The value of an Information Security Management System for an organization A risk manager should always assume that the list of risks considered, however extensive, is incomplete. Douglas W. Hubbard ISO 27001 is an international information security standard, which sets a framework of requirements that an organization must meet to manage its security activities with success. The application of this standard is only possible through the implementation and adoption of an Information Security Management System (ISMS). An ISMS certified ISO 27001, without being an end in itself, clearly provides a guarantee of trust and quality on the topic of information security. Before you start In order to build an objective ISMS, Systancia first conducted a risk analysis for all its activities, carried out using the EBIOS method. In fact, the risk analysis is currently the basis for Systancia’s ISMS in setting priorities for the implementation of its security measures (i.e organisational or technical actions in response to an identified risk). The definition of an appropriate scope of the ISMS is an important prerequisite that should take into account both the requirements of stakeholders and the organization. The choice of a well-proportioned scope generally allows the organization to mobilize a sufficient level of resources in line with its own capacities. The definition of ISMS roles and responsibilities will then be a good exercise to check that the initial perimeter is able to meet all the requirements. Systancia has chosen to extend the system perimeter to all its activities (production, marketing, sales, etc.) because we are convinced that it is only by opening our eyes wide-to see what is around us that we can become more conscious of the risks we are exposed to. Technical or organizational measures The order in which technical or organizational measures are deployed is important for the IS governance. Sometimes some organizations do not take ISMS into consideration when designing and developing information systems technologies (IT). The integration of ISMS after a technical deployment can be very difficult, costly, or at worst impossible within a reasonable and acceptable period. From the point of view of an “ISO-based” ISMS, it would be sufficient to deploy organizational measures, and then to manage everything in a responsible manner in order to achieve good results. Be careful not to create a simple empty shell. Actually, we believe that organizational measures are effective and make ISMS relevant only if they are associated with technical measures, if they respect the implementation order as defined above. Not convinced of the usefulness of ISMS? Here is a short list of the benefits of ISMS: • Enhances an organization’s confidence in the management of identified risks • Creates an attitude based on continuous improvement • Provides the expected trust to stakeholders • Differentiates from competitors • Fulfills its legislative obligations and ensure regulatory compliance • Structures the security approach • Mobilizes and empowers management at all levels • Values human beings and skills around common objectives • Empowers each employee who in turn participates in continuous improvement • Contributes to the sustainability of the governance As you will have understood, security applied alone is fine, but with ISMS it is much better!