Data is becoming the biggest and most important asset that any company has, and it's important to ensure that your company data is properly managed. From an IT perspective, this can be managed through an Information Security Management System (ISMS), according to ISO 27001. This International Standard is a great reference when putting controls in place, or when mapping the controls you already have to industry standards.
We started this process by performing a gap analysis: going through the ISO standard and mapping which controls, policies, procedures and processes we already had in place. We found that most of what we had didn't quite cover everything we had expected it to. There were also a lot of controls in the Standard that we hadn't addressed at all.
Our next step was to update all of the policies we had, to make sure that each one did address all of the controls it was designed for. We were able to amalgamate a lot of them and expand the ones we had left, so that by the end we had fewer, but more detailed, policies. We collated them all in a single handbook and then created an index spreadsheet listing every policy, its owner, review dates, changes etc., so that we had a quick reference document.
Once this handbook had been compiled, we went back to the ISO Standard and looked at the areas we had not yet addressed. Some more policies were created and added to the handbook. We also looked at all of our procedures and processes, standardised them all and, where applicable, merged them into policies or added them as appendices in a standardised format.
Once all of this had been done, we split the book into different sections and published them to the different areas of the company: one for the general staff, consisting of all policies that applied to everyone; one for the HR department that covered... you guessed it, HR policies; one for our internal IT staff that was pretty comprehensive and covered all of our controls, policies, procedures and processes; and a final section published to the suppliers and third parties we work with, consisting of the policies relating to SLAs, contracts and other external procedures that we had in place.
We review this ISMS every year at a minimum to make sure that the policies and controls still apply to us and our current use of technology. It has given the staff, management and IT team a lot more confidence in our security and controls and we follow these religiously.
The above description is a very, very brief outline of the work we carried out, which took several months to complete. It is a huge commitment and takes a very large amount of resourcing, but once it is in place and part of the culture, it helps to increase your security posture and gives your company and others confidence in how you process and store your data.