Monday, February 24, 2020

10 Thumb Rules to consider before implementing an ISMS - ISO 27001


With organisations adapting to and embracing Cyber Security, either as part of Information Security hygiene or to meet compliance requirements, they are finding it difficult to evaluate the right implementation partners for an Information Security Management System, otherwise known as ISMS - ISO 27001:2013.
The challenge most organisations face is that they rush into the implementation project without knowing the amount of work involved or the quality of contribution they must make in order to achieve a basic Information Security framework.
Having worked with a good number of organisations where the project derailed due to a lack of information or expertise on the part of the implementation consultant (mostly a single-person dependency), I offer the following thumb rules to help an organisation decide on the right approach to implementing an ISMS.
  • Approach a professional organisation, not an individual. Dependency on a single individual is in itself a high-risk issue. The Information Security Management System must cover aspects of People, Process and Technology, and most individual professionals are handicapped when it comes to technical evaluation.
  • Get away from the notion that mere policies and procedures suffice for ISMS certification. It is a misconception that has been promoted and is prevalent in the market. One size doesn't fit all.
  • Organisations are unique in the way they offer their products, services and solutions. Each organisation must evaluate its internal and external stakeholders and perform a robust Risk Assessment. The Risk Assessment is the core of arriving at what is applicable to the organisation in its Information Security Management System. Too often the Risk Assessment of one organisation is copied, pasted and reused for another organisation by technically challenged individuals.
  • Select an organisation that is technically capable of evaluating the current technical Information Security controls. A checklist to identify weaknesses will not suffice.
  • Organisations should do due diligence before selecting the ISMS implementation partner. Look for organisations with experience in Vulnerability and Threat Assessment, Secure Monitoring, Fraud Detection, Incident Response, etc.
  • Look for implementation partners who have experienced Lead Auditors and technical Cyber Security Analysts. Ask for their project management and delivery approach for ISMS implementation.
  • Conduct due diligence to check whether the ISMS professionals are on the payroll of the service provider or are part-time freelancers deployed as a stopgap arrangement. Look for credentials and credibility.
  • Consider a realistic timeline. However small an organisation may be, a good ISMS implementation as mandated by the ISO 27001:2013 standard takes between 12 and 16 weeks per site. With multiple sites, the schedule varies accordingly.
  • Organisations must not think that this is the IT function's responsibility alone. Although IT is a valuable contributor, it should be understood that all functions involved in the ISMS framework are contributors as well.
  • Organisations must always engage a third-party Certification Body and must not use the same implementation partner to award certification. As a matter of best practice, engage a separate ISMS implementation partner and an independent Certification Body to certify what has been implemented.

Information Security Management System (ISMS) implementation may look highly complicated, but by choosing the right partner through ISO 27001 vendor assessment, the effort becomes less cumbersome and more professional. At the end of the day, Cyber Security matters. A wrong approach or a misunderstood scope may prove futile at the evidence-gathering stage, leading to delays in the certification process or even repeating the entire exercise from the start. It is about time organisations think seriously and build a culture in which a mere certificate hanging on the wall is no longer acceptable; instead, practise and promote a Cyber Security culture within the organisation and propagate it to partners, such as Information Security service providers, working alongside the organisation.
Conclusion

Accomplishing and maintaining ISMS implementation and assessment with IARM Information Security delivers optimal solutions to your setbacks. We have a dedicated team of certified ISMS experts to implement the ISO 27001:2013 standard framework in your organisation. Our experts specialise in ISMS consultancy and implementation, ISMS assessment, ISMS auditing, ISO 27001 controls and ISO 27001:2013 Information Security GDPR.

Thanks and Regards
Priya


