Why is Leadership Support Important to an ISMS?
Elizabeth Denham is the UK Information Commissioner, heading the supervisory authority that leads on GDPR in the UK. She is on a mission to move UK PLC away from ‘tick box’ security and privacy towards embedding them in the fabric of organisations.
We echo that vision. Whatever the business case says on paper, if leadership don’t believe in the security and privacy benefits themselves, the ISMS is unlikely to succeed in practice. Making the business case benefits more visible, and treating an ISMS like any other investment, is a good way to bring leadership onside, and this document will help with that planning.
It’s also likely there are already pockets of good information security and privacy practice, tacit or explicit. It’s unusual to be starting from zero, so finding the leaders who already have good habits is a sensible place to build from, and they can model the new behaviours for everyone else.
The organisation also needs to decide the specific outputs it wants from investing in an ISMS, e.g. whether to seek independent certification against a recognised standard like ISO 27001 from a UKAS-accredited certification body. To a large degree that will be driven by external forces: the expectations of your most powerful stakeholders, points of differentiation from competitors, the requirements of being in your market, and the value at risk from your current ways of working. These are all considered in more depth as part of developing the business case for an ISMS. An ISMS that fits the business delivers a positive return on investment. The goal of our whitepaper is to show you why, what, and how you can get RoI from an ISMS that fits the business needs.
What are the key considerations when building the business case for an ISMS?
- Context
- A growing challenge
- Three reasons why nothing happens
- The return on investment from information security management
- A point on people
- In considering the technology
- What is an ISMS?
- What are the components of an ISMS?
- Why do organisations need an ISMS?
- Is your organisation leadership ready to support an ISMS?
- Developing the business case for an ISMS
- Benefits to realise – Achieving returns from the threats and opportunities
- Evaluating the threats
- Identifying the opportunities
- Stakeholder expectations for the ISMS given their relative power and interest
- Scoping the ISMS to satisfy stakeholder interests
- GDPR focused work
- Doing other work for broader security confidence and assurance with higher RoI
- Work to get done for ISO 27001:2013/17
- Build or buy – Considering the best way to achieve ISMS success
- The people involved in the ISMS
- The characteristics of a good technology solution for your ISMS
- Whether to build or buy the technology part of the ISMS
- The core competences of the organisation, costs and opportunity costs
- In conclusion