Information Security

Making It Work!

Safeguarding your organisation’s critical data and ensuring compliance with industry regulations are paramount in today’s digital world.

Essential Eight is a perfect starting point in reviewing and improving your core IT systems and processes. However, to create a truly effective Information Security Management System (ISMS), you need to expand your thinking to include three key elements: governance, risk management, and compliance.

Developing an ISMS is all about standards and regulation, ensuring things are done consistently and are always controlled. It only makes sense then that the path to achieving Information Security compliance follows a defined and consistent process. If you partner with DNG on this journey, here are the steps we’ll follow:

Build Your Team

  • Project Manager: Someone needs to be responsible for implementing your ISMS.
  • Project Sponsor: This may be the same person as the Project Manager in a small organisation, but they need to have the authority to make things happen and to get board/executive buy-in.


Define Your ISMS

  • Goal Definition: What are the objectives of the ISMS? Are you aiming for a specific certification (e.g. SOC2, HIPAA) or aligning with an industry framework (e.g. CIS, GDPR, Essential Eight)? An objective is of no value if you cannot measure an outcome, so how do you measure these objectives to ensure you are moving toward the goal?
  • Risk Appetite: How much uncertainty (risk) is your organisation prepared to take to meet your objectives? The appetite is influenced by the importance of those objectives, while the legislative requirements of the Australian Privacy Principles (APP) will also impact your risk appetite. The risk appetite then becomes the measuring stick when performing the risk management functions – assessment and treatment – outlined below.
  • Document Policies and Procedures: Create clear policies (high-level guidelines) and procedures (the how-to’s) to define expectations and how your ISMS will function.


Implementation

  • Information Inventory: Identify where your sensitive information is stored, including physical and digital files, across all locations, departments, tools and systems, and devices. This allows you to define the scope of the ISMS, or the depth and breadth to which you need to evaluate your risk.
  • Risk Assessment: Evaluate the risks associated with your products or services. Consider your tolerance for these risks (your risk appetite). The Risk Assessment shapes your selection of controls in the next stage.
  • Risk Treatment Plan: This document is an extension of the assessment and outlines how you will treat each of your risks. Types of treatment are to mitigate (prevent), avoid (don’t do the risky action), transfer (use a third party) or accept (cost of treatment is greater than the possible damage). The treatment plan needs a detailed course of action and a responsible person for each risk.
  • Select Controls: Security controls are the actionable tasks that need to happen. These can include monitoring the various pieces of software/technology, scanning for vulnerabilities on a regular basis and ensuring all aspects of your security framework are reviewed on a regular basis. You document all controls in a ‘Statement of Applicability’, indicating which are to be used and providing reasons why others are not to be used.
  • Operational Measures: Implement practices and measures to protect against cyberattack, breaches, disaster events. This includes endpoint security software, firewalls, vulnerability/patch management and staff cybersecurity training.
  • Train Your Team: Everyone has to do their part. Whether it’s a clean desk policy, workstation screen locks or checking visitors in at the front desk, an ISMS will affect everyone … but it shouldn’t be complicated!
  • Continuous Effort: Information Security is an ongoing initiative that must be led by a key program manager within your organisation. This is not a one-off, set and forget process.


Prove Compliance

  • Monitor: Continuously monitor controls and log events and any required treatments.
  • Review: Always be looking for ways to improve your ISMS. Review implementation of controls at an operational level. Perform management reviews of risk assessment and treatment plans. Provide your board and executive with regular feedback showing the changes that have occurred throughout the process.
  • Perform Audits: Audits don’t have to be performed by an external party. You can validate compliance through your own routine audits.
