For many companies, knowledge and information are the most valuable assets, and they are often particularly vulnerable ones. Risks to the security of relevant information exist now more than ever: routine digital data exchange along increasingly complex supply chains, externally managed cloud services, and the growing threat of cybercrime, not to mention human error. An Information Security Management System (ISMS) is the method of choice to keep these risks calculable and to protect the organisation.
The most important points in a nutshell
- An ISMS makes the information security risks for companies calculable and manageable.
- In industries with complex, regulated supply chains, such as the automotive and health industries, an ISMS is usually a key prerequisite for market participation.
- In addition, even though not mandatory, an ISMS will be highly valuable and useful for all companies.
- Information security goes far beyond IT security.
- The responsibility for the implementation and operation of an ISMS always lies with the management (top-down approach).
- The individual risk appetite of an organisation decides on the implementation and scope of an ISMS.
In this article
- Why is interest in Information Security Management Systems (ISMSs) increasing?
- Who needs an ISMS and why?
- Has the entry into force of the UK GDPR increased the demand for ISMSs?
- What is the difference between IT security and information security?
- What is an ISMS and how does it work?
- What steps are necessary to establish an ISMS?
- Are there other standards besides ISO 27001 that should be observed?
- Which factors are decisive for a successful ISMS deployment?
- Conclusion: What are the benefits of an ISMS?
Why is interest in Information Security Management Systems (ISMSs) increasing?
The increasing pressure on many companies to implement better or specific standards for information security has ultimately led to a heightened interest in ISMSs. This pressure is mainly exerted on companies whose services and products involve complex supply chains. One example is the many small and medium-sized enterprises (SMEs) in the automotive industry. The same applies elsewhere, for example in the highly regulated banking sector with its FinTechs, and analogously in the insurance industry with its growing number of InsurTechs. Information security requirements are also high in the health care sector. In addition to immediate data protection, these industries face a regulatory impetus that extends far into corporate compliance.
Beyond industry-specific causes and needs, however, there is also a general trend towards greater information security. For example, we are hearing and reading more and more about data theft and ransomware attacks by hackers. Cybersecurity and cybercrime are popular topics because companies want to know how other companies handle these risks while conducting business.
Who needs an ISMS and why?
An ISMS generally makes sense for all companies, regardless of industry and company size. The focus is mostly on software-driven, digitised and SaaS-based companies. Health markets, for example, have strict minimum standards that must be observed in the field of information security to ensure medical confidentiality.
In the automotive industry, it has more to do with the product: The product is so complex and produced by so many people that there are strictly regulated approval processes to go through before a vehicle can be on the road. Anyone involved in the supply chain must meet the information security requirements applicable in the industry – without exception.
Has the entry into force of the UK GDPR increased the demand for ISMSs?
There isn’t a direct connection between the UK General Data Protection Regulation (UK GDPR) and an increased demand for ISMSs because an ISMS is usually not regulated by law. The UK GDPR contains no legal obligation to establish an ISMS, even though companies do have an obligation to set up suitable technical and organisational measures to protect personal data. However, we do clearly see that UK GDPR has sharpened companies' awareness of the topic of information security.
The Technical and Organisational Measures (TOMs) required by the UK GDPR may be a contributing factor. Although TOMs primarily comprise IT measures to protect personal data, on closer inspection it quickly becomes clear that data protection achieved through IT security remains incomplete if information security measures are not implemented at the same time. You cannot have one without the other.
What is the difference between IT security and information security?
IT security covers infrastructure such as computers, servers, cloud services and network links, and protects it against unauthorised third parties. Information security goes further: it protects the information itself, not only the IT that transports and processes it. The information is the real asset. It exists independently of IT and must be protected in all its forms, for example as a folder of printed pages or as company-specific knowledge in employees' heads. In a nutshell: Every IT security measure contributes to information security, but not every aspect of information security has something to do with IT security (cf. Figure 1).
What is an ISMS and how does it work?
Management systems for information security in companies are process-oriented and – as the name suggests – always the responsibility of the management. In other words: The ISMS follows a top-down approach. Management can delegate implementation, but not the responsibility itself. Depending on the motivation (cf. Figure 2, left side), the management decides which measures and mechanisms (cf. Figure 2, right side) should be implemented or established in order to ensure the desired level of information security in the company processes. The scope, intensity, and progress of the individual measures must be continuously monitored and controlled by the management.
To clarify: An ISMS is not about achieving maximum information security. The goal is rather to achieve the level of information security desired by the organisation. The risk appetite is the decisive parameter. A company needs to know what information it has, what risks it is exposed to – and what a materialised risk would mean financially. Based on this knowledge, the management then must decide to what extent the risks should be reduced by an ISMS. The ISMS is ultimately an instrument for financial risk management.
What steps are necessary to establish an ISMS?
The requirements for the establishment, implementation, maintenance, and continuous improvement of an ISMS are specified in the international Standard ISO 27001. To put it simply, the establishment and operation of an ISMS follow a classic PDCA cycle. PDCA stands for PLAN, DO, CHECK, ACT (cf. Figure 3).
The steps to take in detail are:
- Create an ISMS policy. Why do we as a company want to establish an ISMS? What goals do we expect to achieve with it? How do we implement such a system organisationally? Who assumes the role of the information security officer (ISO)? What resources does he/she have? What measures need to be taken?
- Identify and classify assets. Which assets/information do we want to protect? How sensitive are these assets? Automotive example: Images of a prototype vehicle that has not yet been built would be much more in need of protection than images of a test model in a road test, i.e., a vehicle shortly before its market launch.
- Establish ISMS organisation and risk management structures. Which tools do we want to use? What financial and human resources does the ISO have? Which structures should be established for this?
- Develop control mechanisms. How do we check whether the ISMS is effective and protects our company assets as desired?
- Operate ISMS. Which processes do we put into action in everyday life? How do we integrate and document them?
- Check results and KPIs. It should be questioned routinely: What results does our ISMS achieve, and which key performance indicators (KPI) do we derive from them?
- Make corrections and take precautions. In which areas do we need to improve based on the results? How can we counter risks preventively?
- Review by the management. Do the ISMS goals and the general orientation still fit, or are course corrections by the management needed? This should be analysed at least once a year.
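As an added illustration that is not part of the original article: the steps above and the article's point that an ISMS is ultimately an instrument for financial risk management can be made concrete with a minimal risk register. It classifies assets (following the article's automotive example), quantifies expected yearly loss, compares it to the risk appetite, records a treatment and derives a CHECK-phase KPI. All assets, figures, control names and function names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sensitivity scale: images of an unbuilt prototype rank above
# images of a vehicle shortly before launch, as in the article's example.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "secret": 4}

@dataclass
class Asset:
    name: str
    sensitivity: str                  # key of SENSITIVITY

@dataclass
class Risk:
    asset: Asset
    scenario: str
    events_per_year: float            # estimated likelihood (hypothetical figure)
    loss_per_event: float             # financial impact if the risk materialises
    controls: list = field(default_factory=list)

    def annual_exposure(self) -> float:
        """Expected yearly loss (likelihood x impact): what management weighs."""
        return self.events_per_year * self.loss_per_event

def above_appetite(risks, appetite):
    """PLAN: risks whose expected loss exceeds the risk appetite, worst first."""
    return sorted((r for r in risks if r.annual_exposure() > appetite),
                  key=lambda r: (r.annual_exposure(), SENSITIVITY[r.asset.sensitivity]),
                  reverse=True)

def treat(risk, control, likelihood_factor):
    """DO: record a control that reduces the likelihood by the given factor."""
    risk.controls.append(control)
    risk.events_per_year *= likelihood_factor
    return risk

def kpi_within_appetite(risks, appetite):
    """CHECK: share of risks whose exposure is at or below appetite (0.0 to 1.0)."""
    return sum(r.annual_exposure() <= appetite for r in risks) / len(risks)

def build_register():
    """Constructed sample register; every figure is illustrative only."""
    proto = Asset("prototype images (unbuilt vehicle)", "secret")
    test = Asset("road-test images (pre-launch vehicle)", "internal")
    return [
        Risk(proto, "leak via unmanaged file share", 0.5, 2_000_000),
        Risk(test, "leak via unmanaged file share", 0.5, 50_000),
        Risk(proto, "ransomware on design workstation", 0.1, 800_000),
    ]
```

Running `above_appetite(build_register(), 100_000)` flags only the prototype leak; after `treat` halves its likelihood twenty-fold the KPI rises from two thirds to 1.0, which is the kind of figure the yearly management review (ACT) would look at.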
Are there other standards besides ISO 27001 that should be observed?
ISO 27001 could be described as the gold standard for Information Security Management Systems. Depending on the industry, market and national legislation, other standards may also come into consideration. In the UK, the National Cyber Security Centre has issued the Cyber Essentials scheme that aims to protect organisations against common cyber-attacks.
NIST Special Publication 800-53, published by the US National Institute of Standards and Technology, is important for cooperation with US government information systems. The international Service Organisation Control standards SOC 1 and SOC 2 can also be relevant with regard to a company's financial reporting.
Which factors are decisive for a successful ISMS deployment?
An ISMS can only be successfully implemented if it is truly desired by the company management and afforded the necessary resources. The ISO needs the trust of the management and must be authorised to act, so that he/she can ensure a smooth interaction between people, tools, and processes for information security.
Do you actually face fines if an ISMS is not implemented?
No, at least not to the same extent as with violations of the UK GDPR. The UK GDPR applies to companies in general and makes explicit provision for fines. Its scope is very broad, and it makes having a data protection officer (DPO) compulsory in many cases. The analogous role in an ISMS is the information security officer (ISO). In order to be audited according to ISO 27001, companies would usually be expected to have an ISO. As with the DPO, this role can be assumed by an internal specialist or an external body. However: There is no legal obligation either to implement an ISMS or to appoint an ISO.
In the UK, in addition to the obligations under the UK GDPR and the Data Protection Act 2018, if public electronic communications service providers fail to comply with their obligations to safeguard the security of their service under the Privacy and Electronic Communications Regulation 2003 (PECR), they can incur a fine of up to £500,000.
Why should companies implement an ISMS for their own interest?
There are a few good reasons for this. For example, anyone who operates in a market that is still under-regulated can score points with customers through high standards of information security and improve their competitive position. In any case, an ISMS increases the value of an organisation, because only an ISMS provides a precise overview of the processes and informational assets in your own company. When looking for potential investors, an ISMS pays off immediately: If there isn't one, a due diligence check is only possible to a limited extent.
There are also reasons inherent in the market. In the automotive industry, for example, a company entering this highly regulated market must meet the industry requirements and have an ISMS. Staying proactive and implementing ISMS requirements prevents potential security incidents and acts as a safeguard for the future.
Is the establishment of an ISMS different depending on the industry?
The relevant standard ISO 27001 does not provide any information on this. It does not differentiate according to industry or company size but defines the general requirements and addresses 14 security-relevant areas. These are the same areas that are also inspected carefully during the due diligence check. In a nutshell: The same framework conditions always apply, but the implementation of the processes and measures can be very different depending on the industry and the size of the company.
Conclusion: What are the benefits of an ISMS?
In terms of information security, an ISMS ensures transparency, as well as predictable processes and KPI results. In other words: With a well-implemented ISMS, there are no surprises when it comes to information security issues. Benjamin Franklin is credited with a phrase that inversely sums up the benefits of an ISMS: “When you fail to prepare, you prepare to fail.”