Lately several clients have asked my opinion on how well their information security management system (ISMS) stacks up against industry peers.
That’s an important consideration, because the more you know about the state of your security controls the better you can address industry-specific compliance mandates, make ongoing security investments, position your business competitively, and so on. The ISO 27001 standard itself has put greater emphasis on measuring and evaluating the effectiveness of your ISMS in Clause 9. Indeed, the ability to benchmark your ISMS against an international standard is one of the many advantages of ISO 27001 certification.
But it’s also hard to make “apples to apples” comparisons across different ISMSs, because each organization has its own mix of preventive focus, compliance/governance demands, and risk perception/tolerance. This is why ISO 27001 states that organizations need to measure their processes and controls… but it doesn’t specify exactly what to measure. Each business is meant to define its own critical success factors or measurement goals as part of aligning its ISMS with the business strategy.
That said, there are a few “foundational” areas that determine whether an ISMS has a shot at being robust. If you can’t answer an unqualified “Yes” to the following three questions, your ISMS is unlikely to be a front-runner:
One: Is upper management involved in current ISMS efforts?
Without the positive influence and support of senior management, it’s extremely difficult to develop a security culture. Thus the ISMS is likely to be an afterthought, exist mostly on paper, or not map well to risks or business goals.
This is why ISO 27001 states specifically that “top management shall demonstrate leadership and commitment with respect to the information security management system…”
Two: Do you have security controls, procedures and recovery plans in place for all your critical business functions?
If controls and procedures aren’t tied to business operations, there’s little hope that security will protect the systems that really matter. This can lead to information security investments that don’t directly mitigate critical risks. It can also lead to vulnerabilities that aren’t recognized or are ignored until an incident occurs.
Three: Does your company have a framework to control implementation and operation of information security?
In other words, do you have a system of continuous improvement in place for your ISMS that is driven by policy, standardized procedures and the needs of the business? ISO 27001 is an example of an information security framework, as are COBIT 5 and the NIST Cybersecurity Framework.
Even with genuine executive support, robust controls and appropriate policies, it is challenging for many organizations to find the expertise and focus in-house to achieve information security excellence. A trusted partner can help you strategize around what standard(s) to align with, what controls to implement, how to manage those controls, and how to measure success going forward.
Contact Pivot Point Security to talk over anything from gap assessment to ISMS scope to ISO 27001 compliance.
For more information on self-assessment of your ISMS:
- The Information Security Management Benchmark (ISM-Benchmark), a web-based self-assessment tool to gauge the maturity and effectiveness of your company’s ISMS
- More on the ISM-Benchmark
- The Center for Internet Security (CIS) Benchmark to Support an Information Security Management System—guidance for teams looking to develop Info Sec standards
- Guidance on benchmarking your ISMS against the ISO 27002 code of practice