How do information security management systems actually work?

In the RSM research, 87% of respondents reported that using ISO/IEC 27001 and its partner standard ISO/IEC 27002 (the code of practice supporting ISO/IEC 27001) had a positive or very positive impact on their organisation. Some of the key results they had achieved included: an increase in the quality control of information security processes and procedures, a reduction in risk, and an increase in both internal and external customer satisfaction. Respondents whose organisation had certified to ISO/IEC 27001 were generally twice as likely to report benefits as those who had not. External customer satisfaction, competitive advantage and an increased ability to respond to tenders were flagged as key additional benefits of certification. What was most noticeable was the hugely increased ability of certified organisations to measure and monitor activities and impacts (e.g. the number of security incidents). Very few certified organisations gave 'unknown' responses, whereas among those who had barely commenced implementation the majority gave 'unknown' responses. In the majority of cases where organisations had used a top-down approach to implementation, respondents reported that success was highly dependent on active, visible senior management buy-in. The choice of individual to actually do the implementation varied from one organisation to the next, but where a choice was possible (in a sufficiently sized organisation) a manager within the IT department was favoured.

How can using these best practice standards help organisations save money?

One of the early steps in implementing the ISMS is to conduct a risk assessment (RA). The RA allows an organisation to identify where it believes its biggest risks lie, and allows senior management to agree a particular appetite for risk when managing the outputs of the RA. For each identified risk an organisation can choose to accept it, mitigate it, avoid (neutralise) it or transfer it. How a risk is managed should always take into account both the impact and the likelihood of the event occurring. Of course there will always be a financial threshold: the cost of treating a risk should be proportionate to the loss it prevents.

What about those all-important human factors?

Embedding information security as part of business as usual, and conducting training and awareness amongst staff at all levels, are both key to success. Leading by example is important, as is maintaining the momentum after the initial rush. The basics are often the most effective: a tidy desk policy, effective password use (including minimising the number of passwords staff are required to remember), entry security and a requirement to display identification at all times. Internal games and competitions can be used to enthuse and engage staff. As a demonstration of the success of the ISMS, in the RSM research 60% of respondents reported that awareness of information security in their organisation was now high or very high. This figure rose to 75% within certified organisations.

“Threats are categorised as technological or human and can be internal or external”

Summary

In summary, when you consider the research and the expert views, the biggest area of information security weakness in any organisation is its employees, and most importantly their attitude and awareness. Taking simple steps to raise awareness and drive a culture of information security throughout the organisation does reduce the number of incidents. Conducting a thorough risk assessment permits the careful targeting of spend in the most appropriate direction, rather than responding to gut instinct or the pet passions of management. Implementing an ISMS such as that described in the international standard ISO/IEC 27001 does provide a framework for success.

If you wish to see a full summary of the RSM report referred to in this article, please email Lorraine.King@BSIGroup.com

Impact • September/October 2011 | 13

