Why do you need an ISMS?
Once we have carried out a network security check in your company, performed a penetration test and worked with you to ensure that the findings obtained through all these activities are translated into practice as comprehensively as possible, it’s time for an ISMS.
We would argue that an ISMS is one of the most important sets of policies and procedures that you adopt in your company, alongside its memorandum of association. Without it, any effort to improve the security of IT systems is futile. But why?
The decision to address the state of information security in a company must come from the very top. It’s no good if the IT department is trying to improve security without the support of the company’s management.
Only through a system of rules, security policies, work instructions, process descriptions, document flows and so on, can the management of a company involve all employees in its security.
The fact is that everyone in the company is responsible for information security – vertically, from the CEO to the janitor, and horizontally, from the IT department through to production and accounting.
What is an ISMS?
An Information Security Management System is a tool for standardising your company’s processes, and if your employees know and use the ISMS in their work, at a minimum the effects will be as follows:
- a higher level of information security,
- reduced risks of unauthorised access to information,
- better control of the services rendered by outsourced contractors,
- near total compliance with legislation such as the Personal Data Protection Act (ZVOP), the Protection of Documents and Archives and Archival Institutions Act (ZVDAGA), and the Electronic Communications Act (ZEKOM),
- improved safety and quality of business processes,
- and finally, a competitive advantage.
From the information point of view, an ISMS makes sure your company’s data and its handling are always characterised by:
- Confidentiality. The data are protected from unauthorised access and disclosure.
- Integrity. The ISMS establishes procedures that safeguard the accuracy and completeness of the data held in the software.
- Availability. IT services and information are available when users need them.
An ISMS is dynamic and evolves with your company
Ideally, an ISMS should be updated as and when changes occur in a company’s processes. For example, your company may have recently updated or completely changed the infrastructure that takes care of data backup. The custodians of the individual documents in the ISMS system must keep all changes up-to-date so that the documents remain as consistent as possible with the actual situation in the company.
Even if your company does this on a regular basis, it makes sense to have its ISMS audited at least once a year. This way, an external company can check whether your ISMS is still in line with your company’s practices.
How can we help?
- We build a bridge between a company’s management and the IT department. We act as a temporary outsourced or hired CIO, CTO, and COO, and when we’re finished we leave behind an orderly environment where the management understands the IT department, and the IT department understands the management.
- We carry out a comprehensive risk analysis.
- We assist in the preparation of the rules, security policies and operating procedures that must be part of any ISMS. In other words, we build a custom ISMS and put it into practice together with your company and its in-house legal department.
- We conduct an annual ISMS audit to continuously improve your processes, documents, rules and security policies, adapting to the ongoing evolution of your business.
In our work, we rely on proven and globally established work methodologies or frameworks, such as ITIL (Information Technology Infrastructure Library) and ITSM (Information Technology Service Management).
ITIL and ITSM best practices are our best practices, and through us they become your best practices.