ISMS – Information Security Management System, what’s it mean to you?

Our people have consulted on ISMS development for some time. Recently we’ve had staff certified as PECB ISO/IEC 27001 lead implementers. For many, policy sounds pretty dry. Policy, Standards and Procedure are the stuff someone else usually does, or the stuff we’ve had for years that nobody looks at. You know, flick to the back page, sign and forget kinda thing.

What adds to the yawn factor about policy is that it is far from simple. It’s usually as complex as the business that created it, or worse, it was created by someone who was the last person in the room and just got tasked with it.

Tick the Box, we’re done

This results in “tick the box” thinking. Tick the box thinking is people just trawling through to get it done, with little regard for the quality of the outcome, or the value that the work provides to the business. It’s a bit like the “busy work” we got given as kids in school, where the outcome was to raise your hand and say gleefully “I’m done”. The result is the same: we all go home quite happy with ourselves that we got through the day and that now we get to go and play Atari.

We love complexity

What’s worse is that we don’t like simple in IT, we like complex. Take the 27001 certification process below. Now having done the training, I can tell you that it’s pretty good stuff; it’s complete and it’s useful. I can also tell you that before the training there were things in my understanding that were completely wrong.

What it isn’t, is simple.

Throw the last person standing at this and what you get is a 300 page information security policy that nobody will ever read again, but we all get to go home and play Atari (more on this later)…

Powerful Tool vs. Tick the Box

Take this example, where in 2014, Brian, of Baton Rouge, Louisiana, USA had his employment terminated. Brian took offence to his termination and, due to some process failures at his place of work, he took it upon himself to use his still active VPN credentials to “tweak” the paper processing control systems and cause US$1M in damages. Brian was caught and is currently in prison. He also has to pay back all of the cash somehow. You can read more about this breach here.

Of most interest here is that, given the size of this business, it is quite likely that they had a person in a security role, and also likely that they had some sort of ISMS.

The example above illustrates a common problem we see, an HR process not aligned to the IT process, and it is usually indicative of a wider problem:

  • We regularly see a missing link between the management of business risk and IT risk
  • Quite often they are one and the same, especially in businesses where dependence on technology is high
  • IT risk is usually delegated to the IT manager
  • The IT manager is rarely the data owner and should never be the risk owner
  • The actual risk owner is usually blissfully unaware
  • IT risk management is usually qualitative not quantitative, due to the absence of impact analysis
  • This results in “doing what we think is best”
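As an added illustration of the HR/IT gap above (example code written for this page, not from the original post or from Iocane): a small reconciliation check that compares an HR leaver list against a VPN account export and flags leavers whose account is still enabled, or was used after their termination date. The data, user names and field names are constructed; a real run would read the HR system and VPN gateway exports instead.

```python
from datetime import date, datetime, timedelta

# Constructed sample data, not from the original post: an HR leaver list and a
# VPN account export with last-login timestamps (field names are assumptions).
HR_LEAVERS = [
    {"user": "bsmith", "terminated": "2014-03-01"},
    {"user": "jdoe", "terminated": "2014-03-10"},
]
VPN_ACCOUNTS = [
    {"user": "bsmith", "enabled": True, "last_login": "2014-03-05T22:14:00"},
    {"user": "jdoe", "enabled": False, "last_login": "2014-03-09T08:00:00"},
    {"user": "akhan", "enabled": True, "last_login": "2014-03-11T09:30:00"},
]


def reconcile(leavers, accounts, grace_days=0):
    """Return (user, finding) tuples for leavers whose VPN account is still
    enabled, or was used after termination plus the revocation grace period."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for leaver in leavers:
        acct = by_user.get(leaver["user"])
        if acct is None:  # no VPN account, nothing to revoke
            continue
        deadline = date.fromisoformat(leaver["terminated"]) + timedelta(days=grace_days)
        if acct["enabled"]:
            findings.append((leaver["user"], "vpn_still_enabled"))
        last_login = datetime.fromisoformat(acct["last_login"]).date()
        if last_login > deadline:
            findings.append((leaver["user"], "vpn_login_after_termination"))
    return findings


def evidence_record(leavers, accounts, run_date):
    """Summarise one run so it can be kept as 'check' phase evidence."""
    findings = reconcile(leavers, accounts)
    return {
        "control": "leaver VPN access revoked",
        "run_date": run_date,
        "leavers_checked": len(leavers),
        "findings": findings,
        "effective": not findings,
    }


if __name__ == "__main__":
    for user, issue in reconcile(HR_LEAVERS, VPN_ACCOUNTS):
        print(f"{user}: {issue}")
```

Keeping the `evidence_record` output from each scheduled run is the kind of log the “say what you do, do what you say” principle asks for: proof the leaver control actually runs, not just a paragraph saying it should.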

But we have an Information Security Policy…

Many do; they are monolithic 300 page documents which nobody ever reads. So why do we have them? Well, mostly it’s because someone thought it was a good idea, or there was a task assigned based on an audit, or, the worst of all scenarios, we just needed to tick the box, all done, and what’s next, you guessed it…

It’s all in the application

Like everything in IT, the success of a security management program is measured by how you use it, not by which framework you choose. So, while we like ISO 27001 for many good reasons, if you don’t need to get certified, you can cherry pick the good stuff where it suits your business to great effect.

Here’s where we start.

Say what you do, do what you say.

I have to credit Paras Shah of Vital Interconnects for this one. It is elegantly simple, yet very powerful.

If you define a process, and don’t actually follow it regularly, or have any logs or other evidence that you are actually using it, then it is essentially worthless to your business. It is busy work which delivers no outcome other than box ticking.

Cap your ISP size (The other ISP).

Some of the biggest organisations have an Information Security Policy (ISP) that is 3 pages. If yours is more than 10-15 pages, you are already in the ‘turn the page, sign and forget’ realm.

Make Risk Management a Primary objective

Leverage ISO 31000 and ISO/IEC 27005 where it makes sense to do so; align your IT Risk Management activities to your business Risk Management process and bridge the gap.

Start small, don’t eat the elephant

  • Define a Statement of Applicability (SOA)
  • Describe the context
  • Build a framework
  • Leave stubs for gaps

Collect what you already have

  • Existing IT processes
  • HR processes
  • Other holdings

Don’t forget the check and act phases!

The ISO/IEC 27001 standard defines four stages aligned to the plan, do, check, act (PDCA) approach. These are:

  • Plan ISMS
  • Implement and operate the ISMS
  • Measure effectiveness of the ISMS
  • Maintain and improve the ISMS

If you aren’t measuring the effectiveness of your ISMS, no matter how large or small, then you are creeping back into the danger zone of it becoming irrelevant and unused. Think of it as a living organism, constantly reviewed, renewed and evolved.

If you have got this far and you’d like to talk more about this stuff, including how it can empower your business as an enabler, reach out to us at Iocane.