Objective:
It is always a good practice to identify the risks involved in any implementation process. This post pertains to ISMS implementation, and I have highlighted 6 points that are critical to this subject. These are based on my experience; if there is anything more, please feel free to share it with the community.
Risks:
Management Commitment — Management has one of the key roles in the implementation of ISMS practices. Management should have the appetite, the drive and an understanding of why ISMS practices are required in the organization.
Availability of Internal Resources — This is a very common problem that everyone faces. We will require the participation of other team members, from the initial phase until implementation is complete, and beyond that to keep the practices running. For certain areas such as asset inventory and risk assessment, it will be difficult to get some of these resources, since they will also be busy with their routine tasks.
Asset Inventory — There are two risks in this phase.
Identifying and recording all the assets from all departments. It is sometimes not possible to sit with each and every team and help them identify their assets. So the common practice is to hold a workshop with one member from each of those teams and then ask them to identify the assets in their department. The information that comes back is only what those team members have identified, and it often contains surprises.
The implementation project in an organization with 500 – 1000 employees would take a minimum of 6 to 8 months. During this period there is a chance that new assets are added to the infrastructure and go unnoticed. So keep your eyes open to see and understand whether there is any proof of concept (POC) going on for any products, or anything budgeted for the current year.
Hiding Non-existence of Controls — While you are carrying out your control assessment, it is quite likely that the persons nominated to take you through the existing controls might hide certain weak areas, or areas where there are absolutely no controls. This is very often done because the nominated persons do not completely understand the meaning of a control assessment, mistake it for an audit, and fear that you will report non-conformities to senior management. If this has not been communicated properly, make sure that you take about 5 minutes before you start your control assessment exercise to brief the person assisting you on the impact. If you fail to identify the areas where there is no control, this will impact your risk assessment exercise.
Manpower/Budget — During the implementation phase, controls will be recommended which can be both technical and non-technical. At times there will be a lack of manpower or a lack of expertise for implementing these controls, or the organization will not have the budget required for the purchase of these products. So watch out for these risks and have a buffer of both in place.
User Awareness — There are numerous workarounds for other implementation problems; tell me one workaround for lack of awareness in the organization? I don’t see any and would certainly consider this one of the critical risks to the organization. Even before you think of implementing ISMS practices, collect the required information and start training employees at regular intervals. If at a later stage you decide not to implement ISMS, you still do not lose anything.