How much of a role does technology play when it comes to ISMS?
ISMS is not necessarily technologically driven, since information can be in various forms such as [physical] documentation or technology. The ultimate objective of putting a security policy in place is to protect the business.
Through ISMS, the essential focus is on protecting all the critical functions and making sure that downtime is kept minimal. Thus, the spotlight is on people and processes first, and then on technology.
What are the aspects to be kept in mind while designing the ISMS?
The most important facet in any information security policy is its adoption. So while designing an ISMS you should look at HR, operational and business policies. Always consider the steps taken by the organization to educate employees and increase information security awareness, and adopt policies accordingly.
Take the working environment into consideration. You should look at different processes adopted by the organization -- right from procurement and business to backup and email. Assess how these areas impact the business. Take into consideration the organization's policies to conduct periodic business analysis and the adopted risk assessment methodology. Within risk assessment, it is advisable to look at how a risk is assessed, and ways to arrive at the residual risk. What are the steps being taken by the organization to address those risks? What are the controls that are in place? Are those controls being periodically tested and reviewed?
Based on this review, look at the technology aspect. This technology can be for business operations, security or daily transactions. Thus, business processes and people have to be supplemented by appropriate technology. You can then consider the organization's outlook towards meeting business objectives while protecting assets.
Can you give us some ISMS implementation best practices?
Security is always a top-down approach. It starts from the top and then relays down to the grassroots level. By making use of awareness, education and elementary security drills, one can draw up policies. A policy or procedure should not be so watertight that business is affected, nor should it be very loose. There should be a balance between what you are trying to secure and how you go about it.
While implementing security, the process starts from the bottom, while policies have a top-down approach. Security is driven by business, and depending on the need for security in each unit, the overall impact will change. Even within the same vertical, organizations will have different needs.
What measures should be taken after implementing an information security policy?
A policy has to be reviewed regularly, as the business and people factors may change. Thus, you should continually update the policy according to these changes. PDCA -- Plan, Do, Check and Act -- is a standard method for this, which reflects continual review, implementation, and updates. In addition, a suitable framework should be adopted (such as ISO 27001 or COBIT) keeping in mind organizational needs.
A certification gives comfort to stakeholders that the organization is secure. This does not necessarily guarantee that the organization is secure. It merely states that the processes have been followed. Alongside the processes, one should also look at the practicality. Conforming to these processes is a step towards ensuring security.