July 11, 2019

Last Updated on January 4, 2024

For organizations moving to reduce information security risk, an effective information security management committee (ISMC) is essential to drive security strategy, eliminate redundant security effort and spending, get a grip on complex infrastructure issues, and create a stronger security culture.

This post shares five tips to help make your ISMC more successful.


Tip 1: Make your ISMC as big as it needs to be.

Information Security Management Committees (ISMCs) vary in size and makeup across organizations. Your ISMC may be as big as twelve people or as small as two.


As a best practice, you should bring not just IT people but also finance/accounting, HR, operations, and possibly legal, internal audit and other disciplines to the table. The more diverse your stakeholder representation, the better feedback and input you’ll get, and the easier it will be to integrate information security into lines of business.

Some businesses want to keep their ISMC confined to IT. You may hear things like “We don’t want to bother the business teams… They don’t have the bandwidth…” But most of the time it’s really about IT angling to control the scope and strategy of the evolving information security program.

It’s okay to start with an all-IT core committee for something like defining the initial scope of an ISO 27001 certification effort. But that should be temporary. To holistically address risk, your information security program can’t live within just one area of the company.

For example, most likely your marketing team is dealing with data privacy challenges around GDPR or CCPA that you can help to address through the ISMC. Bringing in the VP/Director of Marketing as a stakeholder in the ISMC is often mutually beneficial.


Tip 2: Meet at least quarterly.

To review and address the various aspects of your information security program, the ISMC should meet at least quarterly. For example, risk assessments and risk treatment plans require quarterly review to maintain an ISO 27001 certification.

Another reason to meet quarterly is that the ISMC provides key input to your C-suite and board, who will be looking to ensure the vision and objectives of your program are on track and aligned with business goals.

You’ll also need to review some metrics on a quarterly basis; others can be reviewed semiannually or annually. Information security policy and procedure review, for instance, can usually be done annually, ideally at the same time each year.


Tip 3: Spread responsibilities around the committee.

For resiliency if not sanity, it makes sense to distribute core responsibilities across your ISMC. That way if a key committee member leaves the organization, all the knowledge regarding your information security management system (ISMS) or program doesn’t leave with them.

Whatever the size of your committee, you always want to establish a chair or lead. Often this is the CIO, CISO, or IT director. This person shouldn’t be responsible for completing every task. But they should at least be accountable to facilitate the meeting and to present key findings to senior management.


Tip 4: Make sure ISMC members are engaged.

How do you know if your ISMC members are engaged? Here are some ways:

  • They’re looking to make positive changes.
  • They’re relaying useful input from their area of the business.
  • They’re identifying context/scope issues related to your information security program.

Members that are less motivated may just be “phoning it in” and may see the ISMC as merely a check box for regulatory compliance or a certification. Don’t let this view predominate on your committee.


Tip 5: Communication is number one.

The number one ISMC success factor is communication. You must ensure that what you agree is critical to accomplish for your information security program is understood and is being accomplished. That is, you are setting goals and hitting them.

Having a strategy for communicating with the rest of the company will help drive buy-in on initiatives and supports a security culture. One best-practice communication strategy is a quarterly newsletter. This helps keep security top-of-mind and helps reduce risk by keeping employees aware of new threats, such as the latest phishing attacks.


What’s next?

An effective ISMC doesn’t make an organization secure all by itself. But it gives you an important tool to help you improve security and reduce risk.

Is your business ready to take its information security posture to the next level, and/or to pursue alignment with ISO 27001 or a similar current framework? To talk over your goals and strategize next steps, contact Pivot Point Security.
