First, what is an ISMS?
An information security management system (ISMS) is a systematic approach to managing confidential or sensitive company information so that it remains secure (that is, it stays confidential, uncorrupted and available). It encompasses people, processes and IT systems.
Is there a standard approach?
The approach recommended by the British Standards Institution (BSI) and other certification bodies is to align your ISMS to ISO 27001, the internationally recognised cyber security standard.
What is absolutely essential is to use suitably competent and trained personnel to implement and manage your ISMS – either consultants or internal staff with appropriate levels of training.
What steps should you take?
- Read up on best-practice guidance. (Take a look at Nine Steps to Success – An ISO 27001 Implementation Overview)
- Get board commitment. (Read how in Selling Information Security to the Board – A Primer)
- Assemble your team, and identify your objectives and the scope of the ISMS. (Train your team with industry-recognised training)
- Identify the controls required for your contractual, business and regulatory purposes.
- Conduct a risk assessment to identify any additional controls necessary. (Make things easier with vsRisk Standalone – Basic)
- Generate a Statement of Applicability and risk treatment plan.
- Draft policies and procedures as required by the selected controls. (Save time with pre-written documentation found in ISO 27001 ISMS Documentation Toolkit)
- Train and educate staff. (Use Information Security Staff Awareness E-Learning Courses)
- Implement the ISMS.
- Monitor, review, check and audit – ensuring the ISMS works as planned.
How long will it take?
For a mid-sized organisation, using the tried and tested approach outlined above, certification could be achieved in 4 to 8 months. But this depends on many factors, including:
- the size and complexity of the organisation;
- the level of management commitment to the project;
- the organisation’s underlying preparedness;
- the organisation’s current security posture;
- the level of expertise deployed in the project;
- the organisation’s existing quality management culture.
Challenges you may face
One of the biggest challenges companies face when they implement an ISMS is performing the risk assessment and creating the documentation.
Creating the documentation alone can take in the region of 12 months, since every policy and procedure must be researched, created and written.
To speed up the process, take a look at the No 3 Comprehensive ISO 27001 ISMS Documentation Toolkit, which includes:
- Official ISO 27000 standards
- Industry-leading implementation guidance
- Pre-written documentation
- Expert risk assessment software