First steps to implement an ISMS
BRUSSELS | April 2, 2019: The objective of an Information Security Management System (ISMS) aligned to the internationally recognized standard ISO 27001:2013 is to protect the confidentiality, integrity, and availability of your company data/assets. This will bring more value to the company and more confidence from your customers.
Benefits of an Information Security Management System according to ISO 27001
Some companies may falsely believe that they don't need a formal ISMS. They may already have certain controls in place or be deploying modern technology to protect themselves from cyber-attacks. However, the benefits of implementing an ISO 27001-compliant ISMS are far greater than many people perceive or realize.
- It encompasses people, processes and IT systems by recognizing that information security is not just about antivirus software. It also depends on the effectiveness of organizational processes and the people who manage and follow them.
- It helps you to coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively.
- It provides you with a systematic approach to managing risks and enables you to make well-informed decisions on security investments.
- It can be integrated with other management system standards (e.g. ISO 22301, ISO 9001, ISO 14001, etc.) ensuring an effective approach to corporate governance.
- It creates better work practices that support business goals by defining roles and processes which should be clearly attributed and adhered to.
- It requires ongoing maintenance and continuous improvement. This ensures that policies and procedures are kept up-to-date, resulting in better protection of your sensitive information.
- It gives you credibility among staff, clients and partner organizations and demonstrates due diligence.
- It helps you to comply with corporate governance requirements.
- It can be formally assessed and certified against ISO 27001, providing additional benefits: demonstrable credentials, customer assurance, and competitive advantage.
ISMS – Challenges of the implementation process
As you may already know, a high-level implementation process consists of defining the scope, analyzing the current status of the processes, conducting gap analyses, writing policies and procedures (or aligning the current ones) and, at the end, approving and integrating them into your company's day-to-day activities. Sometimes this integration may take time, depending on the size of the company, how long it has been established and, of course, the corporate culture. And sometimes the employees may not all be in favor of the process.
There are six recognized phases of managing cultural change which almost every company goes through:
- Denial Phase: “They aren’t really going to go through with it”
- Anger Phase: “What a waste of time and money”
- Bargaining Phase: “If they want me to do that, fine, but I won’t have time to do my other duties” or “if they make me do that I’ll resign”
- Depression Phase: “This is really happening and there is nothing I can do about it”
- Acceptance Phase: “Well this is how it is, but things aren’t so bad”
- Moving on Phase: “Actually this new set up is better than the old one and I can make this work for me”
Even if it looks very straightforward at first glance, many companies make mistakes when trying to decrease their implementation costs by narrowing the scope of measures or neglecting some of the requirements of the standard.
Data protection in our own house: ISMS at your company
To achieve the challenging task of setting up an ISMS, you need to hold initial meetings with many business process owners and managers. This is an important step in the implementation because you will gain a deeper understanding of the processes and the different business-specific requirements and, last but not least, you will define the interested parties. To organize these meetings, you need to send the meeting requests two weeks in advance, because people work on many different projects and some of them may be on business trips.
Senior Management Support is the key
There is no way not to mention the fact that one of the essential elements for implementing an ISMS is Senior Management support. Based on my experience, I can say that this support will boost the process. How? For example: if in your company there are no physical access controls on the main section doors inside the building, this means that persons from outside could easily enter the building under some pretext, such as going to the HR department or having a delivery for someone. Once inside the building, they could walk around freely without any limitations. Once you install such a system, the situation will be much better: physical access controls are in place on each section door, and without an appropriate access card, visitors cannot open the doors and walk around freely. A little bit more secure, right?
So, without management support, how would you ever be able to implement such security controls? It just doesn’t work!
Partner with Engie Laborelec
ENGIE Laborelec has strong knowledge and field experience in assessing and implementing such processes, combined with vast experience with Industrial Control Systems (ICS). Our team will start supporting your implementation project with training, awareness sessions, and workshops. On request, we will perform a comprehensive cybersecurity assessment, define and implement ISO 27001-compliant policies and procedures, and put in place a continuous improvement cycle supported by internal audits, management reviews, and ISMS metrics.
Do you want to know more about it and have a conversation with our experts?
Email us or use the contact form.