Info Sec Explained
What Are the Critical Steps When Implementing an Effective Information Security Management System?

What Are the Critical Steps When Implementing an Effective Information Security Management System?

Wayne McCaw's photo
Wayne McCaw
·

3 min read

After supporting more than 350 organizations in attaining ISO 27001 certification, we frequently encounter inquiries about the essential stages or fundamental components when establishing a successful information security management system. When we provide a response, one of the elements we invariably emphasize is "ensuring that you have the right resources at your disposal." This entails evaluating whether your human resources possess the necessary expertise, understanding, and proficiency to fulfill their respective roles. The pivotal query we will explore in this blog is how to assess the competence of individuals under your supervision in terms of information security.

The initial step for ISO 27001 involves a thorough examination to pinpoint your specific competency needs.

Within your organization, various roles can significantly influence the security of your information, either positively or negatively. These roles encompass a range of positions, starting with high-ranking executives such as your CEO and CFO. Additionally, senior management roles, like department heads, play a crucial part in this context. Furthermore, there are specialized positions, such as the information security manager, while the rest of the workforce falls into the general category. While the latter group, which includes your general workforce, may not require formal qualifications concerning information security, there are several internal competencies that merit consideration:

  1. Familiarity with the company's policy requirements.

  2. Awareness of the significance of their own contributions to information security.

  3. Knowledge of how to report security incidents and vulnerabilities.

Certain roles within your organization have a more pronounced potential impact on information security. These roles might encompass the information security manager, data protection officer, internal auditors, and technical security experts like firewall and Windows administrators. For these roles and similar ones, it is imperative to ensure that each individual fulfilling such responsibilities possesses the requisite competence in terms of experience and educational background or training. Once again, the starting point lies in defining the competencies needed, which may include:

  1. Formal education and training pertinent to their area of expertise.

  2. A minimum number of years' experience in a role related to their specialization.

Furthermore, beyond the aforementioned aspects, there are general competency prerequisites to consider. The often overlooked facet of competency revolves around "soft skills." These encompass qualities like emotional intelligence, teamwork, time management, and problem-solving. The significance and relevance of many of these skills are influenced by the organization's culture and core values. In our view, they can ultimately wield a substantial impact on the organization's information security capability. For instance, when examining the roles of an information security manager or compliance manager, a critical aspect of their responsibilities involves effective communication, influence, guidance, and motivation of others to adopt best practices.

Once you've defined your competency requirements, the next step is to assess the level of competency possessed by the individuals in the identified roles under your supervision. This evaluation may be simpler for some "hard" skills compared to "soft" skills, but various tools in the market, such as psychometric tests, can aid in this assessment. This assessment allows you to pinpoint any gaps in competency. When such gaps are identified, plans should be devised to address and eliminate them. This could involve training and raising awareness, but it might also entail recruitment or organizational restructuring, with individuals being placed in roles better aligned with their competencies.

Furthermore, it's vital to monitor both the competence requirements for roles and the competency of personnel fulfilling those roles, as changes in the business environment may alter the competency prerequisites, and advancements in technology can lead to competency erosion over time.

To substantiate the competency of personnel working under your purview, it's essential to maintain records as evidence that they possess the necessary skills to fulfill their respective roles.