What is an Information Security Management System (ISMS) and Why You Need It?
Information security is the number one priority for any company. Unfortunately, as technology advances, so do hacking tools. In April 2020, over 500,000 Zoom account credentials were found for sale on the dark web, and that is just one example of how easily user data can be leaked. As for the cost of a leak, IBM reports that the average global cost of a data breach is about $3.86 million.
So what can a company do to secure itself against possible threats? The answer is implementing an ISMS.
What is an ISMS?
ISMS stands for Information Security Management System. It is not an off-the-shelf digital product that you can purchase and deploy immediately. Instead, it is a framework of policies and security controls for managing risks and threats, and you need to design these policies yourself. Of course, there are many available specifications and guidelines (ISO 27001 being the best known) that can help you design a solid ISMS.
An ISMS is critical for any organization that works with personal or sensitive data, as it helps secure that data, minimize possible risks, and mitigate internal and external threats. Here is a list of the main benefits that an ISMS brings to an organization:
- Security of data storage and management;
- Better resilience for possible attacks;
- Prevention of risks by identifying and eliminating them in time;
- Timely and effective responses to evolving threats;
- Protection of the CIA triad: confidentiality, integrity, and availability of data.
By now, you are probably wondering how to implement an ISMS. We will answer that question, but first you need to understand whether your company really needs one.
What companies need a formalized ISMS?
It is a common misconception that only IT companies need an ISMS. In fact, any company that processes or controls personal or sensitive data needs to implement a formalized ISMS. This applies to a small startup as much as to a large corporation, and to a non-profit organization as much as to a private company: if any sensitive data is processed, an ISMS is needed.
It is important to understand what sensitive data is. In general, it is the data that should be protected from unauthorized access in order to safeguard an individual or an organization. The most common examples of sensitive data include a phone number, address, health information (electronic health records), credit card numbers, etc. Hence, if your organization works with any kind of such data, you need to implement an ISMS.
ISMS implementation: a checklist
Because an ISMS will be unique to every organization, there is no definitive checklist to follow for implementing it. However, there are certain guidelines that can help you while planning the process.
The PDCA model of ISO 27001
ISO 27001 is an internationally recognized standard on information security that we will review in more detail below. But for now, let’s focus on the ISMS implementation model proposed by it.
PDCA stands for Plan - Do - Check - Act and describes the main actions one has to take to implement an ISMS. Here is an explanation of each step:
- Plan: during this stage, you do all the planning. You identify risks, collect information that might be useful, and define the possible policies and procedures to use to combat these risks.
- Do: the implementation of these policies into your work process.
- Check: after implementing an ISMS, you will need to constantly monitor its effectiveness and see whether any changes are needed.
- Act: this is not so much a stage as a set of actions you will need to take. They include working with documentation, knowledge sharing, feedback collection, and a focus on further (and continuous!) improvement.
This was a very brief explanation of the PDCA model. Now we will have a more detailed look at every step that you’ll have to take for successful ISMS implementation.
Define the goal to achieve
The first step of your planning process should be defining the actual goal that you hope to achieve with the ISMS. Whether it is implementing security policies from scratch or enhancing existing ones, you need a well-defined goal.
Outline resources that need to be involved
Next, you will need to outline all resources that you will need to successfully implement your ISMS. These resources might include people, tech equipment, and finances. For instance, you might need a more powerful and efficient data storage system or you might need to expand your team to properly manage the processes.
Outline everything that needs to be covered
In addition to outlining the needed resources, you will also need to define the scope of the ISMS:
- the business units that need to be covered.
Note that not every business process, unit, or location needs to be covered by an ISMS in order to maintain the security of the organization. Only those that hold sensitive data have to be covered. You will also have to identify the ways in which that data can be accessed and include them in the scope, while leaving out those areas of your organization that do not fall within it.
In addition to the actual implementation, you will also need to educate your employees on the new security policies; this is one of the things that many company owners tend to overlook.
Prepare risk assessment/mitigation policies
The next step is identifying and analyzing the risks and preparing corresponding mitigation policies. Once you have identified, analyzed, and evaluated the possible risks, you can come up with a suitable risk treatment plan. This plan will specify the security controls needed to mitigate the risks and the ways in which staff will learn about these controls and their use.
According to ISO 27001, there are four ways to treat a risk; you can choose one or several of the following for your organization:
- Risk modification: an implemented control reduces the chances of the risk materializing.
- Risk avoidance: you cease the activity that creates the risk. This method is recommended when the risk is too significant to be managed with a control.
- Risk sharing: you delegate management of the risk to a third party, either by outsourcing security efforts or by buying cyber insurance.
- Risk retention: you accept the risk because the cost of treating it is higher than the damage it would cause.
As for security controls, you can refer to ISO 27001. Its Annex A lists 114 controls, split into 14 sections where each section addresses a certain aspect of information security.
Review and document business processes and procedures
Once you have decided on the security controls and proceeded with their implementation, you will need to review them continually and document all procedures and business processes. This is needed to ensure that your controls are effective and that they handle the risks properly. Since information security management is an ongoing process, you will need to document every step you take to evaluate the effectiveness of the measures. And do not forget about internal audits of your ISMS, which should be performed on a regular basis.
Even though an ISMS will be unique to every company, there are frameworks that provide checklists for proper ISMS implementation. The most common and internationally recognized is ISO 27001, though other options are available as well.
ISO 27001 is an international standard for information security, published by the International Organization for Standardization. We have covered ISO standards in detail in a separate article. As for ISO 27001, its main goal is to help organizations manage information security by following a set of recommended procedures and policies. And as mentioned above, any company that works with sensitive data can become ISO-certified, not only IT companies.
The ISO 27001 certification serves as valid proof that the company takes all the necessary precautions and measures to safeguard the data and that it can be trusted by partners and clients.
Other ISMS frameworks
There are a few more reliable ISMS frameworks worth mentioning. The first is ITIL 4 (ITIL stands for Information Technology Infrastructure Library). ITIL 4 is a set of practices for IT activities, but it has an ISM (information security management) component dedicated to securing your organization. In general, ITIL is aimed at helping a company manage its resources as efficiently as possible by providing the necessary guidelines and requirements.
COBIT is another well-structured framework that helps companies better manage their processes and address risks efficiently. There is not much to add here, as both frameworks (ITIL and COBIT) are quite similar to ISO in their approach to information security. The choice will depend on your preferences and business goals.
A big question you might have after implementing the ISMS of your choice is: what's next? The answer is continuous information security management, since an ISMS is a living process that requires constant monitoring and improvement.
Once you have implemented your ISMS, you will have to monitor it, perform regular audits, apply necessary updates, and expand the system as your business grows. We also highly recommend getting certified by ISO or another eligible body, as it will significantly contribute to loyalty and trust from your partners and clients.
Sergey is an enthusiastic QA Engineer with a serious professional background. He is well versed in all existing testing methodologies and operating platforms. Since 2014, Sergey has been leading SoftTeco's QA department.