Ensure your ISMS delivers long after the last unwanted gift has been discarded
Sensible CTOs have been compiling their Christmas lists for some time.
There’s no time quite like the start of a new year to set business objectives and goals and embark on fresh projects that will bring about positive business improvements.
And, with security incidents now costing UK organisations an average of £2.6 million, up 53% from 2015*, what better reason could there be for placing information security at the top of the agenda in 2017?
Of course, some CTOs will already have been set the challenge of achieving ISO 27001 certification in 2017.
Others will simply want to follow established information security frameworks to build their ISMS, knowing that improved business processes will lead to improved cyber security.
All will be painfully aware that they have only until May 2018 to be fully compliant with EU GDPR.
Whatever the reason, an effective ISMS is a good one to add to the Christmas wish list: it is sure to demonstrate results for multiple stakeholders and, delivered correctly, will elevate you to shining star status for the organisational benefits it delivers.
However, how will you make sure your ISMS has longevity? Remember… an ISMS is for life not just for Christmas!
Here are our tips for building an easy-to-maintain ISMS that will continue to manage the protection of your valuable information assets and help you win new business too.
Gain board level support early: An information security management system will only be effective with the full and active support of the board. Prepare your argument in terms of costs, return on investment, risks, threats and opportunities, and give the board confidence that your ISMS will include the metrics by which you, and they, can easily measure its success.
Follow a recognised ISMS framework: Why waste time creating your own? ISO 27001 is the internationally recognised best practice standard. Look for a UKAS accredited software solution that not only includes this and other frameworks but also accredited, pragmatic policies that you can easily adopt, adapt or add to for a time-saving head-start.
Set realistic timescales: As with any project, setting timescales that are challenging but achievable will ensure you don't lose momentum. Whilst it may be tempting to allow a long lead time so that the project doesn't impact negatively on your day-to-day operation, commitment and impetus can be lost if execution is too slow. Assigning tasks with due dates will help everyone stay on track, and being able to view progress against your timelines will help you manage the project successfully.
Use lean and agile management methods: Commitment to your ISMS will depend significantly on the level of resource and management time it needs. Simplifying and streamlining the process using ISMS management software will dramatically reduce the resource needed, not just in implementation but also in ongoing management and reporting.
Consider & prepare for EU GDPR now: EU GDPR will have an impact on how you shape your information security policies and controls. Consider a software solution that incorporates a framework that helps you prepare for EU GDPR and with tools that help you manage the required processes. Remember, you must be compliant by May 2018.
Beware of pre-populated risk assessment software: As with policy templates, there is a danger in using someone else's evaluation of risk. Risk management software is purely a tool that should simplify and improve the process, allowing you to apply your own set of criteria to securing all of your information assets. Many tools on the market still address risk in terms of physical assets rather than the information assets called for in the 2013 standard. Look for risk management software that lets you easily identify, analyse, evaluate and treat each risk, and that gives you the policy describing the methodology.
Live the ISMS: There is little value in an information security certificate itself; the value lies in the strategy and processes it engenders. The correct set of management tools will ensure your ISMS becomes a seamless and integral part of your business processes rather than a bureaucratic manual that restricts normal business activities.
Create a culture of continuous improvement: The ISO 27001:2013 standard incorporates the concept of continual improvement. Involving staff in the process of continually improving information security promotes engagement. Again, having a software system that helps to facilitate this will ensure your ISMS remains relevant and continues to be a business enabler.