The Management of our company took the decision to implement an Information Security Management System (ISMS) aligned to the international recognized standard ISO 27001:2013. The objective is to protect the confidentiality, integrity and availability of Lahmeyer data/assets. This will bring more value to the company and more confidence to our clients.
Benefits of an Information Security Management System according to ISO 27001
Some companies may falsely believe that they don’t need a formal ISMS. They may have certain controls already in place or are deploying modern technology to protect themselves from cyber-attacks. However, the benefits of implementing an ISO 27001-compliant ISMS are far greater than many people perceive or realize.
- It encompasses people, processes and IT systems by recognizing that information security is not just about antivirus software. It also depends on the effectiveness of organizational processes and the people who manage and follow them.
- It helps you to coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively.
- It provides you with a systematic approach to manage risks and enables you to make well-informed decisions on security investments.
- It can be integrated with other management system standards (e.g. ISO 22301, ISO 9001, ISO 14001, etc.) ensuring an effective approach to corporate governance.
- It creates better work practices that support business goals by asserting roles and processes which should be clearly attributed and adhered to.
- It requires ongoing maintenance and continued improvement. This ensures that policies and procedures are kept up-to-date, resulting in better protection of your sensitive information.
- It gives you credibility among staff, clients and partner organizations and demonstrates due diligence.
- It helps you to comply with corporate governance requirements.
- It can be formally assessed and certified against ISO 27001, providing additional benefits: demonstrable credentials, customer assurance and competitive advantage.
ISMS – Challenges of the implementation process
As you may already know, a high-level implementation process consists of defining the scope, analyzing the current status of the processes, conducting gap analyses, writing policies and procedures (or aligning the current ones) and at the end approving and integrating those in Lahmeyer’s day-to-day activities. Sometimes this integration may take time, depending on the size of the company, on when it has been established and of course on the corporate culture. And sometimes, the employees may not be all in favor of the process.
There are 6 recognized phases for managing cultural changes which almost every company goes through:
- Denial Phase: “They aren’t really going to go through with it”
- Anger Phase: “What a waste of time and money”
- Bargaining Phase: “If they want me to do that, fine, but I won’t have time to do my other duties” or “if they make me do that I’ll resign”
- Depression Phase: “This is really happening and there is nothing I can do about it”
- Acceptance Phase: “Well this is how it is, but things aren’t so bad”
- Moving on Phase: “Actually this new set up is better than the old one and I can make this work for me”
It looks very straightforward at first glance, right ?? But many companies are making mistakes when trying to decrease their implementation costs by narrowing the scope of measures or neglecting some of the requirements of the standard.
Data protection in our own house: ISMS at Lahmeyer
To achieve the challenging task of setting up an ISMS, I had initial meetings with many Lahmeyer business process owners and managers. This is an important step in the implementation because I could get a deeper understanding of the processes, different business specific requirements and, last but not least, the defining interested parties. To organize these meetings, I had to send the meeting requests 2 weeks in advance. At the beginning, I was surprised that I had to wait two weeks for a 1-hour meeting. However, later I realized that this is due to the fact that Lahmeyer works on a lot of clients’ projects. Key employees are on business trips quite often to meet with the clients.
Senior Management Support is the key
There is no way how not to mention the fact that one of the essential elements for implementing ISMS is Senior Management support. Luckily, this is strongly the case in this project. Based on my experience, I can say that this support will boost the process. How? For example: When I joined the company, there were no physical access controls on the main section doors inside the building. This means that persons from outside the company could easily enter the building with the pretext that they are going to take a lunch. Once inside the building, they could walk freely without any limitations. Now, the situation is way better: Physical access controls have been installed on each section door. Without an appropriate access card, they will not open. A little bit more secure, right? ?
So, without management support, how would you ever be able to implement such security controls? It just doesn’t work! Of course, I had the support, and I have help and from my colleagues in the team who have strong knowledge and vast experience in the Industrial Control Systems (ICS) world. They are always up-to-date on the cyber security threats present in different power plants and on the way how to mitigate them.
Interested? Learn more details on ISMS integration in part 2….stay tuned