For anyone starting a journey to getting the ISO27001 certification for their business, the amount of learning required can seem pretty daunting.
One of the most frequently misunderstood parts of ISO27001 is the requirement for an Information Security Management System (an ISMS).
The use of the word "system" here leads many to believe that an ISMS is a technology solution - and that has led to a whole industry providing cloud-based solutions (ironically, many of which are not themselves ISO27001 certified).
What is a system?
We need to start by recognising that a "system" is simply a defined way of doing something. You have systems everywhere and work with them every day. Think about how you make a cup of coffee (or tea!). Depending on your method, loosely speaking you:
- Fill the kettle
- Boil the kettle
- Scoop in the coffee
- Pour on the water
- Add the milk
Now imagine we tightened up this "system" to guarantee the same results like this:
- Fill the kettle with 200ml water at 5°C
- Boil the kettle
- Scoop in 10g of [preferred brand] of coffee
- Wait until the water temperature has dropped to 85°C
- Pour on 180ml water
- Add 20ml milk at 4°C
What's the point?
ISO27001 is all about reducing risk where we can, and managing residual risk. One way to manage residual risk is to make sure, where possible, we can guarantee an outcome.
In systemising, we improve the chances that we will get consistent results each time we do something.
Therefore an ISMS is...?
An Information Security Management System is therefore a defined way of managing information security within your business - that's it.
It doesn't have to be a technology system - although that might be helpful.
You essentially need to develop a way (system) for keeping track of what you do to manage risk. This will include things like:
- What you have
- What needs to be done
- When it needs to be done
- Who is going to do it
- How it's going to be done
- When it was done
- Any discoveries when doing it
- When it's going to be reviewed
...and a bunch of other stuff.
Don't leave me hanging
We'd love to tell you exactly what should go into your ISMS - but honestly, it will be different in every setting, because it's about how you, your business, will manage risk.
We would, of course, be very happy to help you with your ISO27001 project - why not give us a call on: 01530 637 833
Thanks for reading - if you found this helpful, please consider sharing it!