An Information Security Management System (ISMS) delivers a systematic approach to ensure information security and meaningful data protection across existing and new assets.
This post looks at the 3 phases involved and will help you explain the benefits of an ISMS to those outside the direct security team.
Whether in compliance with ISO27001, or as a general approach to information security, a defined ISMS helps the organisation to better understand its information assets, security vulnerabilities and the evolving risk profile. The concept of management systems is not unique to security. Areas like quality and service management often follow similar approaches.
Without an ISMS, the chances of detecting and recovering from breaches and meeting any third party scrutiny of your security efforts are slim. You may have controls and systems in place, but in the absence of a management system it is difficult to establish or prove their effectiveness.
The ability to detect cyber security attacks and insider threats is becoming more important here in the UK and around the world as services are increasingly outsourced and regulatory pressures grow. Your organisation also can’t ignore expectations regarding the secure collection and use of information, particularly as EU GDPR takes hold. These GDPR posts will help:
Digital services and outsourcing drive the growing digital economy and technology adoption, and are fuelling the rise of technologies such as artificial intelligence, the Internet of Things, Cloud computing and big data.
Outsourcing IT service delivery makes sense for any organisation looking to focus on its core business, improve customer services, achieve commercial advantage, or to ensure that vital public or business service functions are delivered despite budgetary pressures.
Productivity improvements such as remote working, and the potential savings, are welcome. However, the associated increase in data and processing events, and a potential lack of security visibility, all lead to familiar information security challenges at new scales.
Where digital services adoption is promoted by those with productivity as their primary objective, further complexity can arise. This risks information security being left as a secondary consideration and sometimes as a barrier to either scrape over or even avoid. It is a perennial challenge.
Where an ISMS is not applied the chances are that information vulnerabilities will be introduced with new services that cannot be detected or monitored. Point solutions and inconsistent risk decisions mean that security is ineffective, inefficient and inconsistent.
However, where a sound ISMS is established and maintained, it is more likely that new services can be rapidly and securely absorbed alongside existing assets, as well as being operationally successful. Common approaches to risks and controls and the integration of new systems into a wider management framework lead to reduced cost and more conformant service delivery.
As an example, the importance and benefits of vulnerability monitoring are covered in our infographic. Download it and see if you can use the content in your projects:
The ISMS design phase requires the setting of meaningful objectives, identification of assets and solutions to risk. Inaccuracy or cutting corners at this stage will jeopardise any subsequent activity.
For ISMS design, the Plan Do Check Act (PDCA) cycle is the method for continual improvement and business process management that you are most likely to see. PDCA is not exclusively an information security or data protection model; it is just as relevant to product development, project management and “box making” as it is to cyber security.
The elements of PDCA are Plan, Do, Check and Act.
It may sound obvious, but ISMS objectives must include mitigating the risks associated with the collection, retention, access and use of information held within both physical and logical assets. In the initial ISMS enthusiasm, it is easy for ISMS objectives to become confused with wider IT procurement strategies rather than focussing on risk control.
This danger is increased where stakeholders from the wider business (e.g. Information Asset Owners) are engaged in the design phase. It is correct to engage other stakeholders but “mission creep” can add a level of complexity that risks ISMS failure (and hence information or data breaches) further down the line.
For most organisations their ISMS objectives are likely to be focused on meeting regulatory requirements such as:
Information asset identification is about understanding what information is held, where it is and the risks associated with it. Clear indications of information asset purpose(s), operational interest and business ownership should be recorded.
Those assets that directly support operational business should be prioritised over the wealth of other information assets that are likely to exist. Prioritisation that supports business helps others to “buy in” to the ISMS process.
To avoid stakeholders defaulting to just “applications and databases” as assets, consider who within the organisation would be disadvantaged should information (or just the access to it) be lost. Then consider how the same information asset is accessed, used and exchanged.
An information asset register is the easiest way to record your assets. Asset registers can be something of an art and this link is a simple example from the UK Home Office.
Whilst clearly not as exhaustive or detailed as a true asset register (many things are missing including the actual calculation of information risk), this example gives a clear indication of asset ownership, description and purpose.
The objective is to consider the prioritised information assets and any threats that are posed to them. Another objective is to consider control measures to limit the chance of those threats developing into real security incidents and compromise.
Control measure considerations should include all the possibilities of people, process and technology, not forgetting that a simple physical security measure might also reduce risk. ISO27001:2013 specifies 114 controls in 14 groups covering policy, access control and even supplier relationships.
Simple and meaningful risk assessment is key. Care should be taken that the risk assessment methodology and measurement (usually a calculated score or scale) are agreed in advance and applied consistently.
This can be surprisingly challenging to achieve and should not be underestimated. Defining some agreed levels of business impact or financial cost, as well as understanding the regulatory challenges is one side of this – then being able to rate risks in terms of their likelihood is a second dimension.
Another danger is trying to factor “black swans” into risk assessment discussions, becoming overly concerned with threats that are undoubtedly high impact but ultimately unrealistic or highly unlikely.
Examples of “risk assessment over-thinking” include the inevitable consideration of doomsday scenarios such as a terrorist attack on a data centre. What about the potentially more likely but equally damaging scenarios of electrical fire, power failure, or pipes bursting and flooding the building?
In all these cases, it is the “unavailability of the data centre” that needs focus as the consequence to be avoided, rather than the multitude of possible scenarios that might lead to the event in the first place.
Similarly, attackers operated or supported by foreign governments are usually considered highly capable and well-financed adversaries. They are a cause for concern for those working on the ISMS, particularly in the public, finance and CNI sectors.
Any risk assessment discussion or briefing must be tempered with realistic assessment of likelihood. What does the organisation do or possess that would legitimately interest a foreign government? For an intelligence agency, this may very well be the greatest threat. However, a local authority, school or hospital might be at more risk of attack from insiders, organised crime, opportunist thefts or ransomware, so this is where the security efforts should be focused to resolve relevant vulnerabilities.
For those with more extensive information assets, significant risk exposure, or seeking formal compliance with ISO27001, the treatment plan should also include the controls and measures that were considered but not applied. This link takes you to the website of the International Organization for Standardization, who own and manage ISO27001.
This best practice approach helps with ISMS transparency and future proofing when key ISMS personnel move on or audit is required. Controls that were not applied should be included within the “Statement of Applicability” (SoA). The SoA will prove useful when it comes to briefing management as to how the ISMS has been constructed and why controls have been considered but discounted.
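The risk scoring and Statement of Applicability points above, as an added example that is not from the original post: a small Python risk register that fixes the impact and likelihood scales in advance, scores each consequence (e.g. “data centre unavailable”) once rather than every scenario behind it, and records the controls considered but not applied. The scales, rating bands, control names and sample entries are assumptions.

```python
"""Added example, not the original post's material: a minimal ISMS risk
register. Scales, rating bands, asset names, control names and sample
entries are constructed assumptions, not taken from ISO27001."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Agreed in advance (assumed 1-5 scales); score = impact x likelihood.
IMPACT = {"minor": 1, "moderate": 2, "significant": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
RATING_BANDS = [(5, "low"), (12, "medium"), (25, "high")]  # (upper bound, rating)

@dataclass
class Consequence:
    asset: str
    consequence: str          # the event to be avoided, e.g. "data centre unavailable"
    impact: str               # agreed impact label, not free text
    causes: Dict[str, str]    # scenario -> agreed likelihood label

@dataclass
class RiskEntry:
    asset: str
    consequence: str
    score: int
    rating: str
    driving_cause: str        # the scenario whose likelihood set the score

def score_consequence(c: Consequence) -> RiskEntry:
    """Score once per consequence, driven by its most likely cause. A label
    outside the agreed scales raises KeyError, so inconsistent wording fails."""
    cause, level = max(c.causes.items(), key=lambda kv: LIKELIHOOD[kv[1]])
    score = IMPACT[c.impact] * LIKELIHOOD[level]
    rating = next(name for bound, name in RATING_BANDS if score <= bound)
    return RiskEntry(c.asset, c.consequence, score, rating, cause)

def build_register(consequences: List[Consequence], decisions: List[Tuple[str, bool, str]]):
    """Return the register ordered highest risk first, plus the Statement of
    Applicability (SoA) that keeps every control considered, applied or not."""
    register = sorted((score_consequence(c) for c in consequences), key=lambda r: -r.score)
    soa = [{"control": ctl, "applied": applied, "justification": why} for ctl, applied, why in decisions]
    return register, soa

# Constructed sample data mirroring the post's data-centre and insider examples.
DC = Consequence("primary data centre", "data centre unavailable", "major",
                 {"terrorist attack": "rare", "electrical fire": "unlikely",
                  "pipe burst / flooding": "possible", "power failure": "likely"})
DB = Consequence("patient records database", "records disclosed", "severe",
                 {"insider misuse": "possible", "ransomware": "possible", "foreign state attack": "rare"})
DECISIONS = [
    ("UPS, generator and environmental monitoring", True, "treats 'data centre unavailable'"),
    ("blast-resistant perimeter", False, "cause rated rare; cost disproportionate"),
    ("least-privilege review of database roles", True, "treats 'insider misuse'"),
]
```

Discounted controls stay in the SoA with their justification, which is what an auditor or a successor on the ISMS team will ask for.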
This is where the work really begins: the implementation of any process, procedural, physical and technology controls required to mitigate the identified risks. Not every control needs to be technical or expensive, far from it. Do not fall into the trap of thinking that “more money for security equals more security”.
For any control – technology, people or process – work out how to measure its effectiveness and identify the relevant stakeholders and communications. For personnel-based controls, this might include the training department, HR, vetting office, supervisors etc.
If the relevant stakeholders are insufficiently aware of what successful operation should look like or are not bought into the wider ISMS concept, they may be reluctant to participate. This may leave you in the slightly uncomfortable position of having to call on senior influence to effect change and provide direction.
ISMS implementation must be accompanied by general awareness, briefings and sometimes even training. Avoid bombarding users with considerations of ISO27001 or the detail of the organisation’s approach to security, but they do need an appreciation as to the importance of information security and data protection. Personnel should at least be able to recognise and report an information security incident and feel enabled as part of the solution, not the problem.
This “buy in” and understanding is particularly important where vulnerability control requires the removal of permissions from those personnel who no longer (or never did) need them. Managing user privileges is a common and cost-effective control to reduce risk, but it might meet operational resistance.
It’s often necessary to consider and balance the risk of leaving personnel with permissions that they do not need, versus the practicality and efficiency of granting permissions when they do. Ultimately risk owners need to be empowered to decide even where responsibilities are delegated.
In the PDCA cycle this is where the focus moves to “check” and “act”. Maintaining ISMS effectiveness requires security controls that have measurable outputs. Implementing controls with no output, as a “just in case” approach to information security, is often wasteful and expensive.
Taking the information assets, as well as the way that they are hosted (e.g. networks) and accessed (e.g. applications, file shares, databases etc.), ISMS stakeholders should reasonably expect to be able to identify:
ISMS maintenance requires being able to audit activity as a minimum. Better still, being able to monitor assets, access and activities as they occur offers real opportunity to ensure that systems, services, users and data are operating as you expect and as required, and are promptly fixed when they do not.
The likelihood is that the ISMS will have some flaws, certainly initially, and that controls won’t work perfectly when they are first set up. Common constraints include underestimating the implementation time required, flawed assumptions regarding the strength or effectiveness of technical controls, or resistance from users or managers to adoption or embedding.
However, once a workable and implemented set of controls has been achieved, monitoring, measurability and visibility are critical as they provide the necessary evidence to inform change, as well as all-important reporting to stakeholders.
Having the information available to correct faults at the earliest opportunity and limit opportunities for loss is essential, and will help compliance with regulations and standards such as EU GDPR and ISO27001.
Visibility, monitoring and measurement of implemented controls identifies ISMS non-conformities. Check out our infographic and make use of the content in your work:
Nonconformities (areas where the ISMS falls short, or audit findings) can be categorised as either “major” or “minor”. More generally this means that an ISMS control measure is not performing as required or meeting desired standards. These standards can be ones you have set yourself, or ones set by a regulatory body or by a third party (e.g. a data processor from another organisation).
The severity of a nonconformity depends on the wider risk profile and appetite of the organisation and risk owner, and often on the presence of compensating controls. For example, an Information Asset Owner and risk owner may tolerate a few users of a database who have not been formally trained, as long as they are known, are planned to be trained and can be monitored, and there are controls on paper outputs and access etc. This is potentially a minor nonconformity with a short-term risk that can be accepted due to an imminent fix.
Should it be discovered that the same database is routinely accessed by many users who are not trained, that access rights are fairly open, and that no auditing or monitoring is being performed, then depending on the sensitivity of the information assets this is likely to be a major nonconformity that requires addressing. How would the asset and risk owner know if information was being lost, and in what other ways is misuse being prevented?
This post hardly scratches the surface of the phases required for a successful ISMS implementation. Undertaking an ISMS build for the sake of it, or as an attempt to pass a third party check from a partner organisation, accreditor or auditor will often be fairly transparent.
An effective ISMS requires the investment of time, and of people who understand and care about information and its relevance to operational business.
Control measures do not necessarily have to cost money. The review and amendment of existing technical controls or improvement of a business process might be enough to achieve the risk reduction required.
To assist in planning your ISMS, follow these top tips: