Implementing an Information Security Management System
By: Bruce Coker
    2008-09-03

    Table of Contents:
  • Implementing an Information Security Management System
  • Planning your ISMS
  • The anatomy of an ISMS
  • Implementation


    Implementing an Information Security Management System - Planning your ISMS


    (Page 2 of 4)

    The thoroughness of the planning phase is vital to the ultimate effectiveness of the ISMS itself. A realistic and detailed plan should be prepared and agreed to, against which performance should be measured at every step of the implementation. This will ensure the process remains on track and that the ISMS ultimately addresses the required issues. The plan should also be open to review and reassessment in the light of experience. This will help ensure it retains the flexibility needed to meet the continuously changing requirements of most organizations.

    It is essential to ensure management involvement and commitment at, or preferably before, the planning phase. This will be critical for later success, as decision makers will not only be involved in financing the ISMS but will also play a key ongoing role in its implementation. The involvement of management from an early stage will help to ensure that adequate resources are made available for the development of the ISMS.

    It will also help to involve all related departments in the ISMS process. It is a common misconception that information security is the sole preserve of the IT department, whereas in fact it usually has implications throughout an organization. For example, HR departments will often have a critical role in spreading awareness of the ISMS, while those responsible for the physical security of the building will be involved with issues such as physical access control and the relocation of assets. At a more fundamental level, every individual who uses the IT infrastructure will be affected in some way by the ISMS.

    Knowledge may already exist within an organization that has relevance to ISMS implementation. For example, there may be an existing quality management system (QMS). Where this is the case, relevant skills, knowledge and experience should be leveraged to ease the implementation process and reduce its cost.

    The final major aspect of the planning phase is getting to grips with the standards and processes involved. This will involve the new system's owners familiarizing themselves with documentation such as the International Organization for Standardization's ISO/IEC 27000 series, and the Information Security Forum's Standard of Good Practice. If certification is the goal, it is highly desirable to consult a variety of certifying bodies and identify one with which the applicant organization will work. Strong familiarity with the technical and procedural requirements for certification is equally desirable.

    © 2003-2012 by Developer Shed. All rights reserved.