Increasing competence - the key to a robust ISMS

Individuals are increasingly the critical entry point for and defence against information leaks cybercrime. Employee training and awareness is essential, but is it enough? In protecting itself, customers and suppliers against attacks, companies implementing an information security management system reap considerable benefits.

With a few exceptions, staff are selected for employment based upon their ability to perform their role within the organisation. Some have technical skill sets unique to the core product or service while others have skills and abilities fitting support functions, for example.

Regardless of their role within the company, it is a fair bet that the majority will have had no formal training in dealing with information, data and security risks and management.

Consistently protecting information, data and systems against determined cyberattacks is a huge challenge for companies. Unlike the General Data Protection Regulation (GDPR) established to protect personal data, information, data and cyber security management is generally a voluntary action – albeit increasingly an urgent commercial and business continuity necessity.

Human error the main source of risk

A recent survey by DNV dealing with privacy information management highlighted that companies mainly indicated human error as the main source of risk (44.5%) followed by lack of awareness among employees or poor organisational culture (27.7%). Moreover, investments are shifting from having been technology intensive to increased emphasis on staff training and awareness. A similar situation is seen with regard to information, data and cyber security management.

When human error and lack of awareness are considered major risks, it often means that effective culture building has not taken place. This could easily be mitigated by implementing a formal management system assurance model. Every organisation will experience transitory resources due to attrition and hiring of new resources, for example. This requires training of new hires or awareness refresh of existing staff at regular intervals. It can be elearning, smaller training pills or more extensive training for all personnel involved in data management.

IT security investments continue to be essential; however, as individuals increasingly become a potential weak point, they must be central in any information security approach.

Systems drive a reliable approach

To ensure that all employees are trained at all times in ways that protect the organization, while not distracting from everyday tasks, requires structure.  This need is best met through a management system model based on the best practice captured in the international information security management system standard ISO/IEC 27001. It sets forth specific requirements on regular training and awareness to ensure a consistent level throughout the organization. This leads to increased engagement and empowers employees to think in terms of “information security”, helping them to better manage “uncertainty” related to risks or threats.  Experience demonstrates the that implementing a management system model helps an organization to build and improve a security culture.

In addition to general employee training, there are other aspects that come into play. The presence of internal subject matter experts, properly trained, who are the focal point related to request or doubts among personnel are essential. It is also important for senior managers to demonstrate commitment and show that everyone is expected to follow the same rules. Otherwise, employees may begin to question why they are expected to be vigilant and to follow procedures when the organisation leaders are exempt. 

With the business cost of information, data and cyberattacks rising, investment in training is something that few organisations can afford to ignore. Investing in increasing competence is always a constructive approach and the benefits to be had are considerable. Pairing this with implementation of an ISO/IEC 27001 certified information management system provides for an even more robust, resilient and reliable approach.