Prepare the company for the implementation of an ISMS
To ensure that nothing stands in the way of introducing an information security management system (ISMS), management should define and commission the project in advance. Likewise, the resources required (time and budget) should be defined and released.
Furthermore, it is of great importance to communicate the importance of information security within the company and to explain to employees, members of management and all other relevant persons why information security should be implemented or improved. Only when this understanding, and with it the benefits, is shared can the ISMS be put into practice, which is what makes it effective.
Organising information security requires assigning tasks to specific persons and roles, so that the implementation and later maintenance work well. The most important points here include:
- Support from top management should be in place
- Responsibilities and organisational roles should be defined
- Authority, time and financial resources should be allocated
An information security officer (ISO/ISB) is indispensable. Although this role can also be filled externally, it is recommended that an employee from within the company takes it on, as this person already knows the company and its processes. We offer you the template “Appointment of Information Security Officer”, with which the ISO/ISB can be appointed.
Information security policy
The IS policy is the central document that records the goals to be achieved and the company’s information security philosophy. It also defines responsibilities and explains why information security should be implemented. The policy must clearly state the importance of information security and demonstrate management support. Ideally, it should also describe the sanctions that follow if measures and rules of conduct are violated.