Executive management is becoming increasingly aware of its obligations to shareholders, partners, customers, and regulators to ensure that the organization is defended against, and can recover from, cyber attacks. Cyber security threats are increasingly being taken seriously by organizations, and although there is some exaggeration by self-interested parties such as security companies and the news media, it is nonetheless clear from recent events that an increased focus on an information security management system (ISMS) is warranted. Just like finance systems, client management systems, and inventory management systems, an ISMS has become indispensable for modern business. Calder draws on his considerable experience to provide a short, high-level nine-step guide (one step per chapter) to the successful implementation and maintenance of an ISMS that complies with the ISO 27001 international standard.
The first chapter details the steps needed to define a project to implement an ISMS. It emphasizes that an ISMS is primarily a business system, not an information technology (IT) system, and that executive management engagement and commitment are an absolute requirement. The components of the project mandate (also known as the project charter or project initiation document, depending on your chosen project management methodology) are detailed. Chapter 2 covers the steps needed to kick off the project successfully; project initiation issues such as the project plan, risk management, governance, project team structure, and implementation approach are all covered.
Chapter 3 is interesting. Traditional IT system projects generally have a system implementation phase, a handover on project completion, and then an ongoing operational phase. Calder instead proposes using the continual improvement cycle from ongoing operations, whether that be ITIL, COBIT, PDCA (plan-do-check-act), or any other formal process approach, as the engine for implementation. This is a novel approach and definitely worthy of consideration. After all, a successful organization that has survived in business for any length of time clearly has many of the processes necessary for an ISMS already in place, at least to some degree, so an ISMS implementation project can be viewed as simply another improvement cycle.
Chapter 4 looks at the steps needed to establish a management framework for the new ISMS, including the communications and feedback strategies necessary for staff buy-in, and describes the development of an information security policy for the organization. Chapter 5 presents a short, simple approach to assessing existing security controls and integrating them into the new ISMS. One of the most significant aspects of managing information security is the assessment, mitigation, and general management of security risk. Chapter 6 covers this in good detail, introducing the concepts, assessment and analysis practices, controls, and risk treatment options. Chapter 7 covers the implementation of a risk treatment plan in more detail, discussing the processes involved and the resource competencies and commitments needed.
One of the most important (and mandatory) components of an ISO 27001 compliant ISMS is the continual monitoring, review, and improvement of the system. Chapter 8 covers the ongoing internal monitoring, testing, and management review needed to maintain the effectiveness of an ISMS. Lastly, chapter 9 wraps up the project with advice on the certification process and on the management and conduct of a certification audit.
The final two sections are appendices that list ISO 27001 services, tools, and training available from Calder's company, IT Governance Ltd. As almost all supporting references are from IT Governance (and indeed the company is also the publisher), concerns may arise over objectivity; this is freely acknowledged by Calder in the introduction. However, the book is primarily a sharing of the company's techniques for a successful ISMS implementation based on its experience, and there is no suggestion that its approach is the only one possible.
This is a concise and no-nonsense guide to the practical implementation of an ISMS. It is not a prescriptive and detailed work instruction, however, but rather a high-level overview of successful practices based on Calder's past experience, containing excellent guidance for the ISMS implementation project manager. It is an interesting mix of detail on the ISO 27001 ISMS and on project management methodology, and it will be a useful guide for an ISMS implementation project (although it is probably a better fit for smaller rather than larger organizations).