Rhand Leal An Information Security Management System (ISMS) is only as good as its ability to keep up with the requirements of the business and provide adequate protection against the risks the organization is exposed to. To accomplish this, information about the environment must be evaluated constantly, but who will do this? Moreover, where can this information be found?
The truth is that no one in your organization, not even dedicated teams, can do that by themselves. With the use of critical information getting broader and broader (e.g., by the use of teleworking, virtual teams, etc.), IT demands became more complex, and ISMS and security needs along with it. This means that the level of effort required to cover information related to every single security aspect of your organization would make the costs prohibitive. But, you still have to monitor this information. So, how to do it?
Fortunately, ISO 27001 suggests an alternative: contact with special interest groups, control A.6.1.4 of Annex A of the standard.
What are special interest groups?
In a general way, you can define a special interest group as an association of individuals or organizations with interest in, or acting in a specific area of knowledge, where members cooperate / work to solve problems, produce solutions, and develop knowledge. In our case, this area of knowledge would be information security.
The 27001Academy, along with the 9001Academy, 14001Academy, and 20000Academy are examples of special interest groups. Other examples are manufacturers, specialized forums, and professional associations. The government is another example of a special interest group (I will explain why it was mentioned separately a bit later).
How can special interest groups help my organization?
As I presented at the beginning of this post, an organization’s ISMS needs to keep up with business requirements and organizational risks. To cover these issues, the A.6.1.4 control from Annex A suggests the following issues for you to identify a special interest group to help you:
- Best practices adopted by the market: policies, procedures, guidelines, and checklists that you can adapt to your organization’s needs
- Market and security trends related to your industry: laws and regulations, customers’ requirements, suppliers situations your organization has to be aware of or comply with
- News and alerts about threats, vulnerabilities, attacks, and patches: you need these to check your defenses, because it is better to learn from others’ mistakes and misfortunes than your own, isn’t it?
- News related to new technologies and products: what can you use to improve your security, or to achieve the same level with reduced costs and/or effort?
- Specialized consultancy: you may not have the expertise, or time, to make the solution or resolve the problem by yourself, so who can help you?
- Specialized support to handle information security incidents (e.g., other organizations, police, government security agencies, etc.): when you have a problem and need help to resolve it, who can help you?
The government as a special interest group is a unique case, because of its access to additional resources (like police, emergency services, fire fighters, etc.), and, depending on the legal requirements of each country, its involvement is mandatory.
Some of these issues you can identify for free (accessing public content on the Internet, signing up for a regular newsletter, or identifying the person / job title to be in contact with a professional association or state agency), and some you have to pay for (consultant or support services). However, in the latter case it would be recommended to establish contact with potential suppliers through your procurement process (it is always better to have a previous relationship than to call only in an emergency).
What precautions should I take when contacting special interest groups?
Since the information you will be working with could have great impact on your ISMS (over management and/or security controls), you should be careful about which special interest groups you interact with, considering:
- The quality of the information provided: Not all of them have precise or updated information (some only repost news or information from other sources).
- The availability of the information: what is the update frequency of the information? If the source you use takes too much time to update its info, your organization could be exposed to a problem or risk for a longer period.
- The legitimacy of the source: Not all of them are authorized representatives of the one responsible for the information (e.g., manufacturers have specific forums to communicate with their clients or to provide patches). Another case is if security peers recognize the group as a reliable source of information.
In the cases where you have to send or receive information, be sure to verify whether there is an agreement about how the shared information will be protected.
You do not need to do all the work alone
Some people think the implementation of an ISMS is the most complex part of information security management. They could not be more wrong. The effort to keep the ISMS up to date according to the needs of the business and the risk scenario is the real challenge. However, it must not, nor should it be carried by your team alone. Remember, there are many groups that can help you to maintain your system as a valuable tool for your organization.
Click here to download a free template of Questions to ask your ISO 27001/ISO 22301 consultant that will help you evaluate potential consultants.
