What is an ISMS and 9 reasons why you should implement one

At IT Governance we often talk about the benefits of ISO 27001 certification but we don’t always expand on the more immediate benefits associated with implementing an information security management system (ISMS).

Below are nine concise points that explain what an ISMS is and nine reasons why you should implement one.

What is an ISMS?

  1. A centrally managed framework for keeping an organisation’s information safe.
  2. A set of policies, procedures, technical and physical controls to protect the confidentiality, availability and integrity of information.
  3. Either applied to the entire organisation or only a specific area where the information it seeks to protect is segmented (the scope).
  4. Includes not only technical controls but also controls to treat additional, more common risks related to people, resources, assets and processes.
  5. Based on a risk assessment across the organisation that considers internal and external risks. This means all risks are assessed, analysed and evaluated against a set of predetermined criteria before risk treatments (controls) are applied. Controls are applied based on the likelihood and potential impact of the risks.
  6. A framework that helps you make appropriate decisions about the risks that are specific to your business environment.
  7. Dependent on support and involvement from the entire business – not just the IT department – from the cleaner right up to the CEO.
  8. Not an IT function but a business management process.
  9. An ISMS can be certified to the international best-practice information security standard ISO 27001. Achieving accredited certification to the Standard demonstrates to your clients, customers, regulators and stakeholders that your organisation is following information security best practice and your data is sufficiently protected.

Why implement an ISMS?

  1. It helps manage information in all its forms, including digital, paper-based, intellectual property, company secrets, data on devices and in the Cloud, hard copies and personal information.
  2. It helps the company defend itself from technology-based risks and other, more common threats such as poorly informed staff or ineffective procedures.
  3. It reduces costs spent on indiscriminately adding layers of additional technology that might not work, due to the risk assessment and analysis approach.
  4. It constantly adapts to changes both in the environment and inside the organisation to reduce the threat of continually evolving risks.
  5. It makes sure that information security is entrenched in the business, improving the organisational culture and making processes efficient.
  6. It focuses on the integrity and availability of data as well as confidentiality. If the data is available but in a format that is not usable because of a system disruption, then the integrity of that data has been compromised; if the data is protected but inaccessible to those who need to use it as part of their job, then the availability of that data has been compromised.
  7. It protects the availability of information and critical business processes from the effects of major disasters to ensure their timely resumption.
  8. It enables businesses to be significantly more resilient to cyber attacks.
  9. Continual improvement, monitoring, internal audits and corrective actions make sure that the controls remain up to date and work properly.

To find out how to get started with implementing an ISMS aligned to ISO 27001, download our free guide: ISO 27001: The Facts >>>, and read more about implementing ISO 27001 >>>.

Find out how you can get started with an ISO 27001 career by attending an ISO 27001 training course.