No security without a system (why ISMS)
Many organizations tend to consider cybersecurity something which is basically a written (and mostly static) set of policies, standards and guidelines. What else could it be?
Sure, you already know there is much more that's going on, but could you explain to your management what it is?
Managing cybersecurity has never been more complex than today, with borderless, multi-device, cloud-syncing, always-on computing and AI. Any complex undertaking like this requires a systems approach and, consequently, some form of systems management.
Information Security Management System (ISMS) (or Cyber Security Management System, if you wish) is an example of this approach to security.
And while sets of policies and risk assessment methods should be part of any cybersecurity management practice, they cannot replace a well-run ISMS.
By ISMS we don't mean a spreadsheet file stored somewhere on the security manager's computer. We mean a real "information system".
In the best possible scenario it should be a live, multi-user service containing not only security documents (exported to intranets for public read) and risks (in a risk register) but also all the relevant security controls implemented to manage those risks.
The ISMS approach provides more real, practical security than any risk assessment or any set of documents regardless of how beautifully they are written.
Explanation for the management
- a living ISMS is a dynamic, real-time reflection of your organization's security posture over a period of time, because security is a process, a never-ending project where we need to know where we stand and why,
- ISMS is there not to impress auditors or regulators but to give us direction, which it will, assuming we use it daily like our knowledge base,
- remember, ISMS is a good idea even if we do not plan to be certified (e.g. ISO 27001),
- the goal of a management system (like ISO 27001, NIST CSF) is not a perfect security record (which is impossible anyway) - but to "have a transparent system for managing security" - this is what is confirmed by auditors (not "you are safe now"),
- ISMS allows us to unify the top-down and bottom-up views of security:
  - top-down: management sees metrics and performance,
  - bottom-up: control owners, who can actually "make it happen", always know what is expected of them,
- ISMS provides tools for measuring performance (KPIs), setting priorities and comparing the existence of the measures taken (effective) against their effectiveness (efficient),
- ISMS produces outputs for investment/budget decisions (into people, processes, technologies),
- ISMS immensely simplifies independent internal and external audits.
