According to the observations of mikado ag, there has recently been increased investment in the development of ISO/IEC 27001-compliant Information Security Management Systems (ISMS). As companies and government agencies are often breaking new ground with such a project, Robert Hellwig, IT security analyst at the consulting firm, has put together a few tried-and-tested recommendations, which are also aimed at a lean implementation:

1. Win an advocate at Executive Board level: A management system for information security can only bear fruit if it receives effective support at all levels of the company. For this reason, a shoulder-to-shoulder alliance with management should be established from the start by actively involving it in the planning of the ISO/IEC 27001 project.

2. Take industry-specific requirements into account: Industry associations are increasingly developing standards for information security; in some cases, as with energy providers, they are also set by legislators. These must be included when aligning the ISMS, unless they are already part of the company's own compliance requirements.

3. Live the ISMS, don't just aim to own a certificate: However important a certificate may be to customers and business partners as proof of information security, little of the actual value lies in the label itself. Rather, the ISMS must be an integral element of the business organisation.

4. Start with a gap analysis: IT security measures are usually already in place, even if in many cases they do not yet meet the ISO/IEC 27001 requirements. It is important to build on them as much as possible to limit the implementation effort for an ISO-compliant Information Security Management System. A gap analysis can determine which established procedures are already in use.

5. Avoid unrealistic project timelines: Challenging targets are a matter of course, but they become counter-productive when the scale of implementation is over-ambitious. Conversely, commitment may be lost if project execution is too slow. A great deal of attention must therefore be paid to the balance between ambitious goals and what is feasible in the planned timeframe.

6. Use lean implementation methods: The level of implementation and administrative overhead contributes significantly to the acceptance of an ISO/IEC 27001-based ISMS at management level. For this reason alone, resource- and cost-saving lean methods should be used, without, however, compromising on the quality objectives.

7. Beware of an over-complex security policy: The standard elements of a security policy that ISO requires for the ISMS must be included. In practice, however, the policy sometimes runs to many dozens of pages, which is not practical. The greater the complexity, the lower the willingness to be guided by it.

8. Do not use a standardised policy from other sources: Every company has a specific organisational profile and individual security conditions. Accordingly, a security policy cannot be derived from one developed elsewhere on the basis of unclear criteria, even if this promises significant cost savings at first glance.

9. Avoid escalating documentation: It also helps to be guided by the principle "think big, do small" in the ISO/IEC 27001 documentation. The required content validity should be achieved without going into unnecessary depth.

10. Ensure a broad understanding of the ISMS: The information security management system works only as well as it is accepted by all the parties involved. Awareness measures are therefore necessary in the interest of active participation. Wikis and other activities can also be part of the internal ISMS marketing.

11. Include management in the training: Only when top management is involved in a concrete way, and not just at an abstract level, will a sustainable appreciation of the importance of an ISMS develop. For this reason, it should be encouraged to participate, at least partially, in the relevant ISO training.

12. Create a CIP culture: The basic idea of the standard is that the security measures are further developed in a continuous improvement process (CIP). This requires a self-image anchored in the relevant organisational procedures, which does not appear on its own but must be developed through training.

Contact us

On 1 October 2016, the business operations of mikado ag were transferred to ft consult Unternehmensberatung ag.

ft consult Unternehmensberatung AG
Fürstenrieder Straße 5
D-80687 München

Tel.: +49 89 589 273 3
Fax: +49 89 589 273 59