As the threat of a potentially devastating data breach continues to grow, and with the deadline for GDPR enforcement looming, companies are focusing more intently on how they secure their data. At the heart of any serious effort should be an Information Security Management System (ISMS): a system of processes, documents, technology and people that helps to manage, monitor, audit and improve your organization's information security. It lets you manage all your security practices in one place, consistently and cost-effectively.
An ISO 27001-compliant ISMS relies on regular risk assessments, so you will be able to identify and treat security threats according to your organization’s risk appetite and tolerance.
The current version of the ISO 27001 standard places emphasis on measuring the effectiveness of the ISMS, making it easier to operationalize and helping to build a better business case for management.
The five ISMS processes that must be measured in order to maintain an effective ISMS are:
- IT and business alignment
  - Are the information security strategy and IT services bringing value to the business?
  - Is management committed to providing continuous input to the information security strategy and IT services?
- Information security risk management process
  - Are the IT processes addressing all relevant business risks?
  - Does the business feel that its risk input is being covered?
  - Is the risk management process being carried out in a structured manner?
- Compliance processes
  - Are we sufficiently compliant with our information security, privacy, governance and related obligations?
  - Are the costs of achieving and maintaining compliance lower than the business benefits (not just avoided penalties, but the brand value of being seen to do the right thing)?
  - Are we successfully managing the risk of being caught out, for example through non-compliance incidents, negative compliance assessments, or failing to notice new or changing compliance obligations?
- Awareness process
  - How do we make sure that awareness efforts reach the relevant stakeholders and employees?
  - Have they learned something?
- Audit processes
  - Beyond ensuring that internal audits are performed in a structured manner, we also need to track how the security posture changes over time and how effective the mitigation efforts arising from audit observations have been.
  - Is the spending used to address non-conformities actually reducing the number of non-conformities and security incidents?
  - Audit results should also be reviewed over time so that the audit scope stays correlated with the actual risk posture: high-risk areas are addressed, and areas with few or no critical observations are scoped out.