The anatomy of effective information security management

With the ever-increasing risks faced by every UK organisation from cyber crime, there is significantly increased pressure on every information security manager to deliver effective security. This manager and their team are expected to plan, implement and monitor suitable measures to protect confidential assets and to mitigate losses in the event of a security breach. They have to do all of this while absolutely ensuring that all members of staff have access to the data and applications they need to perform their daily duties.

From protecting the perimeter to ‘attack from anywhere’

Until about fifteen years ago, it was very likely that an information security manager would have a career based on their technical background, which was usually in network operations, applications or user support. This was related to the dominance of traditional client-server (in-house) architecture and hacking attacks based on the ‘outside (perimeter) to inside’ strategy. This all changed with the widespread adoption of web-based distributed systems that support multiple access points and remote working. Many in the industry now refer to this as the need to protect an organisation from an ‘attack from anywhere’.

Get started on the basics

When contacted by aspiring information security managers about developing their job prospects, we always recommend that they consider studying for the BCS Foundation Certificate in Information Security Management Principles (CISMP). This qualification is recognised across the UK as an essential first rung on the ladder to a successful career. It is also approved by the UK government and the MOD in the CESG Certified Professional training scheme.

The BCS syllabus for Foundation Certificate in Information Security Management Principles (CISMP) defines the minimum requirements for effective management in the following learning objectives:

  • Knowledge of the concepts relating to information security management (confidentiality, integrity, availability, vulnerability, threats, risks, countermeasures).
  • Understanding of current national legislation and regulations which impact upon information security management.
  • Awareness of current national and international standards, frameworks and organisations which facilitate the management of information security.
  • Understanding of the current business and common technical environments in which information security management has to operate.
  • Knowledge of the categorisation, operation and effectiveness of controls of different types and characteristics.

Advice for the more experienced

As a company dedicated to delivering ISO 27001 consultancy and training, we like that BCS has included the objective of “Awareness of current national and international standards, frameworks and organisations”.

ISO/IEC 27001:2013 specifies the requirements for an information security management system (ISMS), and is globally acknowledged as providing a flexible and sophisticated blueprint suitable for organisations of any size and working in any industry sector. The Standard provides a guide for both the beginner and the experienced manager who wants to develop and improve their existing security plan (and possibly their career).

Build your knowledge and skills in information security management

To get started, we recommend that you attend our five-day CISMP classroom training course. We have a 96% pass rate on this course, which is next running in London on 17-21 July. For an education in ISO 27001, the ISO27001 Certified ISMS Foundation and Lead Implementer courses provide an ideal learning pathway.

For more information on information security qualifications, please see our training course portfolio or contact me directly at rfreeman@itgovernance.co.uk