From underpinning regulatory compliance to implementing key data-security protocols, Information Security Management Systems (ISMS) have become an integral part of any successful company’s operational strategy.

With thousands of companies worldwide either certified or in the process of becoming certified, it is clear that more and more organisations are proactively engaging with ISO 27001.

While getting any system implementation right is paramount to any business, it is fair to say that seamless execution is even more of a priority for SMEs, who traditionally manage their IT in-house.

Most organisations run into minor issues along the way – correctly assigning project staff, managing resources and information, interpreting and disseminating requirements, etc. In this post, however, we seek to address the three main challenges facing SMEs when it comes to an Information Security Management System (ISMS) implementation.

It’s Just Not A Priority!!

One of the first steps in any implementation is to form a team. Usually made up of personnel from across different business units, this team of stakeholders is responsible for successful project delivery and roll-out of the ISMS. In contrast to larger organisations, this assignment comes in addition to the team’s day-to-day Business As Usual responsibilities, and herein lies the first challenge!

I Have More Important Things To Do Right Now!

Vital to overcoming staff push-back is directive leadership. By reinforcing the crucial importance of an ISMS and instilling a sense of urgency vis-à-vis the organisation’s strategy towards regulatory compliance and client security, senior management can positively influence dissenters.

By highlighting the ‘real-world’ value-add of an ISMS and the significance of Information Security (IS) to every cross-divisional function, leadership can ensure early staff buy-in.

This can be achieved through:

  • Clarity of IS responsibilities when agreeing an employee’s job function
  • Setting measurable IS objectives with defined responsibilities and deadlines
  • Nominating dedicated IS evangelists within each business line

Nothing To Do With Us, Not Our Problem!!

There is a common misconception that smaller businesses are less affected by information security than larger corporations or government agencies (such as Eirgrid and the HSE, both of which were recently targeted by ‘state-sponsored’ hackers).

Yet recent research shows that just under 60% of SMEs (or more than half of all businesses) have fallen victim to a cyber attack. Worryingly, many businesses fail to report these attacks, meaning the true figures could be much higher; this risky (pardon the pun) mindset places them in ‘double jeopardy’.

Securing total employee buy-in and ensuring that IS processes and procedures are taken seriously will help mitigate the ‘risky business’ ethos.

Possible steps to be considered are:

  • Mandatory training and awareness sessions for all personnel
  • Functional testing by way of security drills followed by ‘lessons learned’
  • Continuous risk assessment – measure and monitor

I Really Don’t Have The Time!!

In these busy times, many of us have to work to tight deadlines. Our days are already filled with a myriad of meetings, conference calls, meet-and-greets, lunch-and-learn sessions and endless to-do lists. So getting staff on board to take on additional responsibilities can be quite the challenge, right?

Well, look at it this way. It’s a reasonably simple task to take on a monthly ‘fixes and patches’ time-out; it’s not so simple when IT have to enforce a 24-hour systems outage because 12 months’ worth of F&Ps have to be applied to the data-centre’s servers!

Contextualising situations helps staff understand and buy into new processes, and, as mentioned earlier, scheduling fire-drill-style ‘dummy runs’ of hypothetical but very realistic scenarios will create even more of an impact.

Actions that might encourage on-boarding are:

  • Compare and contrast reactive remediation with proactive adoption by contextualising them
  • Encourage active participation by personnel in the development of new processes and sign off on a manageable workload; people are more receptive to change if they are engaged with the process from an early stage
  • Detail the cost and risk implications to the organisation of an IS breach occurring

Kicking Implementation Challenges Into Touch

No matter its size, shape or sector, an organisation moving to implement ISO 27001 will face some form of challenge. What is critical, though, is how these impediments are viewed and overcome.

Our top tip for any business thinking about implementing an ISMS and getting ISO 27001 certified is this:

Ensure all personnel fully comprehend the importance of information security management and are on board with the resultant changes to the business. This will make for a less bumpy road to implementation.

For more details on Information Security management or to discuss getting ISO 27001 certified, contact 01 – 620 4121 to chat with one of our team.