The small but perfectly formed ISMS

Consulting for small organisations lately to design and implement their ISO/IEC 27001 Information Security Management Systems, resourcing constraints often come to light, particularly the lack of information security expertise and knowledge in-house. I have previously taken this to indicate lack of understanding, support and commitment from senior management, insufficient priority relative to all the other important stuff going on, hence my abiding interest in elaborating on the business case for investing in information risk and security management. Currently, though, I’m gaining a new-found appreciation of the realities of running a small business where even IT may be done on a shoestring, leaving information security way out on a limb.

With barely enough cash-flow to sustain the business during COVID and the obvious need to focus on core business activities, it’s no surprise if ISO27k implementation and certification projects take a back seat for now. That delaying tactic, however, leaves the business more exposed meanwhile, increasing the probability and impacts of incidents that should have been avoided, prevented or mitigated. It can lead to missed business opportunities and customer defections as they turn to certified competitors rather than waiting for the assurance an ISO/IEC 27001 compliance certificate would bring. It reduces trust and devalues brands. All in all, it’s a risky approach.

Putting the ISMS implementation on hold is not the only option, however. With some creative thinking, it is possible to keep the project moving along, albeit at a slower pace:

• A bare-bones minimalist ISMS, barely adequate to satisfy the standard’s mandatory requirements, may not deliver all the business benefits of good practice information risk and security management ... but it is both certifiable and better than nothing. A small but perfectly formed ISMS demonstrates the organisation’s genuine commitment to information risk and security management, gaining the assurance value of the certificate to third parties without the investment necessary for a full-blown ISMS. Furthermore it is a perfectly valid and sensible starting point, a platform or basis from which to mature the organization’s information risk and security management practices as and when it proves its value. It's a pragmatic approach. Being a pragmatist, I like that.
  
  
• Partnering with consultants reduces the pressure on employees, demonstrates management’s support (more than just the intention to resume the ISMS project ‘at some point’), and keeps up the momentum. Based on our practical experience and knowledge of the standards, we can generally help clients navigate the process by the shortest and most direct route, perhaps making small diversions only where it makes business sense. Speaking for myself, I’m happy to regulate my involvement according to the client’s wishes, matching their pace with mine. Having a portfolio of clients and interests on the go lets me juggle priorities, complete fill-in jobs and manage my workload (within reason! I’m merely-human, not super-human!).
  
  
• Even if the ISMS project itself is parked, there are still things that can be done, seizing opportunities that arise elsewhere to remove roadblocks or put in place building blocks to help jump-start the project at some future point. For example, since information risk is the main driver for ISO27k, it is possible to weave a subtle but consistent emphasis on risks into routine business activities, business meetings, policies and so on. Quietly gathering details of incidents, risks, controls, compliance obligations, assurance needs etc. can be done as a background activity, preparing for the fateful day when the parking brake is released.

One of my fill-in jobs has been to prepare and release SecAware Launchpad - a coherent suite of essential template materials for those minimalist ISO27k ISMSs I mentioned. When pared-down to the bones, there’s not a vast amount of mandatory documentation for ISO/IEC 27001 certification, hence Launchpad is lightweight and good value. I almost completely resisted the temptation to provide additional bonus content, incorporating just a few brief notes of explanation here and there where the standard itself isn’t clear.

My next fill-in job is to package-up more of that supplementary content as an optional extra add-on for organisations that need more guidance and want to build a more complete, functional and valuable ISMS. We have gigs of material already prepared through our awareness service plus the experience of using the ISO27k standards since before they became ISO27k, so it’s mostly a case of deciding what is necessary, looking for it and then adapting and rebranding it into another SecAware ISMS support package. I'll announce the new package here and of course on SecAware.com when it is released.