In our increasingly regulated environment, an effective information security management framework hinges on both security and compliance. Most businesses align their strategy to a specific standard such as ISO 27001, the NIST Framework or ASD-ISM. While this is the first step to more effective protection, it’s also infeasible for most businesses to establish a compliant framework on their own.
For one, implementing an information security framework to fulfil the requirements of any standard typically requires impractical levels of effort and time. Moreover, gaining the highest standard of data protection usually involves certified resources that most businesses struggle to obtain. Ultimately, a clear, comprehensive and compliant framework comes down to qualified expertise.
Considering this, it’s no wonder that lost business accounts for the largest share of breach costs, with reputation damage, diminished goodwill and customer losses sitting at an average total of $1.59M.
Below are some of the most common best practices and standards we help clients establish and maintain their frameworks around.
The ISO/IEC 27001 series is a widely known family of standards that helps keep your organisational assets safe. More specifically, ISO/IEC 27001:2013 “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation.” One of the key focuses – and moreover, advantages – of this standard is its emphasis on integrating security management from the top down.
The NIST (National Institute of Standards and Technology) Framework is often seen as a common language providing SMEs with consistent, clear and concise resources for managing and reducing cyber risk. In short, it is based on five key functions:
As with other ISO 27000 standards, ISO 27001:2013 follows the Plan-Do-Check-Act (PDCA) model outlined below. In order to address any identified deficiencies and improve your organisation’s information security maturity, Content Security will consult the PDCA model during the development of your framework.
First, our team works to determine and evaluate the level of leadership support and commitment to information security within the organisation. From there, we’re better placed to formalise your information security risk management process and ensure it is well communicated and aligned with your unique business risk profile. Then, we evaluate whether information security controls are documented, kept up to date, and continuously monitored and improved upon. Finally, we ensure the security policies and standards are formalised, reflect the environment, and are communicated to the relevant employees.
This first stage involves identifying business objectives, reviewing management support, selecting the proper implementation scope and defining the assessment methodology. All of this is in service of delivering a successful, compliant result in accordance with your organisation’s overall information security goals.
The second phase involves developing and applying an in-depth risk treatment plan. Ultimately, this is focused on putting the necessary policies and procedures in place to manage risks. Moreover, this stage focuses on allocating training resources to fill any knowledge gaps for staff.
After the ‘implement and operate’ stage, we’re able to monitor the information security management framework implementation and prepare for a final audit review. We measure the ISMS process performance, comparing it to your established policy and objectives and reporting the results to your management team for review.
Maintaining your framework requires proactivity. In short, it involves taking corrective and preventative actions to uphold and enhance your protection. These actions are often based on the results of an internal ISMS audit and management review. Ultimately, this phase will help you continually improve your organisation’s ISMS.