Creating an ISMS is simple, if you know how | by Vicente Aceituno Canal | The CISO’s lair | July 2023


Photo by Ryan Fields on Unsplash

Most IT professionals quickly become confused when faced with the need to create an ISMS. The company wants to be certified, so what should it do?

I think part of the confusion comes from the marriage of ISMS and certification in the minds of professionals and in the associated tools and services on the market. The fact is that you cannot get certified without an ISMS, but you can very well have an ISMS without being certified. This is important because it removes the mental barriers to starting the ISMS. There are useful and simple things we can and should do when creating the ISMS that are not certification requirements.

Then you have the services that promise to deliver the certification. I won’t name names, but you can easily find them by searching for ISO27001 certification services online. They have advantages and disadvantages. A significant advantage is that they come with fictitious policies and procedures that save you from writing your own; a significant disadvantage is that you can easily end up with a parallel-reality ISMS that has nothing to do with your company’s actual practices. Other disadvantages are that your ISMS becomes an additional subscription the company must pay annually, that there is one more application to maintain in the Online Application Zoo, and that the ISMS documents are kept separately from the rest of the company’s documents. If you don’t have experience writing policies and procedures, or at least access to sample policies and procedures, you may have no choice but to buy one of these services.

Suppose you want to create an ISMS and possibly have it certified: how do you go about it?

You must first document what you are doing NOW. An ISMS follows a simple quality management principle: say what you do, do what you say. Create policies and procedures that reflect the current reality of what you do in each of the following areas, for those areas where you do anything at all:

  • Malware protection
  • Backup and business continuity
  • Identity management
  • Security incident management
  • Security monitoring
  • Asset management
  • Transfer of assets