Hello World! 🌏
So, recently, no, scratch that, for a while now I’ve been considering implementing an information security management system (ISMS) at home. People have asked why, and the answer comes down to one of two reasons:
It sounds like fun; and,
We run the infrastructure of a small to medium business, and it makes sense to have something to make sure we are following best practice.
Of course, though, I have the luxury of looking at things through a pure information technology lens. After all, I have no personally identifiable information (PII) to protect, products to manage, or governors to report to; my budget is whatever I’m willing to spend, my biggest problem is procrastination, my steering committee is my cat Lyla, and the main question the change advisory board has is “when do I want to stream things?”.
Do I have things easy? Absolutely, but if you know me, it means this project is going to be nothing but.
Considering my budget is whatever I’m willing to spend, which is very little – gotta support that plant habit somehow – I decided to deploy the community edition of Eramba, an open source Governance, Risk and Compliance (GRC) solution. This version gets (hopefully) one update per year.
They also have an enterprise edition available for 2500 Euro per year, which at the time of writing is about $4,124.10 and that gets an update roughly every month.
You can find out more on their site, but I’ve had this application deployed for less than 24 hours, so we’ll see how well it goes. So far, deployment was easy, as I handed it over to our sys admin, who sorted out all my ESXi compatibility issues and got it deployed.
So what are my next steps? I have the software, I have the standards, and so it’s time to begin working through the mandatory clauses 4 – 10!
Over the next week I’ll be looking specifically at clause 4, context of the organisation. This will involve me:
4.1 - Understanding internal and external factors that might affect the ISMS and the outcomes I hope to achieve - this will help me work out the purpose of the ISMS, work out how to manage it, and allocate resources.
More importantly, for this point and the other parts of this clause, it will help me define a scope and therefore which controls from Annex A are needed… and I feel like this is where people get tripped up when rolling out ISO 27001; at least, this is where I feel it is after having spoken to a lot of people who have had to interact with or work within the constraints of an ISMS.
Basically, it comes down to a lack of understanding about risk. When we talk about security and risk it tends to be in a, dare I say it, cyber context rather than an information context, and so IT is seen as the driver rather than literally every other part of the business. You end up with these ill-fitting governance programs because they are driven by IT and/or security, which makes people see governance as a business drag rather than an enabler. But I digress. Clause 4’s other activities:
4.2 - Understanding the needs and expectations of interested parties, which basically boils down to: where possible, am I practising what I preach;
4.3 - Determining the scope – which is in reality going to be most of our systems; however, one of the things I want to investigate is whether there is an approachable way of focusing on particular areas first and increasing the scope in iterations. For this purpose I’ve broken things down into particular business units, i.e. engineering, radio, WinTel etc. This is still a bit of a work in progress as I try and work out how to slice up all the different areas a house of tech people covers;
4.4 – Determining what our ISMS looks like, because it’s not a one-size-fits-all problem.
To be frank, as I typed all of this out, I wondered to myself, “why bother? You probably have most of the answers to these questions.” But I feel like that’s the key problem: without proper consideration, I’ll create more work for myself and develop a system that doesn’t work for me.
My next steps over the following week:
Determine my needs and expectations of interested parties (4.2)
Review the purpose, vision, and mission with reference to interested parties (4.1)
Conduct a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis (4.1).
Sketch out my ISMS and document as I go along (4.4).
Determine the scope of the ISMS (4.3).
Information Security Management System (ISMS): a structured and systematic approach to managing company information.
Personally Identifiable Information (PII): any data that could potentially be used to identify a particular person. Examples include a full name, driver’s license number, bank account number, passport number, and email address.
Steering Committee: A committee that decides on the priorities or order of business of an organisation and manages the general course of its operations.
Change Advisory Board: Delivers support to a change-management team by advising on requested changes, assisting in the assessment and prioritisation of changes.
ESXi: hypervisor developed by VMware for deploying and serving virtual machines.