information Security Management System to safeguard those assets. Adoption and implementation of an effective, efficient information security management system framework like the ISO 27001 ISMS framework is cost effective and a ‘dollar worth spending,” before your data is lost or damaged.
For assistance in identifying gaps in your information security efforts and what steps you should consider implementing to become compliant with ISO’s 27001 standards, please contact KAI Partners by email info@kaipartners.com. We can help you address the risks associated with information security risks and train your staff to minimize your IS risks.
About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years’ experience working in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie’s work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 Information Security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews related to IT auditors and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI-DCSS, HIPAA, and ISO27001. Her primary focus in the last 10 years has been with the financial services industries, high technology manufacturing, state governments, and digital content production companies.