324. THE INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) SUMMARIZED IN 10 RECOMMENDATIONS


Implementing policies and procedures for the secure management of information at the corporate level allows not only the deployment of adequate technical IT measures, but also an organizational change in the way everyone who makes up the company works.

Having internal documents that serve as action guides makes it possible not only to anticipate problems and weaknesses at the security and privacy level, but also, in the event of suffering a cyberattack, to know how to give a quick, coordinated response between all affected areas and departments in order to contain the incident.

That is why we recall here, in summary, 10 recommendations on which good security management in our company must be based (without following the strict order of the clauses of the ISO/IEC 27001 standard):

  1. Determine the context of the company in security matters, taking into special consideration the legislation applicable to a certain type of data or activity (Data Protection – RGPD, Cybersecurity – NIS regulations, etc.).
  2. Consult the opinions of interested third parties and adopt suggestions and recommendations from customers and suppliers to improve security.
  3. Compare current security management with the scope and field of application of reference standards and frameworks (ISO/IEC 27001 or the National Security Scheme, ENS).
  4. Determine the existing risks and define the appropriate technical and organizational measures to implement in order to mitigate them.
  5. Obtain the commitment and support of senior management to make the necessary changes in the level of security and adapt the activity of the company to the basic principles of confidentiality, integrity, availability and resilience.
  6. Assign clear functions, responsibilities and competencies, duly planned over time, and define continuous monitoring teams that adapt policies and procedures to the evolution of the company and the technologies used.
  7. Motivate and educate staff through training and incentives, so that they are able to determine the level of security applicable to each type of information and independently detect possible weaknesses or threats.
  8. Promote internal communication between all areas, and between them and the Security Manager or the IT department, through known and ongoing channels.
  9. Periodically review the security level through internal and external audits to guarantee continuous improvement and correct adaptation to change.
  10. Consider certifying our Information Security Management System in accordance with ISO/IEC 27001 or the National Security Scheme, as a seal of guarantee and trust.