Organizations today are moving toward a paperless environment. As businesses become digitized, preserving confidentiality (C), integrity (I), and availability (A) has emerged as a major concern. As the environment grows increasingly complex, maintaining C, I and A becomes a tedious task. To preserve C, I and A, and to maintain customer confidence, organizations are implementing an information security management system (ISMS) as part of the ISO 27001 certification process.
Maintaining an organization’s C, I and A is a continuous process. Hence, merely implementing an ISMS is not enough. Technological advancement, high attrition rates, rising terrorist threats, and changing regulations make structural and environmental change inevitable. Risk assessment ought to take these changes into account and devise a risk mitigation strategy accordingly.
Lack of commitment can be fatal
While implementing an ISMS, everyone in the organization is extremely committed and focused, right from management down to the end users.
However, once ISO 27001 certification has been obtained, that dedication gradually diminishes and the organization reverts to the practices it followed before certification, as the graph below shows:
Graph 1 - ISMS Commitment
Most consulting firms today help organizations acquire ISO 27001 certification. However, they rarely comment on post-certification activities or managed information security services. Organizations themselves give little thought to sustaining the ISMS after implementation. Commitment dwindles because of:
1) The organization’s ignorance of post-certification activities.
2) Management’s belief that certification makes the organization secure for life, irrespective of any change, and its reluctance to invest money and resources after certification.
3) The organization’s lack of knowledge on how to measure the ISMS level.
It is rightly said, ‘what gets measured, gets managed.’ Hence, if you can’t measure your information security posture, managing it will be extremely difficult. Identify what needs to be measured, and develop a strategy accordingly.
Sustaining ISMS momentum
After implementing an ISMS, it is vital that organizations sustain their information security levels and try to raise the bar. The following best practices should be implemented to sustain the ISMS at its current level:
a) Self-assessment at department level (quarterly)
b) Internal audit (bi-annual)
c) External audit (annual)
d) Management review meeting
e) Review of asset classification and the risk assessment methodology (case by case)
f) Corrective action plan arising from each of the points mentioned above
g) Develop metrics to measure information security (this can be derived from incident reporting and audit reports)
h) Organize events such as an infosec week for the employees (quizzes, suggestions and presentations)
i) User/department/location level assurance that ISMS best practices are being followed.
j) Take continuous feedback from employees/interested parties on improving the ISMS posture.
k) End-user awareness training.
Last but not least, always remember that you can have the most robust information technology infrastructure, policies, and procedures, but if your people are not aware, the entire effort will go down the drain.
About the author: Dhananjaya Singh is an associate consultant for the information security practice at Mahindra SSG. He has an MCP, CISA and ISO 27001 – LA to his credit. Dhananjaya can be contacted on firstname.lastname@example.org.
This was first published in March 2011