Meeting even a single regulation such as GDPR already implies a range of work that has to get done. It is listed below:
1. Information you hold:
- Personal data inventory and understanding of information flows internally and externally through the supply chain.
- Records of processing tracker to demonstrate the privacy and security controls in place.
2. Risks: Confidentiality, Integrity, Availability (CIA)
- Identification & evaluation of risks based on CIA.
- Ongoing management of risks, including evidence of the work being done on them (policies and controls put in place) and regular reviews of whether each risk is to be tolerated, terminated or otherwise addressed.
3. Policies and Controls Management:
- Individuals' rights and privacy policies & controls based on the risks.
- Information security policies & controls based on the risks.
- Aligning of policies and controls to recognised standards, certifications and regulatory frameworks (where required to meet powerful stakeholder expectations).
- Regular reviews of policies & controls, and demonstrating these have taken place.
- Evidencing the consideration of recommended policies & controls to follow recognised frameworks and checklists such as those issued by the ICO, ISO and others.
4. Assessments and Requests to ensure privacy & security by design:
- Legitimate Interest Assessments
- Data Protection Impact Assessments
- Subject Access Requests
- Rights to object, to restrict processing and to be forgotten
5. Incidents and BCP:
- Security Incident Management (including events and weaknesses)
- Business Continuity Planning and implementation management
6. Staff engagement:
- Communications & awareness around privacy and information security – planned and as needs arise
- Dynamic & continuous compliance as the organisation changes its policies, controls and practices.
7. Supply Chain:
- Communications & awareness around privacy and information security – planned and as needs arise
- Dynamic & continuous compliance as the organisation changes its policies, controls and practices.
- Contracts, contacts and relationship management
- Beyond suppliers, into go-to-market partners and others with access to personal data.
8. Whole System Coordination and Assurance:
- Reporting and monitoring of ISMS performance
- Audits and regular reviews with recommendations & resolutions
- Evidence-based working and integrity of the whole system
- Visibility of progress and status at all times
An ISMS delivers a positive return on investment. The goal of our whitepaper is to show you why, what and how you can get RoI from an ISMS that fits your business needs.
Build your business case for an ISMS
What are the key considerations when building the business case for an ISMS?
- Context
- A growing challenge
- Three reasons why nothing happens
- The return on investment from information security management
- A point on people
- In considering the technology
- What is an ISMS?
- What are the components of an ISMS?
- Why do organisations need an ISMS?
- Is your organisation leadership ready to support an ISMS?
- Developing the business case for an ISMS
- Benefits to realise – Achieving returns from the threats and opportunities
- Evaluating the threats
- Identifying the opportunities
- Stakeholder expectations for the ISMS given their relative power and interest
- Scoping the ISMS to satisfy stakeholder interests
- GDPR focused work
- Doing other work for broader security confidence and assurance with higher RoI
- Work to get done for ISO 27001:2013/17
- Build or buy – Considering the best way to achieve ISMS success
- The people involved in the ISMS
- The characteristics of a good technology solution for your ISMS
- Whether to build or buy the technology part of the ISMS
- The core competences of the organisation, costs and opportunity costs
- In conclusion
We’re more affordable than you’d think