ISO 27001 The Information Security Management System (ISMS)


Introduction

Hello. I’m Stuart Barker, the ISO 27001 Ninja, and we’re going to go through ISO 27001 Clause 4.4, The Information Security Management System (ISMS). We’re going to go through the overview and give you all of the insights that you need: what it is, what it’s about, common mistakes that people make, and answers to a few FAQs. The purpose of this is to empower you so that you can implement the clause for ISO 27001 certification. How great is that?

The definition of ISO 27001 The Information Security Management System (ISMS)

The book definition is: the organisation shall establish, implement, maintain and continually improve an Information Security Management System, including the processes needed and their interactions, in accordance with the requirements of this document.

That is the ISO 27001 2022 version of Clause 4.4, the Information Security Management System (ISMS). There are not a lot of words in there, and it’s a bit of a recursive definition: what is an information security management system? Have an information security management system. Nice and easy?

What is ISO 27001 The Information Security Management System (ISMS)

Basically, what are we looking at? ISO 27001 is a risk-based system. It’s a system based on understanding what the risks are to you and your organisation and then implementing controls to mitigate those risks. The management system element itself is about how you organise yourself, how you manage and how you deliver the information security management.

When it comes to the standard itself, I know people get a little bit twitchy about it, and lots of people make a lot of money off the back of it, but the standard itself is actually only 10 pages of valuable content. It’s only 10 pages, and when it comes to this particular clause, that one sentence is it: that’s the entirety of the guidance you get. But obviously we’ve been through hundreds and hundreds of audits and we’ve done hundreds of implementations, so we know exactly what you need.

The fastest way for you to develop and implement an ISO 27001 Information Security Management System (ISMS) is clearly going to be to purchase the ISO 27001 Toolkit. It is the most aggressively priced, in fact it is the cheapest commercially available ISO 27001 Toolkit on the market today. It is ruthlessly effective: over 4,000 people have used the toolkit and my process and my methodology to get themselves ISO 27001 certified, and not one of them has failed yet. It is lightweight, it is designed for small business, and it is designed to remove bureaucracy but give you what you need. That’s the sales pitch, but there are different ways of going about it.

The different ways to implement an Information Security Management System

You could, and you should, buy a copy of the standard. From there you could look at all of the clauses that make up the standard, work out from that what documentation you require, and then create that documentation. That’s one approach.

You could buy the ISO 27001 Toolkit, we’ve just said that, which is the easiest and the fastest approach.

You could engage a consultant. A consultant, for a build and implement of a management system, is going to be around the £10,000 to £15,000 mark. The great thing about a consultant is that many of them now use my toolkit (I have a consultant version of it), so they use that and implement it for you. You could just purchase it yourself, but anyway, it is what it is. Another option is to buy one of the online SaaS management system platforms, and there are many out there.

The benefits of an online management system platform? I can’t really think of any.

I’ll do another blog on those on another day.

The typical cost of those is going to be anywhere between £10,000 and £40,000 a year, covering licensing, training, documentation within their format, etc. But you could go that route, many people do, and many people are successful with them.

So you have got four routes for building your information security management system.

What is an information security management system?

What is an information security management system fundamentally made up of? It is made up of policies (policies are statements about what you do), it is made up of processes (processes are the statements of how you do it), it is made up of the management roles and responsibilities, it is about having leadership buy-in, and it is about having various processes that are specific to how you run a management system. What do I mean by that? For example, the process of continual improvement: you need an Information Security Management System (ISMS) that is continually improved. It is made up of documents. Do you need to have something complicated? No, you don’t. Microsoft Word and Microsoft Excel are perfectly fine. If you already have tools such as Confluence and SharePoint, perfectly fine. Tools like Jira or Monday, perfectly fine. You can reuse what you’ve got; you don’t necessarily have to reinvent the wheel. Or, as I say, you can buy one of these online platforms if that’s the route you want to go down.

The purpose of the ISO 27001 The Information Security Management System (ISMS)

The purpose of an Information Security Management System is to ensure that you are managing information security. By having it documented you’re going to have maturity of process: something that is written down, something that is repeatable, and ideally something where the outcome of running it is the same irrespective of who does it. By having that process maturity, you are going to increase your information security management effectiveness.

The 2022 changes to the information security management system

What are the changes to Clause 4.4 in the 2022 version of the standard? To be fair, not a lot. In fact the entirety of the ISO 27001 2022 update was minimal impact, and there’s another blog on that. One of the most significant changes was that it changes the words ‘this standard’ to ‘this document’. I don’t know why. It removes a couple of ‘and’s and a couple of ‘a’s. In terms of this particular clause, it now has an addition at the end of the sentence that says: including the processes needed and their interactions. This has always been the case and we’ve always done that; the reason it is added is to be absolutely clear that processes are included rather than implying it. In essence, nothing has changed. If you’ve got a 2013 version of the standard you’re going to be golden, and if you’re coming to it fresh, it’s not adding anything above and beyond what you would have done before.

Who is responsible for the Information Security Management System (ISMS)?

The information security management system is the responsibility of Senior Management and Leadership. Senior Management and Leadership are responsible for leading from the top. This is a standard about top-down leadership, therefore the buck ultimately stops with them. When it comes to implementing it, ideally you’re going to have somebody who does something similar to what I do for a living: somebody who is aware of information security management and is aware of standards. That could be an internal resource or an external resource, a contractor, a consultant, whatever it may be, but it’s going to land on them. Typically, what we see in organisations that don’t really understand it is that they give it to somebody in IT because they think it’s IT related, which it isn’t, and then they put all of the emphasis on the IT person to deliver it. Typically, that person then reaches out to me, uses my toolkit, uses my free one hour a week, gets involved in my calls, and I help and support them through it. But accountability and responsibility sit with the leadership.

Best practice for an Information Security Management System

If I was looking at best practices when it comes to a management system, they are:

Business needs

Understanding business needs: we want to make sure our information security management system meets the needs of the business.

Policies

We’re going to write and implement policies. Policies are a fundamental part of the system.

Training

We’re going to train people and ensure that we educate them and implement a culture of information security.

Secure Devices

We’re going to secure devices and technology. Fundamentally, this is a high-level approach to the controls that we’re going to implement.

Backup

We’re going to make sure that we put backups in place, and we’re going to back up a lot.

Continual Improvement

We’re going to continually improve. Continual improvement is baked into the standard: our information security management system has to have the ability to continue to improve, and there are a number of steps and processes that future blogs will go through.

Audit

You’re going to continually audit, and audit is going to be part of your life. The management system has internal audit built into it, so you’re continually navel gazing and reviewing yourself, doing your internal audits against the standard ISO 27001 and against the Annex A controls, which is ISO 27002. So you’re going to have this ongoing process of internal audit, and you’re going to get externally audited a lot. Your clients, if not already, are going to be auditing you and asking you questions, and if you go for certification you’re going to go through a certification audit. Audit is going to happen a lot.

Design for audit

When it comes to the management system and audit, you want to design your management system the way I have designed the toolkit: you want to create the artefacts that you are asked for on a regular basis. The way that I design my management system is, yes, to manage effectively, but also to answer the questions that I get asked a lot, and you must get these too. Client and third-party supplier questionnaires are always asking you for similar documentation, irrespective of whether or not you have certification. Many people believe that having ISO 27001 certification is going to be the end of the third-party questionnaires and the external audits. It isn’t. It isn’t. Get that myth out of your head: even with certification, they’re still going to ask for it. So when you build your management system, build it in a way that is effective and efficient for you to manage, but also for you to respond to third-party questionnaires and third-party audits. It’s going to make your life so much easier.

3 Mistakes People Make

If I was going to look at the mistakes that people make, what are the top three?

In my opinion, buying a portal or a web-based tool is the number one mistake that I see people make. The tools are fantastic for what they do and for the market that they’re aimed at, but they’re not for everybody. They are absolutely amazing in terms of their marketing and promising you the world, but whether or not they can actually deliver to your requirement is going to depend on your individual need. So jumping straight in to buying a portal is the number one mistake that I see, and I get so many people who come back to me months in, saying: oh, the cost of licences is too high, turning on these features is costing me money, doing this is costing me money, I thought it would do this and it won’t. And you say: no, keep it simple, keep it as simple as you can. Why would you over-engineer it? For the majority of people, and specifically my audience, you, which tends to be small businesses, you don’t have £10,000 to £20,000 to £30,000 to £40,000 to spend on a tool where you still have all the work to do. Why not just do the work and save yourself all that money?

The second biggest mistake that I see is doing it yourself with no help at all. Can you do it yourself? Yes, you can, but why wouldn’t you take advantage of very, very low-cost resources that are proven to work? Why wouldn’t you take advantage of a free one hour a week Q&A with me? You don’t have to pay thousands of pounds on consulting. There are resources available to you and you are not on your own. You might want to do it yourself, and that’s not a problem, but you’re not on your own. Reach out and use the resources that are available to you.

The third mistake, and the biggest mistake when it comes to a management system, is giving it to IT to sort out. It is a fundamental leadership misunderstanding of what it is: they go, oh, this has got to be about antivirus, this has got to be about hacking. It isn’t. That’s such a small element of it. It is a management system. Clause 4.4 is a management system, a system of how you manage. It is not a technical standard and it is not a technical checklist. So mistake number three is saying: here, IT, go and deliver that. They look at it and go, this is completely and utterly outside of my wheelhouse, what the hell am I going to do now? And usually that’s where they land, and they end up with me.

How to implement it

So in terms of your management system and Clause 4.4, my advice is: start with something like my ISO 27001 toolkit. There are other toolkits available, so compare and contrast, look at their pricing, look at their options. I’m not saying definitely buy it; what I am saying is start there and then layer on additional services and help as you need them. Identify what help you actually need rather than going straight to the highest-cost answer that you might not need. Build up slowly, because you will shock yourself and surprise yourself with how easy this is with the right guidance and the right tools to deliver it.

Conclusion

Be sure to subscribe to the ISO 27001 YouTube channel. My name is Stuart Barker. I am the ISO 27001 Ninja. This was ISO 27001 Clause 4.4, the Information Security Management System. Until the next blog – peas out!
