New to information and cyber security?


Are you thinking about improving your information security posture, or have you been advised to do so by a well-meaning customer in order to win or retain their business? Perhaps you are confused by jargon like ISMS or ISO 27001, and by the options for doing something about it? If you are wondering how it all fits together or what to do first, let's get you started...


What is an ISMS?

An Information Security Management System describes and demonstrates the organisation's approach to Information Security.

It includes how people, policies, controls and systems identify, then address the opportunities and threats revolving around valuable information and related assets.


Cyber security is all about addressing technology-led threats. Effective cyber security solutions are one part of the broader ISMS.


There are good reasons to invest in an ISMS


The facts speak for themselves...

  • Over 70% of small organisations reported cyber compromises in 2015*

  • The average cost of a security breach is £1.46m - £3.14m to a large organisation, and £75k - £311k to a small business*

  • 28% of the worst security breaches were caused partly by senior management giving insufficient priority to security*

  • The greatest inhibitor to defending against cyber threats continues to be low security awareness among employees, with 50% of the worst breaches in 2015 caused by inadvertent human error*

  • Organisations face fines of up to 4% of global turnover for a breach (under the EU GDPR in 2018)

  • Suppliers will not get past basic customer evaluation criteria without effective information security credentials, so there is little chance to grow the business

  • Done well, an ISMS will help your organisation improve and grow


What's included in an ISMS?

An effective ISMS is made up of 6 elements, as illustrated below. The real size of each pie slice, in terms of time, cost and so on, depends on your objectives, your starting point, the scope you want to include in your ISMS, and your organisation's preferred way of working.

Investing well in one slice will help reduce or avoid much larger investments in the other slices. But beware the pitfalls, such as following the cheap policy-documentation route, which will cost you much more in the long run.

[Figure: What is included in an ISMS]

A trusted ISMS follows recognised standards...

There are different levels of information and cyber security maturity, along with different standards you can achieve to evidence compliance. Those standards might be dictated by the nature of your business, its goals or your customers' expectations. Whatever your requirements, there is a proven approach to follow, so there is no need to make up your own!

Examples of recognised standards include...

  • ISO 27001 certification

  • PCI DSS compliance

  • Cyber Essentials certification

  • NIST certification

  • SSAE16 certification

Step into your customer's shoes

Which supplier's approach to information security would you choose to protect your valuable information?

1. No systems, policies or technology to support information or cyber security management

2. Some information security related policies, but not structured as a system or following any particular standard

3. Meeting the requirements for basic information security management, e.g. with Cyber Essentials

4. A self-certified compliant, but not independently accredited, ISO 27001:2013 based ISMS

5. A UKAS independently accredited ISMS meeting ISO 27001:2013

Whilst achieving level 5 costs slightly more initially, the return on that investment is going to be much higher. You'll be better protected from threats that might destroy your business, and prospective customers are much more likely to embrace your services. Your investment will be a fraction of what you gain from winning and retaining business, or of what you would pay out after a costly breach.

How to get it done

In considering 'what' to do, you'll also be considering 'how' to do it. Whether you take a DIY approach or bring in others to help, those 6 pieces of the pie will need investment for ISMS success.


Why consider our powerful cloud software?

Your focus will be on growing your business, not spending time developing the tools and technology to manage an ISMS. After all, the opportunity cost of losing focus, or spending longer than necessary, could be expensive.

There were no attractive solutions when we started, and that is why we built ISMS.online. Now you can benefit too. We'll equip you for success at a fraction of the cost and time of the alternatives, or of trying to build it yourself.


We make it simple

It's easy to build your ISMS using our software solution. ISMS.online facilitates effective project management and improved results, with everything you need for success in one secure online environment.

Read our case study to discover how a leading market research company made the change and immediately saw their implementation accelerate to a successful ISO 27001 certification.

"We achieved more in 3 months with ISMS.online, at lower cost, than we did in 18 months previously."
— Alex Batchelor, COO

ISMS.online capabilities include:

1. A simple-to-use ISMS, all in one secure online environment, that makes management easier, faster and more effective

2. An 'Adopt, Adapt, Add' approach to actionable policies and controls that lets you easily describe and demonstrate your ISMS

3. Simple, effective engagement and awareness for your staff, complementing existing ways of working

4. Integrated management of the supply chain to demonstrate end-to-end assurance and integrity

Ready to learn more?


Watch our free webinar

Build on what you learnt above by watching a more comprehensive seminar on the topic.

Learn what it takes to implement an ISMS, along with our tips for success.



* Source: the UK Government Information Security Breaches Survey 2015 and a range of other recent reports on the subject.