First of all, risk assessment and treatment cannot be performed by downloading some template you’ve found somewhere on the Internet, or by using the first tool you come across. Risk management needs to be done based on a risk assessment and treatment methodology that is adapted to the size of your company, various requirements, and the sensitivity of the information you have. Too many times I’ve seen small companies using a risk assessment tool that is made for large corporations, only to realize they have spent six months performing work they could have finished in one month, and with questionable results. Therefore, before starting your risk management process, you need to find an appropriate methodology that will define how to identify the main elements of your risks (assets, threats and vulnerabilities) and which scales you will use to evaluate the consequence and the likelihood. Register for this free webinar for more information: The basics of risk assessment and treatment according to ISO 27001.
4. The resources required to maintain the certification
I’m afraid this concern shows one of the main myths about ISO 27001 – that the documents are written only for the purpose of certification. Let me give you an example – if you develop a backup policy because you are implementing ISO 27001, will you require additional resources just because you are now complying with this policy? Or what if you were already performing backups before writing that policy, and now you simply want to make it clear to everyone how it is done?
My point is – you shouldn’t write the documents for the auditor – you have to write them for yourself. If you do so, no additional resources are required, because such rules become part of your daily routine; in some cases you will even have less work, because some problems (e.g. security incidents) won’t happen again.
5. How much time will the ISMS take me away from my main duties?
The answer to this question is very similar to that of the previous one, but I would add this – of course you will need someone who will coordinate all the information security effort in your company. But if you have, e.g., 50 employees, this will require perhaps a couple of hours of work per week, so it could be someone’s task in parallel to his or her normal job. Only when your company passes 1000 employees should you consider a full-time CISO – but such an information security professional will probably save you so much money through prevented incidents that the move will certainly pay off. Register for a free webinar - ISO 27001: An overview of ISMS implementation process.