Information Security Management Implemented Right the 2nd Time

Client: The client is a small company (160 employees) that provides technical and professional support services to professional partnerships and limited liability partnerships.

Project: Work with the client to implement an ISO 27001 information security management system (ISMS) for the organization. The client had worked with another consulting company and had gotten certified but was dealing with a disconnect between their information security management system and their day-to-day information security activities.

They paid their consulting company for a set of document templates and consulting services to complete them. The generic nature of the templates bore little resemblance to the actual information security activities of the organization. There were also key components for a conformant ISMS that were missing.

The ISMS represented a “documentation exercise” that was undertaken a short time prior to their first surveillance audit.  The ISMS documentation was largely unused by the security and technology teams.

Summary: JBW Group worked with the client to identify and document information security objectives and security-related activities directly applicable to the enterprise. Actual risk assessment activities were formally captured and security policies were updated to accurately reflect the nature of the business.

Generic legal and regulatory “requirements” were replaced with an actual assessment and impact analysis which was submitted to General Counsel for review and approval. Superfluous documentation and meaningless metrics were dropped in favor of measurements that provide insights into managing risk for the organization.

Value-add: Dropping the template documentation in favor of capturing the organization’s actual security and technology activities has resulted in a significant reduction in workload for the IT department and the facilitation of a continual assessment strategy for risk management and technology.

The transition to ISO 27001:2013 was completed with a minimum of effort and consulting dollars since much of what was completed as part of the “2nd” ISMS implementation was directly applicable to the 2013 version.