Vendor Risk Management

5 Common Issues In Building An Information Security Management System

Melissa Stevens | August 4, 2016

What is an Information Security Management System (ISMS)?

An information security management system (ISMS) is a structured approach used to better manage your company’s most critical data and information. It can be achieved by adopting an ISMS standard like ISO 27001 or NIST 800-53 and through a certification process. But integrating an information security management system at your organization can be fraught with issues and complexities. Below, we’ve outlined five issues you should avoid while building out your ISMS. 

5 Common Issues When Building An Information Security Management System 

1. You can’t identify your most critical data. This is the number one issue companies face when they set out to create an information security management system. Companies tend to have a difficult time identifying which data is most critical and why, because doing so requires a massive effort from many different areas within the company. 

For example, not all critical data is housed within a company so you must figure out who has access to it. What’s more, once this critical information is identified, the company must determine how to build proper controls that will reduce or eliminate the risk of that data ending up in the wrong hands.

2. Policies aren’t in place for protecting sensitive information. If you expect your employees to act a particular way in regards to your sensitive information, you must have policies in place regarding acceptable use. These policies should answer the following questions:

  • Can employees use public Wi-Fi for work purposes? 
  • Can employees with high-level access view sensitive information in their home offices?
  • Are there limits rules in place on what kinds of files employees download, and where they download them?
  • Is there a removable media policy in place?
  • Are there certain geographic boundaries in place for all technology?

3. Employees aren’t trained in company policies. For your information security management system to work appropriately, you must build a culture of cybersecurity from the top down. Top-level executives must send the right messages about information security in order for other employees to take it seriously — and your internal training processes must go hand-in-hand with that.

4. Technology isn’t implemented for your policies. For example, if your organization has a strict policy against employees accessing sensitive information on insecure Wi-Fi networks, you need to have technology in place to prevent employees from doing so. You can’t simply trust that all employees will pay attention to the policies you’ve created. Having behavioral analytics tools can help you identify when employees are using data outside of their normal activities, which may indicate that either the employee is doing something questionable or their credentials have been compromised.

5. You can’t limit vendor access to sensitive information. It’s important for your third parties to have the access to your data they need in order to do their job. But controlling the amount of sensitive data and network access your third parties have is critical in creating a functional information security management system.

See Also: Vendor Risk: 1 Issue That's Too Critical To Overlook

A Word Of Caution

The problem with information security management systems like ISO 27001 and NIST 800-53 is the sheer size and utter complexity of the frameworks. Most practitioners simply don’t have the time or capacity to get through them — and if they tried, they could be in the weeds for a long time.

The more important question to consider for anyone wanting to build an ISMS system is where their valuable data is located and how they can put the correct safeguards in place to protect that data. This seems to be the questions that far too few companies are asking! So before you try to stick to a framework, be sure you have a very good high-level understanding on information security risk and its importance to your organization.

third-party vendor risk management program

Suggested Posts

Can Your Vendor Assessments Be More Efficient?

If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...


Do You Have The Right Vendor Management Policies?

If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...


3 Ways To Make Your Vendor Lifecycle More Efficient

During this dynamic and stressful workplace environment 2020 has brought us, finding the most efficient ways to perform in your job has never been more important. When it comes to managing your vendor lifecycle, there are three ways you...


Subscribe to get security news and updates in your inbox.