We’ve covered a lot of ground since this series of security articles was first posted. Here’s a reminder of the main topics we’ve explored:
- Information Security Management System and How to Start
- Framework Focus
- Organisation Management
- Asset Management
- Information Management
- Access Control
- Physical Security
- Use of ICT Systems
- ICT Operational Management
- Software Development
- Human Resources
- Third Party Relationships
- BCP and DRP
As was stated way back at the start of this series – security involves attempting to avoid the many situations that can have an impact on one, some, or all of the things that make up your information technology solution.
Each of the individual posts outlined one group of measures to be considered in the creation of an ISMS to handle your security requirements. The sum of these articles provides an overview of the most obvious areas that will need focus. However, they did not provide absolute detail on what should be in place; the articles were designed to prompt your thinking on the topics as they apply to you. The actual solution will depend on your technology environment and how you operate within it.
Given that much of what was included is based on the recommendations of ISO/IEC 27002, there is wriggle room for what you choose to implement and how. In truth, building a framework that includes all of the recommendations is probably more suited to large organisations who need to deal with legislative requirements or align with customer compliance demands. However, in theory, all of the recommendations are valid for any organisation, as long as they are cut to suit the shape and size of the environment.
Where to from here?
As with any framework, there are many elements in an ISMS that probably wouldn’t be appropriate for everyone. The point here is that you have to pick what works for you. The key is to adopt a mindset similar to what is implied by 27002 – exercise good common sense in relation to the protective measures and policies that are relevant for you. And don’t underestimate the need to spend time building awareness of security within your organisation. Keeping your information and technology systems secure is the ultimate team game!
Finally, every organisation considering implementing an ISMS needs to make a decision on the benefit vs the cost of implementation. If the cost seems too high, think about the cost and impact a major security incident would have on you, then evaluate it again!
Above all, don’t do nothing.
And start now, not later!