What are the components of an ISMS solution?
As touched on earlier, the main components of an ISMS are summarised in the image. The solution comprises two main investments to bring it alive:
The real size of these pie slices, in terms of time and cost, is all dependent on the objectives, the starting point, the scope of jobs to include in the ISMS, and the organisation’s preferred way of working.
Investing well in one slice will help reduce or avoid much larger investments of people or technology in the other slices, especially when looking at a whole-life cost basis.
Whilst ‘content’ (your policies and controls documentation) is very important, it’s only one component of an ISMS and there are many pitfalls to avoid.
- Purchasing low-cost generic policy documentation may give you a bunch of cheap policies, but they will not be ‘actionable’. They may even encourage unnecessary work for your organisation.
- Consultants who do the implementation their way without understanding your business practices, who do not share ‘the secret sauce’ so you have to use them forever, and who do not align the work to recognised standards.
- Failure to consider the whole-life consequences beyond implementation, e.g. dropping spreadsheet documents into a Google folder or SharePoint-style technology system without considering the ongoing management, coordination, reporting and control requirements for everyone involved.
These approaches will cost much more in the long run, or carry large opportunity costs, so consider the total cost of ownership, not just the initial implementation.
An ISMS delivers a positive return on investment. The goal of our whitepaper is to show you why, what, and how you can get RoI from an ISMS that fits the business needs.
What are the key considerations when building the business case for an ISMS?
- A growing challenge
- Three reasons why nothing happens
- The return on investment from information security management
- A point on people
- In considering the technology
- What is an ISMS?
- What are the components of an ISMS?
- Why do organisations need an ISMS?
- Is your organisation leadership ready to support an ISMS?
- Developing the business case for an ISMS
- Benefits to realise – Achieving returns from the threats and opportunities
- Evaluating the threats
- Identifying the opportunities
- Stakeholder expectations for the ISMS given their relative power and interest
- Scoping the ISMS to satisfy stakeholder interests
- GDPR focused work
- Doing other work for broader security confidence and assurance with higher RoI
- Work to get done for ISO 27001:2013/17
- Build or buy – Considering the best way to achieve ISMS success
- The people involved in the ISMS
- The characteristics of a good technology solution for your ISMS
- Whether to build or buy the technology part of the ISMS
- The core competences of the organisation, costs and opportunity costs
- In conclusion