Most businesses will need to set up an ISMS sooner or later, whether to meet regulatory or customer requirements, or to safeguard their own assets and business success. Sitting back once it is in place is a mistake: after the implementation of the ISMS, the real security work begins for everyone in the company.
A procedure according to BSI IT-Grundschutz (basic protection) or ISO 27001 ff. is useful when introducing an ISMS. However, it is in the nature of such standard procedures that they can have exactly the opposite effect on information security, even when implemented properly. Three observations that give pause for thought:
With a structured ISMS, information security is given a home in the company concerned. When introducing an ISMS, the principle applies that all employees take on tasks and responsibilities in the field of information security. In addition, roles such as the CISO (Chief Information Security Officer) and others responsible for organizing security are defined.
This can be received in different ways. At best, employees are proud to work securely because the IT security department has everything under control. In the worst case, the security colleagues are seen as obstacles whose requirements, from the user's point of view, get in the way of workflows and processes.
The first day of work usually means that every newcomer to the company reads through a briefing on IT security and data protection and then dutifully confirms, with a check mark or a multiple-choice test, that they have read, understood and internalized everything. Many can remember this process; do they also remember the content?
This is symptomatic of many processes in which security must be documented using checklists and documents. The content of the documents is correct and meaningful. It just achieves nothing on paper. It would be better to communicate security requirements with a specific reference to day-to-day work and put them into practice there. Verifiability and certification are often the most important requirements when introducing an ISMS. The saying "what is written down remains" applies, but paper is patient. Has security been established because I ticked off a checklist at the end of the work, even if I had previously worked without regard to security requirements?
Hidden here is the key finding: security and auditability are two fundamentally different things. For greater security, employees must adapt their behavior so that secure work processes and results are achieved. To create auditability, processes must be documented and made traceable.
The latter only works if processes are sufficiently abstracted so that they can be applied everywhere. Without abstraction, you get extensive process descriptions in which the specifications for the concrete everyday situation can no longer be found. It is therefore very important to understand this contradiction. Otherwise you run the risk of merely creating auditability without security.
Not only within the IT department, but across the entire organization, companies and employees should therefore ask themselves the following questions:
- Do I need an ISMS?
- Does it make me more secure, or is it more focused on policy and documentation compliance? Am I okay with this?
- Do all employees in the company know what damage a security incident in their environment would cause?
- How can everyone do their job in such a way that they make a positive contribution to security?
If you ask yourself these questions, you are already on the right track to doing more for your security with an ISMS. (adv)