An information security management system (ISMS) is a structured approach to governing and protecting your company’s most critical data and information. Most organizations build one against an established standard, typically ISO/IEC 27001, which is the standard an ISMS can be formally certified against, or a control catalog such as NIST SP 800-53, which has no certification scheme of its own but is widely used to select and assess controls. Integrating an ISMS into your organization can be fraught with issues and complexities, though. Below, we’ve outlined five issues you should avoid while building out your ISMS.
1. You can’t identify your most critical data. This is the number one issue companies face when they set out to create an information security management system. Companies tend to have a difficult time identifying which data is most critical and why, because doing so requires input from many different areas of the business, not just the security team.
For example, not all critical data lives inside the company’s own systems, so you must also establish where it is held by third parties and who has access to it. What’s more, once this critical information is identified, the company must determine how to build proper controls that reduce or eliminate the risk of that data ending up in the wrong hands.
2. Policies aren’t in place for protecting sensitive information. If you expect your employees to act a particular way with regard to your sensitive information, you must have acceptable-use policies in place that say so. These policies should answer the following questions:
3. Employees aren’t trained in company policies. For your information security management system to work appropriately, you must build a culture of cybersecurity from the top down. Top-level executives must send the right messages about information security in order for other employees to take it seriously — and your internal training processes must go hand-in-hand with that.
4. Technology isn’t implemented for your policies. A policy that nothing enforces is only a statement of intent. For example, if your organization has a strict policy against employees accessing sensitive information over insecure Wi-Fi networks, you need a technical control (such as requiring a VPN or a managed device before the data can be reached) that prevents employees from doing so. You can’t simply trust that all employees will pay attention to the policies you’ve created. Behavioral analytics tools add a detective layer on top of such preventive controls: they flag when an employee is accessing data outside of their normal pattern, which may indicate that either the employee is doing something questionable or their credentials have been compromised.
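The kind of detective control described above can be illustrated with a small per-user baseline check. The following is an added example, not code from the original article or from BitSight; the log format, the users, the resources and the thresholds are all invented for illustration, and the log lines are constructed rather than captured. Each employee’s own history (resources touched, hours of activity, daily download volume) becomes the baseline, and today’s activity is flagged where it departs from it.

```python
"""Toy behavioral-analytics check: flag employee data access that departs from
that employee's own historical baseline. Added example with constructed data;
the log format, users, resources and thresholds are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample logs, "timestamp,user,resource,bytes". Not real data.
BASELINE_LOG = """\
2024-03-04T09:12:00,alice,/hr/payroll,120000
2024-03-04T10:30:00,alice,/hr/benefits,80000
2024-03-05T09:05:00,alice,/hr/payroll,110000
2024-03-05T11:40:00,alice,/hr/benefits,90000
2024-03-06T09:20:00,alice,/hr/payroll,130000
2024-03-06T14:00:00,alice,/hr/benefits,85000
2024-03-04T09:00:00,bob,/eng/repo,5000000
2024-03-05T09:10:00,bob,/eng/repo,4800000
2024-03-06T09:30:00,bob,/eng/repo,5100000
"""

TODAY_LOG = """\
2024-03-07T09:15:00,alice,/hr/payroll,115000
2024-03-07T02:45:00,alice,/finance/m-and-a,900000
2024-03-07T02:50:00,alice,/finance/m-and-a,950000
2024-03-07T09:40:00,bob,/eng/repo,4900000
"""


@dataclass
class Event:
    ts: datetime
    user: str
    resource: str
    nbytes: int


@dataclass
class Baseline:
    resources: set = field(default_factory=set)          # paths the user normally reads
    hours: set = field(default_factory=set)              # hours of day seen in history
    daily_bytes: dict = field(default_factory=lambda: defaultdict(int))  # date -> bytes


def parse_log(text):
    """Parse the constructed CSV-style log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, nbytes = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, resource, int(nbytes)))
    return events


def build_baseline(events):
    """Summarize historical activity per user."""
    baseline = defaultdict(Baseline)
    for e in events:
        b = baseline[e.user]
        b.resources.add(e.resource)
        b.hours.add(e.ts.hour)
        b.daily_bytes[e.ts.date()] += e.nbytes
    return baseline


def detect(baseline, events, sigma=3.0):
    """Return (user, kind, detail) findings for activity outside the baseline."""
    findings, flagged_resources, per_day = [], set(), defaultdict(int)
    for e in events:
        b = baseline.get(e.user)
        if b is None:                      # no history at all: worth a look on its own
            findings.append((e.user, "unknown_user", e.resource))
            continue
        if e.resource not in b.resources and (e.user, e.resource) not in flagged_resources:
            flagged_resources.add((e.user, e.resource))
            findings.append((e.user, "new_resource", e.resource))
        lo, hi = min(b.hours) - 1, max(b.hours) + 1   # one hour of slack each side
        if not lo <= e.ts.hour <= hi:
            findings.append((e.user, "off_hours", e.ts.isoformat()))
        per_day[(e.user, e.ts.date())] += e.nbytes
    # Volume check: today's total vs. mean + sigma * stddev of historical daily totals.
    for (user, day), total in per_day.items():
        totals = list(baseline[user].daily_bytes.values())
        avg = mean(totals)
        spread = pstdev(totals) or 0.1 * avg   # avoid a zero-width band on flat history
        limit = avg + sigma * spread
        if total > limit:
            findings.append((user, "volume", f"{total} bytes on {day} exceeds {limit:.0f}"))
    return findings


if __name__ == "__main__":
    for f in detect(build_baseline(parse_log(BASELINE_LOG)), parse_log(TODAY_LOG)):
        print(f)
```

Run as-is, the check flags only alice: a resource she has never touched, two accesses in the small hours, and a daily volume far above her history; bob’s activity is within his normal band and produces nothing. A real deployment would feed this from an identity provider or file-server audit log and tune the thresholds per population, but the structure (learn each principal’s own normal, alert on departures) is the same.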
5. You can’t limit vendor access to sensitive information. Your third parties need enough access to your data to do their job. But scoping the sensitive data and network access each third party has to exactly what that job requires, and reviewing it regularly, is critical in creating a functional information security management system.
The problem with frameworks like ISO 27001 and NIST SP 800-53 is their sheer size and complexity. Most practitioners simply don’t have the time or capacity to get through them, and if they tried, they could be in the weeds for a long time.
The more important question for anyone wanting to build an ISMS is where their valuable data is located and how they can put the correct safeguards in place to protect it. Far too few companies seem to be asking that question. So before you try to stick to a framework, be sure you have a very good high-level understanding of information security risk and its importance to your organization.
© 2026 BitSight Technologies. All Rights Reserved.