5 Key steps for implementation of your ISMS

By Carlos Villamizar R – Colombia Operations director GlobalSUITE®

For implementation of an Information Security Management System, ISO 27001: 2013 standard establishes requirements that an organization must meet for definition, implementation, review and continuous improvement of information security. This seeks appropriately protect information against threats that may affect its Confidentiality, Integrity and / or Availability. In this context, information is understood as any organized set of data held by an entity that has value for it, regardless of how it is stored or transmitted (written, in pictures, orally, printed on paper, stored electronically , projected, sent by mail, fax or e-mail, transmitted in conversations, etc.), from its origin (from the organization itself or from external sources) or from the date of elaboration.

According to last available statistics from available inInternational Organization for Standardization (ISO)at the end of 2017, 39.501 companies worldwide had been certified in ISO27001:2013.

Top 10 countries with highest number of certified companies in ISO 27001 are led by Japan, followed by China and United Kingdom.

Source: Isotc.iso.org

Globally, Colombia ranked 35th place in 2017 (it fell from 29th position in 2016) with 148 certified companies, being the third LATAM country in general ranking (surpassed only by Mexico and Brazil). Following table lists Top 10 countries with certified companies in LATAM: The following table lists the Top 10 countries with LATAM-certified companies:

In accordance with experience gained in the last 12 years in hundreds of projects of definition and implementation of ISMS in Latin America and Spain (some of them with final objective of certification), we have identified 5 basic aspects for successful completion of these initiatives:

1. Commitment of senior management. For initiative deliver expected results, support and participation of the company’s Senior Management is required. Without their real formal support, it is almost impossible to successfully develop initiative and demonstrate achievement of compliance in the ISMS implementation. Those initiatives that come from operational and / or tactical sectors and do not have support of Senior Management are more likely to fail.

2. Each company is a different world. Every company is a particular world, whether they belong to the same economic sector or to the same business group. Each has its own particular control environment, a particular risk appetite, and different information security risks. What is good for one company may not be good for another. Copying as it is from one company to another is NOT appropriate. An understanding of the particular security and risk management requirements of each organization should then be considered.

3. Appropriate definition of the Scope. Is important to define theISMS scope. The effort to implement ISMS is not the same when defining in its scope ALL processes of the organization, in a scope that includes only 1 or 2 mission processes. In this sense it is better to start with few processes and gradually increase the scope of the SGSI as it becomes more mature in information security.

4. Controls are not everything It is a mistake to believe that the implementation of the security controls included in Annex A of standard is “the whole”, without considering key elements of an ISMS such as, for example, Information security objectives, Statement of applicability (SOA), security metrics and indicators to assess performance, documented information, internal audit procedures, non-conformities, corrective actions, etc., and of course raising awareness of company’s human resources through various means: posters, banners, screen protectors, videos, trivia, games, plays, etc.

5. Automate ISMS Traditionally these initiatives are executed with support of office automation tools. Undoubtedly, use of a sotfware GlobalSuite® Information Security has been a critical success factor in obtaining certification from our clients as it has reduced the duration of the consultancy by at least 25% (especially in the activities of inventory of assets, risk management and establishment of metrics and indicators), has allowed client to become directly involved in use of the tool, keeping all records and documents of ISMS in a single information repository and, above all, it has allowed to give self-sustainability to ISMS without direct dependence towards consulting team, since we have jointly built it. In this sense, GlobalSuite® covers the entire PHVA cycle of the ISO 27001 standard and allows the improvement and sustainability by the client of its ISMS.