Some key components of an information security management system.
By Global Trust Association
10 June, 2019 | 22:06hrs
Today, it is more than obvious that the main component of any management system initiative is the commitment of the organization as a whole, represented by senior management, which governs the company and whose participation is crucial if the management system is to become a relevant part of corporate strategy. This commitment is expressed in various ways through specific actions, such as providing the material, human, financial and technological resources required to implement such a management system. Another important aspect is defining and approving an information security policy as a key element of the system, on which all other management aspects (plans, processes, procedures, etc.) will be built. This policy embodies the essence of the corporate strategy and includes a set of guidelines that everyone must comply with in order to implement and manage specific measures for safeguarding information.
Another key component, though not the only one, is establishing risk management for information security, which mainly makes it possible to identify, evaluate, analyze and treat the risks the company considers as threats, as well as opportunities, affecting the information used in the organization. To this end, the company should adopt a specific risk management methodology based on ISO 31000.
Certainly, the human factor is also a key component, both for the team directly responsible for carrying out the initiative and for the staff working in the company. Therefore, in line with risk management and with the implementation as a whole, it is essential that they have access to all the information needed to foster their awareness and commitment, so that they are clear about which actions they should or should not take regarding information security. As part of a broader strategy for raising awareness and understanding of the importance of information security as a strategic asset of the company, communication campaigns and training sessions will be conducted.