Who is really responsible for the Information Security Management System (ISMS)?

A Common Problem

We often find organisations where the Information Security team believe the next external audit could mean the demise of the ISMS. They know that the necessary stipulations have not been fulfilled during the last 12 months or longer. They also know that this is likely to be due to disjointedness within the organisation and, ultimately, a lack of clear leadership. They have struggled to persuade colleagues to comply with the requirements of the ISMS. They see the threat of discontinued ISO certification from the Certifying Authority as the only way to change attitudes, especially at the top of the organisation.

The International Organization for Standardization (ISO) suggests that in some businesses “leadership from the business owner”¹ is required. However, this is slightly confused in vocabulary standards such as ISO 9000 and ISO/IEC 27000, where the following language is used: “If the scope of the management system covers only part of an organization, then top management refers to those who direct and control that part of the organization”.²

Many organisations prefer to start on the ISMS journey by limiting the scope to the organisation’s Information Technology / Information Management. Taking such a literal approach from the guidance, however, can lead to a scenario where business owners (CEOs / MDs) believe they are absolved of their responsibility for the ISMS as they come to believe the management system is in safe hands under IT/IM management.

There is a simple test in this scenario to establish if the ISMS is in the right hands. Imagine the IT Director approves a technical process that involves taking down operational systems during normal business hours. If there is somebody else in the organisation who can overrule the IT Director and prevent the process from taking place, then the ISMS is in the wrong hands.

This scenario is likely to lead to further undesirable consequences:

  • The IT Director’s information security leadership will be brought into question and may even be considered weak;
  • The external auditor will record their concerns around leadership as part of the audit, and will likely instigate further investigations;
  • Any negligence in the area of leadership would normally be reported as a Major Non-conformity as it represents a major stipulation within the Standard.

A Better Approach

We recommend establishing board-level ‘accountability’ for the ISMS. ‘Responsibility’ for its management may be delegated, but accountability must rest with those at the top of the organisation.

Most ISO management systems (certainly all those which follow Annex SL: 9001, 14001 and 27001) have a stipulation for Management Reviews. We recommend that Management Review meetings are held regularly (e.g. twice a year) and include board-level representation. Board members will be in the best position to report on any changes in external and internal strategic matters that could be relevant to the ISMS. They will need to be made aware of the organisation’s information security performance, and may be able to bring feedback on it to the meeting. They will need to be informed of information security nonconformities and the results from monitoring, measurement and audit activities. They may know why the nonconformities have come about, or they may be in the best position to propose the most effective corrective actions.

Policy for the ISMS needs to be written (and signed off) by the head of the business in full knowledge of the requirements of the business, but with observance of all information security risks and mitigation options. The CEO/MD will be forgiven for not being the most IT-aware member of the business, but this doesn’t mean they cannot be counselled, where necessary, by the organisation’s IT experts. Contrary to popular belief, the ISMS is not all about IT; it’s about leadership with an information security flavour.

In conclusion, the ISMS should be overseen by organisational leadership who know the organisation’s strategy, are aware (or can be made aware by their experts) of the ever-changing risks to the ISMS and the risk mitigation options, and should be the ones setting policy, based on the strategy, in balance of those risks.

How Regency Can Help

Regency ISO/IEC 27001 Lead Auditor consultants have a long track record in helping customers meet and maintain ISO/IEC 27001 requirements both in the UK and abroad. From initial assessment, through designing a pragmatic and effective ISMS, to audit support and ISMS maintenance, we provide a low-risk approach to achieving and maintaining ISO/IEC 27001 certification.

We won’t leave you with a library of standard templates that need experts to decipher. We will be with you every step of the way, including during your Certification Audit, confirming our support meets with the expectations of the Certifying Authority. We’ll be there to get you over the initial line but will be on hand for guidance, if you need us, in the months and years to follow as your ISMS matures.

If you would like to explore how Regency can help your organisation, please contact us on our office number 01242 225699 or email enquiries@regencyitc.co.uk

¹ Source: https://www.iso.org/management-system-standards.html
² Source: ISO/IEC 27000:2018

Regency ISO27001 Certified Again

We are again extremely pleased to announce that, as of 12th April 2018, Regency IT Consulting maintained its ISO/IEC 27001:2013 certification for another year.

Seven consecutive years Regency maintains ISO27001 certification

We are again extremely pleased to announce that, as of 21st March 2017, Regency IT Consulting maintained its ISO27001:2013 certification for another year.

Regency Appoints New Data Protection Officer

Regency IT Consulting is pleased to announce the appointment of one of our security consultants, Shelagh Griffith, to the additional role of company Data Protection Officer (DPO).

Regency Head of Security Practice Achieves Certification as Lead CESG Certified Professional

Proving Regency’s continued commitment to the CESG Certified Professional (CCP) scheme, Chris Crowther, Regency’s Head of Security Practice, has achieved Lead Practitioner certification in the Security & Information Risk Advisor (SIRA) role.

Why do information security compliance campaigns sometimes fail?

As an organisation with British Standards Institute (BSI) recognition for the way we manage our certified ISO/IEC 27001:2013 Information Security Management System (ISMS), proven by our selection as a Platinum Member in their Associate Consultant Programme (ACP), and with the appreciation shown by the clients we have helped on their way to certification, we are confident about our expertise in “the Standard”.

Regency expands its information assurance qualifications

We are proud to announce that William Wardrope has been successfully Certified in Risk and Information Systems Controls (CRISC) via the ISACA Examination Body. CRISC is an international certification and has a fearsome reputation throughout the security consultancy community for its tough exam. William adds his CRISC certification to his ISACA Certified Information Security Manager (CISM) certificate.

The cyber security message at the top: what the C-suite need to know

I’ve been hard at work over recent months designing an awareness course on the basics of information security which is aimed at the C-Suite, the senior executives of an organisation. The idea is to give them a high-level introduction to the concepts around cyber security and also to make them aware of their responsibilities as set out in a variety of legislative and regulatory provisions. Regency IT Consulting, in conjunction with the Bristol Management Centre, will make this course available shortly.

Interestingly, when I’ve mentioned to contacts in other organisations (public and private) that I’m designing a course aimed at the C-Suite, the response has been overwhelmingly positive. Information security professionals seem to experience a common problem in trying to get the senior management of their organisation to take cyber security seriously. There’s a tendency to think that cyber security is the IT Director’s responsibility whilst the board gets on with more “important” things like financial matters. Anything which alerts senior management to their own cyber security risks is seen as positive and possibly long overdue.

The TalkTalk incident in October 2015 should have been a wake-up call for chief executives wary of finding themselves in its CEO’s shoes: having to deal with a major security breach in the full glare of publicity with limited knowledge of what went wrong or why. There were also major financial consequences; within three months of the breach being identified, TalkTalk had lost around 250,000 customers. Their share of new customers in the home services market fell by 4.4% compared to the quarter before the breach occurred, and these potential customers went to other companies such as BT, who increased their market share as a result.* Additionally, in the weeks following the attack, TalkTalk shares plummeted by 20%. Seven months after the breach, it was announced that their annual profits for 2015 had fallen by around 50% compared to the previous year.

This week the Culture, Media and Sport Parliamentary Select Committee gave their view on cyber security after conducting an inquiry into data breaches and cyber security, prompted by the TalkTalk incident. Their view is that chief executives should take the lead in crisis response when a security breach occurs; they also recommended that a CEO’s financial remuneration should be directly linked to the effectiveness of the organisation’s cyber security. Additionally, the Committee is recommending that organisations that hold large quantities of personal data should report annually to the ICO on a number of measures, including staff cyber awareness training, the auditing of security processes, whether they have an incident management plan, the number of attacks on their systems of which they are aware, and whether there were any personal data breaches. The Committee expressed the view that “Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened… Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place.”

So, the C-suite should take counsel with their IT and security professionals to confirm that it’s not just the Regency opinion that they need to brush up on their cyber knowledge and get more involved with addressing information risk within their business by supporting those who manage such risk on a day-to-day basis and by providing adequate resources to enable them to do so. Failure to engage properly in cyber security is likely to cost CEOs dearly at a personal level as well as in relation to their business.

How Regency can help your business

Faced with increasing numbers of cyber attacks, together with the ever present danger of accidental data breaches, you may be looking to review your business’s management of information security. At Regency we are committed to working with our clients to identify and minimise the risks to their information, providing advice on how to deploy practical and cost-effective security measures. We can advise on achieving Cyber Essentials or ISO27001 certification or simply on improving your organisation’s security situation. We can also assist in raising awareness of cyber security issues at all levels of your organisation, whether via our Bristol Management Centre-endorsed course, or on a tailored consultancy basis. Our consultants have wide-ranging experience of a variety of business sectors.

If you would like to discuss your requirements, why not give us a call on 01242 225699 or drop us an email.

* From Kantar Worldpanel (reported at http://www.ibtimes.co.uk/talktalk-hack-after-effect-about-250000-customers-deserted-company-1539648)

Shelagh Griffith

Security Consultant

Regency Security Consultant Awarded Data Protection Certificate

Proving Regency’s continued commitment to the development of its services and its staff, a member of our Security Consultancy Team, Shelagh Griffith, recently passed the British Computer Society ISEB Certificate in Data Protection.

Floppy Disks in 2016 – Who’d Have Thought It?

A recent article on the BBC news website highlighted the fact that the United States Nuclear Force still uses a 1970s-era IBM system for command and control of its intercontinental ballistic missiles, nuclear bombers and tanker support aircraft, and relies on 8-inch floppy disks for its continued operation.

A spokesperson for the US Nuclear Force was quoted as saying “This system remains in use because, in short, it still works.”

Regency Security Consultant Achieves Certification as Senior CESG Professional

Proving Regency’s continued commitment to the CESG Certified Professional (CCP) scheme, a member of our Security Consultancy team, Stephen Bottomley, this week achieved Senior Practitioner certification in the Security & Information Risk Advisor (SIRA) role. Additionally, Stephen also achieved Practitioner certification in the IA Auditor role.

Stephen’s achievement reinforces the Regency statement that we are continuously looking to enhance our capability in the Cyber Security and Information Assurance space.