Author: Graeme Parker
Managing Director of Parker Solutions Group PECB
1: Organizational Context
A lot of people talk about implementing an ISMS and often think it is an extremely complex thing to do, but actually there are a number of key steps which will allow you to get your ISMS off the ground very quickly, within a 10 day period. Following on from that, you really need to embed it in the organization and its culture. The first step to success is to understand what we call the context of your organization. That is simply about taking some time to understand the kind of products and services you offer to your customers and the kind of risks your organization faces, so that you can build your ISMS around the right parts of your business and protect those processes that really do need to be controlled from a security point of view.
2: External Organizational Context
Once you have an understanding of the internal context, those important business processes and assets and so forth, you then need to look at what is going on outside your organization: what legislation applies to your business from a security point of view, and what threats and risks you face from the outside. If you hold intellectual property, would your competitors be interested in it? Would cyber criminals be interested in the kind of data you have? From that understanding you can set about writing your ISMS scope. The ISMS scope is absolutely critical. If you start with a fairly small scope you can implement an ISMS quite quickly, and over time your strategy can be to grow the ISMS from there.
3: Information Security Policy
Once you have understood the scope and exactly where in your organization you would like to start implementing your ISMS, the next thing is to ensure that your management fully understands your strategy and the benefits behind it. One way of showing management commitment is to put together a clear information security policy. That policy is where you state what your ISMS is trying to achieve, i.e. its objectives, and you should have a number of objectives that focus both on security and on the commercial benefits your ISMS can bring.
4: Management Approval
Once you have put that policy together, this is when you really convince management. In many organizations, one of the best ways to convince management is to show that implementing proactive processes can, believe it or not, reduce your costs. You reduce costs by understanding the risks you face and your business processes; when you do, you often find many opportunities for efficiency savings, and you reduce the cost of potential security breaches going forward. But the biggest thing, I think, that a lot of organizations see when they are certified to something like ISO 27001 is that they become recognized by their customers as taking cyber security and information security seriously. With those messages, the next step is to get management's sign-off, so everybody knows the ISMS is driven from the top of your organization.
5: Risk Assessment
A little earlier we said that you start by understanding the context and thinking about some of the risks to your information security and where they might come from. The next step is to agree the process for how you are going to assess those risks, weigh them up and decide which are your most significant. A lot of organizations get very scared of this because there are many complicated and in-depth risk assessment methods out there, but if you are looking to get an ISMS off the ground quickly there is nothing to stop you starting with a basic methodology: just come up with some risk scenarios. The way I tend to do it is to ask questions such as “Where are the threats coming from?”, “Who is out there who might want to compromise our information or steal our information?” and “What kind of techniques might they use?”. There are usually a number of contenders, whether insider fraud risks, attacks from cyber-criminal groups, competitors and so forth. Very quickly, through a simple brainstorming session, you can identify those potential sources of risk; then it is a simple case of having some kind of scale to weigh the likelihood of those scenarios coming true against the level of potential damage that could be done. There are quite a number of simple, easy to understand methods out there that will at least get you started. Later on you can obviously become more sophisticated and dig deeper into these risk scenarios, but to get the ISMS off the ground within the 10 days we are talking about, this is a great place to start.
6: Risk Treatment Plan
Once you understand the risks you are facing, you can work with your colleagues in your organization to come up with something called a ‘Risk Treatment Plan’. Quite simply, a risk treatment plan lays out, for each of those risks, whether the risk is acceptable to the organization or whether you will take some kind of action to reduce it, or at least manage it to a level that both the organization and its management are comfortable with.
7: Risk Measures
Once you have your risk treatment plan together and have decided what actions you are going to take, look at Annex A of ISO 27001. At first this can be very overwhelming: there are 114 security controls in there. But the good news is that it is not mandated that you implement each and every one of them. What you do is take a good look at those security controls and choose the ones that are relevant to your organization, based on the risk assessment you did earlier.
8: Statement of Applicability
Once you have identified what those security controls are, you document all of this in a Statement of Applicability; a simple spreadsheet approach works well for this. The Statement of Applicability simply says which of the controls you are implementing and why, and which controls you have chosen not to implement. If you choose not to implement a control, it is very important that you can justify that and state why. For me, when you are deciding which controls are required, it comes back to three or four different things:
1. Is there a risk that you need to manage (in which case you select a control)?
2. Is there a legal requirement to implement the control (certainly when you look at data protection regulations and the GDPR that is coming up, these have certain requirements for controls)?
3. Is there a regulatory reason for the control (if you process credit card data, for example, you will have demands from PCI DSS and things like this)?
4. Is there a contractual obligation from your customers (who might ask you to implement certain things, such as responding to an incident within a certain timeframe)?
These are some of the things you might consider. Of course, we know that when you look at the security of many organizations, they have probably implemented many of the ISO 27001 controls already. You might call those your baseline controls, so it is also worth looking at what you already have in place.
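As an added worked example, not code from the original article, assuming a five-point likelihood and impact scale, a risk appetite threshold of 6 and constructed risk scenarios, this Python script carries steps 5 to 8 through: scoring each scenario, deciding accept or reduce for the risk treatment plan, and producing Statement of Applicability rows with a justification for every included and excluded control.

```python
from dataclasses import dataclass
# Constructed five-point scales: the "simple, easy to understand" scoring the article describes.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6  # assumed threshold: a score at or below this is accepted, above it is reduced

@dataclass(frozen=True)
class Risk:
    scenario: str         # e.g. "insider copies the customer database"
    likelihood: str
    impact: str
    controls: tuple = ()  # Annex A control references proposed to treat this risk (illustrative)

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def treatment(risk: Risk) -> str:
    """Risk treatment decision against the agreed appetite: accept or reduce."""
    return "accept" if risk.score <= RISK_APPETITE else "reduce"

def treatment_plan(risks):
    """Risk treatment plan rows (scenario, score, decision), most significant risk first."""
    return sorted(((r.scenario, r.score, treatment(r)) for r in risks), key=lambda row: -row[1])

def statement_of_applicability(risks, obligations):
    """SoA rows, control -> {'applicable': bool, 'justification': [...]}: applicable if it treats a
    risk marked 'reduce' or meets an obligation; linked only to accepted risks -> excluded, with reason."""
    soa = {}
    for r in risks:
        for control in r.controls:
            row = soa.setdefault(control, {"applicable": False, "justification": []})
            if treatment(r) == "reduce":
                row["applicable"] = True
                row["justification"].append(f"risk: {r.scenario} (score {r.score})")
            else:
                row["justification"].append(f"not needed: '{r.scenario}' accepted (score {r.score})")
    for control, reason in obligations.items():  # legal, regulatory or contractual drivers
        row = soa.setdefault(control, {"applicable": False, "justification": []})
        row["applicable"] = True
        row["justification"].append(reason)
    return soa
# Constructed sample register from the brainstorming step; control numbers follow ISO 27001:2013 Annex A.
SAMPLE_RISKS = (
    Risk("Insider copies the customer database", "likely", "major", ("A.9.2.3",)),
    Risk("Ransomware from a cyber-criminal group", "possible", "severe", ("A.12.3.1",)),
    Risk("Competitor obtains draft marketing plans", "unlikely", "minor", ("A.13.1.1",)),
)
SAMPLE_OBLIGATIONS = {"A.18.1.4": "legal: GDPR protection of personal data",
                      "A.16.1.5": "contractual: customer requires incident response within an agreed time"}
```

The accepted competitor scenario shows the point the article makes about exclusions: the control it was linked to still appears in the SoA, marked not applicable, with the accepted risk recorded as the justification.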
9: Perform Internal Audit
Once you have taken those steps and have your controls in place, the next process to design as part of getting your ISMS off the ground is the internal audit process. An internal audit process simply allows somebody else in the organization, or perhaps outside the organization, to carry out an independent review of your management system. Again, you can do that fairly quickly if you start with a small scope: you can get the audit team to look at certain parts of your ISMS. What is important is that the people who perform the internal audit are independent of the work being audited; in other words, they are not auditing parts of the management system that they are responsible for or involved with, and they are competent. So how would you decide whether somebody is competent to do your internal audit? You could look at things like their experience and their certifications; something like ISO 27001 Lead Auditor certainly gives an idea of whether those auditors are competent. Once you have sourced your competent auditors, you can very quickly put together an audit program.
10: Management Review
The final step in the chain is to establish what we call a management review. Once you have taken the time to identify your risks, implement your controls, check that those controls are working and complete your internal audit, the final step is to work with senior management to understand whether the ISMS is achieving what you set out for it to achieve, and then to identify where you go from here in terms of your security strategy. I think the key thing to stress about all of these points is that these are the simple processes you need to design to get an ISMS up and running. Getting real benefit from your ISMS is not just about certification, and not just about doing what you need to do to get through the audit. There is a lot of work to do from here in terms of embedding these processes, raising awareness, getting people in your organization familiar with their role from a security point of view, and having a long-term strategy to achieve your objectives. But the 10 steps we have just talked about are a great way of starting the project and getting something together in your organization.