Designing and maintaining an Information Security Management System (ISMS) aligned with a common standard for information security and cyber security management, such as ISO/IEC 27001:2013, the NIST Cybersecurity Framework or SOC 2, is a task almost every organisation that needs to protect its own and its customers' information faces. At Alyne we regularly support our customers on this journey through our Software as a Service (SaaS) and have observed some common challenges, as well as some success factors:
- Targeting 100%
An ISMS does not mean that every control has to reach 100% maturity from the start. It means having an appropriate management process in place that covers the full scope of the ISMS. In practice this means actively managing information and cyber risk, and for each identified risk deciding on a treatment: a concrete action with an owner and a deadline, or a documented risk acceptance. A control at 40% maturity with a documented, approved plan is a healthy ISMS; a control declared "done" without evidence is not.
- Obsess over technical measures
Information security management is often reduced to individual technical measures, because these are easy to understand and easy to buy. What an ISMS teaches is that the security posture actually improves through the combination of technical and organisational measures, held together by engaged management: a firewall without a change process, or an access control system without a joiner/mover/leaver process and periodic access reviews, delivers far less than its specification suggests.
- Tick the Box
Reducing an ISMS to ticking boxes will ultimately fail, and so will trying to delegate the task from management to another part of the organisation. It is not called a management system for nothing: leadership commitment, resourcing and regular management review are explicit requirements, not optional extras. As management, either take part or don't start at all.
- Integrate Organically
Make the ISMS part of the regular agenda of interactions you already have with the relevant stakeholders, rather than scheduling new recurring meetings. That way you minimise disruption and use existing contact points to formalise decisions, risk acceptances and review outcomes as ISMS records.
- Leverage Framework Synergies
Don't approach the ISMS in isolation. From a process, people and technology standpoint there is a large overlap with related topics such as data privacy, operational risk management, business continuity management (BCM), internal audit and more: the same asset inventory, the same risk register and the same control owners serve all of them. Your investment of time and budget is much better spent if you build the ISMS capability in this broader context.
- Solve in a Sprint
Carve out time in your calendar and get a large part of implementing or reviewing the ISMS done in one go over a few days. This minimises the overall time spent on the topic; if these activities drag out over months, you quickly lose momentum and the context built up in earlier sessions.
For further information, see Alyne's dedicated ISMS resources aligned to the ISO 27001 standard.