We employ information security standards and policies in our personal lives all of the time. While they may not be formally written down, these are things we must be cognizant of at all times. When it comes to establishing this framework at an organization, there is so much more to be aware of, and so many more regulations to comply with. In my house, a lack of information security cost me $25—at your organization, it could cost $25 million.
I needed an ISMS. Your company needs an ISMS.
For those of you asking, “What exactly is that acronym you just threw at me?” ISO 27001 is an information security management system (ISMS). An ISMS is a framework of policies and standards that encompasses a wide variety of technical, physical, and legal controls involved in an organization’s information risk management process. ISO 27001 uses a risk-based approach, is technology-neutral, and defines a 6-step planning process:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select-control objectives and controls to be implemented.
- Prepare a statement of applicability.
NIST (the National Institute of Standards and Technology) is a non-regulatory government agency that develops technology, metrics, and most importantly for the purposes of this blog post, standards and guidelines to help organizations meet the requirements of the Federal Information Security Management Act (FISMA) set forth by the federal government.
So whether it be ISO 27001 or NIST, ensuring that you are employing the proper policies and frameworks is essential. Not doing a regular assessment could cause major, unsustainable damage to your business. Having the right platform to help you organize all of the policies, risks and other pertinent information (trust me, there’s a lot) is essential.