The NSW Digital Information Security Policy requires all agencies to build, operate and continually improve an Information Security Management System (ISMS) in line with the ISO 27001 standard.
Agencies whose risk profile warrants it, or who provide shared services, need to attain formal certification to the standard.
Developing an ISMS from scratch can be a daunting task. Where do you start? What should be included? How far should you go? What needs to be in place before you go for certification? These are common questions asked by agencies who are seeking to develop an ISMS.
For those agencies that already have an ISMS, how can they operate in harmony with other “management systems” such as the risk management system, the quality management system, the work health & safety management system and the environmental management system?
Centium has been asked to assist agencies with their ISMS in a number of ways:
In each case, we helped demystify the misunderstandings and fears associated with an ISMS. This involved staff awareness training and linkages back to day-to-day workflows within an agency, helping staff understand that an ISMS need simply be embedded in, and overlaid upon, existing practices and operations.
For agencies that did not have an ISMS in place, we have designed and deployed an easy-to-operate, easy-to-understand, non-burdensome management system that operates within existing business practices without the need for extra red tape and administration.
For agencies with an existing ISMS, we have developed an overarching “Integrated Management System” that pulls together the other (often disjointed) “management systems” in place, such as risk management, compliance management, complaints management, business continuity management, environmental management and quality management. These were brought together as a single, tactical, usable and understandable “integrated management system” with dashboard-style reporting tools for the various stakeholders who reference them, from Senior Executives, to Audit & Risk Committees, to middle management and front-line staff.
For agencies that were preparing for certification, we have conducted pre-certification checks and ISMS internal audits to identify gaps and areas for improvement. These have ranged from audits of “management system” elements through to detailed testing of selected “Annex A” controls against an agency’s Statement of Applicability and documented procedures.
Each of the agencies we have assisted has attained full certification, first time, every time.
The ISMSs we have built have been practical and seamless. They have remained integrated with existing workflows and business operations without the need for additional overhead or “red tape”. Information security has been integrated into IT and non-IT project lifecycles and change management processes, as well as procurement and contract management procedures.
As a result of our work, information security has been adopted as a business issue, not just an IT issue.
Rather than building an isolated, disjointed “new set of rules”, we have integrated an agency's existing “management systems” into a unified whole with practical dashboard-style reporting to relevant stakeholders.