Who are the people that should be involved in the ISMS?
Getting the balance of people and technology right is key to meeting all stakeholders’ expectations. Too many people or too much time involved, and it will cost too much or carry the opportunity cost of those resources not delivering value elsewhere. Not enough people, and the ISMS will fail to deliver on its promises, leaving the organisation exposed to the threats and missing the opportunities identified earlier.
Capacity, Capability and Confidence are the 3 C’s we talk about with customers to ensure that their resources are able to achieve the goals. Typical skills and experiences required for ISMS success include those shown below, where the time required is dependent on the starting point, ISMS goals and the technology solution adopted alongside the people.
- Information security
- Commercial (buy and sell side)
- Change management
As would be expected, there is a higher initial investment during implementation before the effort settles into a steadier pattern over time.
Outsourcing some of that work to specialist consultants can make sense, and there is a growing market for ‘virtual’ and ‘on demand’ expert support (CISO, DPO, etc.), usually enabled by good technology as part of the solution too. Internal leadership should still be involved, and the business must have strong representation in its area of scope to reinforce the culture, values and desired ways of working.
If the people involved in the ISMS are ill-equipped or lacking Capacity, Capability or Confidence, they can be supported with sustainable and affordable technology, not just more people. Technology solutions such as ISMS.online also offer virtual learning and pre-configured documentation that is easy to Adopt, Adapt and Add to as it complements the technology platform features, helping drive down total cost and speed time to ISMS success.
An ISMS delivers a positive return on investment. The goal of our whitepaper is to show you why, what, and how you can get RoI from an ISMS that fits the business needs.
The key considerations when building the business case for an ISMS
- Building the business case for an ISMS
- The Challenge is Growing
- Three Reasons Why Nothing Happens
- Planning the business case for an ISMS
- A Point on People
- In Considering The Technology
- What is an ISMS?
- Understanding the Components of an ISMS
- The People Involved in the ISMS
- Why Do Organisations Need An ISMS?
- Is Your Organisation Leadership Ready to Support an ISMS?
- Developing the Business Case for an ISMS
- Achieving Returns from the Threats and Opportunities
- Stakeholder Expectations for the ISMS given their Relative Power and Interest
- Scoping the ISMS to Satisfy Stakeholder Interests
- GDPR Focused Work
- The Return on Investment from Information Security Management
- Doing Other Work for Broader Security Confidence & Assurance with Higher RoI
- Build or Buy – Considering the Best Way to Achieve ISMS Success
- The characteristics of a good technology solution for your ISMS
- Whether to Build or Buy the Technology Part of the ISMS
- The Core Competences of the Organisation, Costs and Opportunity Costs
- Evaluating The Threats
- Identifying The Opportunities
- Work To Get Done for ISO 27001
- In Conclusion