What does your organization need to do to implement an effective ISMS?
An information security management system (ISMS) is not only a set of documented rules and instructions. It really is a systematic, continuous and long-term process to establish the optimal level of information security based on the unique threats and requirements of the organization. A fully functioning ISMS will be integrated within the key processes of the organization, such as the management processes, procurement, development, IT production and maintenance, HR and finance.
It requires the understanding, commitment and support of the Executive Board, cooperation between professional roles and functions, well defined responsibilities and clarity on reporting requirements.
At the core of information security, you need to identify and classify your information assets and execute a systematic risk assessment and risk ownership. This will guide your execution of the required risk management measures and responsibilities that will provide the protection levels needed for IT system, organization and physical security.
Examples of our work with customers
Veriscan has worked within information security since 1999 and have supported a large number of ISMS implementations in different kinds of organizations, such as central government, county councils and small and large private companies in various industries. There can be a large variety in scope in these projects, from the immature organization entering the domain of information security to an organization that is experienced with an ISMS in operation and with a goal of certification towards ISO/IEC 27001. Many organizations do have an ISMS in place but have a need to update and improve the level of the ISMS protection due to changes in the organization, supplier relationships and external factors. Sometimes we come across ISMS implementations not fit to the real need of the organization, or with vague objectives, with the consequence that it becomes a set of rules and instructions of no limited value to the organization. Here are a few examples of ongoing and finalized ISMS implementation projects;
- A small outsorcing vendor contacted Veriscan a few years ago and asked for support to build an improved set of rules and instructions for information security. We executed a Gap-analysis towards ISO/IEC 27001, a Veriscan Rating Basic, resulting in an action plan to close the gaps identified. Over time the Executive Management saw the marketing advantage in being certified towards ISO/IEC 27001 and decided upon an objective to certify the company. In close collaboration with Veriscan consultants the ISMS implementation was executet with the certification objective in focus. The certification was achieved in 2016. The company use the VeriscanRISK tool for its risk management. Veriscan continuous to support the organization regularely to keep the ISMS system effective and up to date.
- A large global ISO/IEC 27001 certified company asked Veriscan for assistance to improve the risk management processes a few years ago. The objective was to ensure consistency in how the business units around the world worked with risk assessment and risk management, and to clarify the reporting format and process towards the Global HQ. This was a step in the long term and continuous work to consolidate a number of local certifications towards ISO/IEC 27001 into one global certification and we are proud to have been part of this achievement. Veriscan is still active in supporting this company in developing methods, tools and processes as part of the continuous improvement of their ISMS.
- A Central Government is actively working to improve their ISMS since a few years back. The objective is not certification but to meet the requirements from MSB to have an ISMS aligned to ISO/IEC 27001:2013. Senior consultants from Veriscan within organizational security and IT security have supported this client in their work over several years. An ISMS is implemented and Veriscan assists in information classification and risk analysis/assessments. The VeriscanRISK tool is used by this client within risk assessment and management.
These are just a few examples of the clients we have worked with and continuous to support regularly with ISMS improvement work. In most cases Veriscan becomes a long-term information security partner, as an advisor or for specific tasks such as internal audits, preparation for certification, develop information security guidelines and education or to execute measurements of the performance of the clients ISMS (Veriscan Rating).
How can Veriscan support you?
Based on ISO/IEC 27001 and other relevant ISO-standards, your unique situation and your internal and external requirements, we can support you in developing rules, instructions and processes covering roles, responsibilities, information classification and relevant security protection levels. We can provide you with project management for ISMS implementation or provide assistance your assigned project manager with competence and experience to handle the questions and challenges surfacing during the project.
Using our Veriscan tools for information classification and risk management, Veriscan vIC and VeriscanRISK, we support you in assessment, risk measure decisions and the development of methods as well as in executing workshops and education within your organization. We can also support you in developing processes and requirements on risk protection levels for information towards your information asset owners. If you already have your own tools implemented, we will of course work with them. Throughout the projects you will often find use for different methods and tools to secure the success of the project. A few examples on this;
- Execution of a Gap-analysis towards ISO/IEC 27001 incl. Appendix A, using the method Veriscan Rating Basic, resulting in an action plan
- A workshop based on risk scenarios to build an understanding and support from the Executive Management on why the organization needs to develop their information security capability
- Develop education packages to different user groups and the execution of education sessions for employees, information owners, system owners, IT, and Management.
- Develop and execute a test-run of the Management review to establish the process and format for future reviews.
Our ambition is to support your organization to become self-sufficient and build your competence in developing and implementing an ISMS that is adapted to your organization.
For more information please contact Veriscan.