In our previous articles on Information Security Management, we have discussed Information Security Management Systems (ISMS) and the need to keep them simple.

The international standard AS/NZS ISO/IEC 27001:2023 Information security, cybersecurity and privacy protection – Information security management systems – Requirements (the Australian/New Zealand adoption of ISO/IEC 27001:2022) is a risk-based standard. It requires organisations to identify and assess their information security risks, and then implement the controls needed to treat those risks to an acceptable level.

For many businesses, the thought of implementing yet another management system may seem overwhelming and unnecessary. It must be recognised, however, that a management system is simply a structured way of documenting an organisation’s approach to a risk: in this case, information security.

At its core, any management system should satisfy 3 simple steps:

  1. “Say what you do” – The necessary policies, procedures, guides, work instructions etc.
  2. “Do what you say” – The implementation of these documents throughout the organisation, where implementation covers the complete spectrum from strategic to operational.
  3. “Prove it” – The ability of the organisation to verify that the system is current, implemented in all relevant areas, evaluated and reviewed for effectiveness, and achieving its objectives.

This approach provides a simple mantra: ‘Say it,’ ‘Do it,’ ‘Prove it.’

These 3 steps must be considered when developing an ISMS, even for smaller organisations. While certification to ISO 27001 is not currently a universal requirement, larger organisations and many government agencies are increasingly making an ISMS mandatory, both for themselves and for their suppliers.

For example, the Queensland Government’s Information security policy (IS18:2018) mandates that Departments must implement and operate an ISMS based on the current version of ISO 27001.

A starting point for any organisation wanting to develop an ISMS is to review its information security risks in context against the ISO 27001 reference controls. These are contained within the standard’s Annex A (Information security controls) and comprise 93 controls grouped into 4 themes:

  • Organisational (37 controls)
  • People (8 controls)
  • Physical (14 controls)
  • Technological (34 controls)

Very seldom will all 93 controls apply within an organisation, hence it is important to review what is applicable (noting that of the 93, only 34 are actually Technological or IT related, with the rest being Organisational, People and Physical controls). Note that the standard does not allow controls to be silently dropped: the Statement of Applicability must list each Annex A control, state whether it is included or excluded, and justify any exclusion.

Mapping these controls within the context of the organisation is the first step towards demonstrating an awareness of your information security risks, and can assist you in developing a simple and effective ISMS.

Should your organisation require assistance, please contact QRMC for more information.