Getting started with an ISMS
Constituents
This publication is intended for everyone who is responsible for information security, whether as a director or as the operational manager in your organisation. Particularly in smaller organisations, there is often no formal CISO structure but there is a need for an overview, direction and transparency. This document will help you ask the right questions and take a first step towards a mature approach to information security.
Background
Information security is more than remedying technical vulnerabilities or installing security software. Achieving and maintaining digital resilience requires continuous attention. Setting up an Information Security Management System (ISMS) allows you to keep a grip on information security and offers a structural, process-based approach.
An ISMS helps you organise information security as a continuous improvement process. You can structure your security measures by making risks and vulnerabilities measurable and putting them on the agenda within your organisation. This is how an ISMS helps you prevent incidents instead of having to put out fires, and lets you interact with customers, suppliers and supervisory bodies in a predictable manner.
A well-configured ISMS also supports the continuity of your organisation, particularly in a tight labour market: knowledge and processes become transferable. Finally, an ISMS can also help you make the right investment decisions and base the business strategy and/or annual plan for the upcoming period on the right choices, namely the risks you have identified.
Every organisation benefits from setting up an ISMS. At the same time, not every organisation needs a complete ISMS. Often, taking smaller steps that focus on your biggest risks or crown jewels is enough. So an ISMS is not an end in itself but a tool to tackle information security in a deliberate manner. This is what the law and regulations require and what this publication will help you achieve. We explain what an ISMS is and how you can take the first simple steps.
What is an ISMS and what can I do with it?
An ISMS is a method to tackle your information security in a systematic manner. It is therefore not a system in the technical sense of the word, such as a software package or checklist. On the contrary, an ISMS is a continuous process of measurement and assessment. An ISMS helps your organisation create a structured approach for a number of tasks:
- Allocating ownership for information security.
- Making risks and measures discussable.
- Creating clarity with regard to responsibilities, points of contact, and decision-making.
- Making the approach to information security demonstrable.
- Creating awareness in the field of information security and business risks.
Without an ISMS, information security often depends on the knowledge of individual employees who make ad-hoc choices. What these choices are based on is not recorded, so the rationale cannot be reproduced for future decision-making. The result is an unstructured approach without a full overview of the risks and measures throughout the organisation.
The most common standard for an ISMS is ISO 27001, which revolves around the Plan-Do-Check-Act (PDCA) cycle.
- Plan: establish policy, determine your objectives, and identify risks.
- Do: implement security measures and processes.
- Check: monitor and assess the effectiveness of your measures.
- Act: adapt your measures and processes according to your organisation’s needs.
With the aid of these steps, you can improve your information security continuously in a cyclical process. This turns your approach into a repeatable and transferable process that grows with your organisation and adapts when the risk landscape changes. This fosters trust, both within your organisation and among partners, customers and vendors.
Assign ownership of your ISMS to the right person: the one who has the mandate and budget to make decisions. Make sure the creation of the system is a process that lives throughout the organisation. This is how you ensure a successful ISMS. It does not have to be all-encompassing from the first day. Start small, be realistic, and adjust step by step based on your organisation’s needs.
What do I need to get started with an ISMS?
Starting an ISMS is not simply a matter of buying software or checking off a checklist. Creating an ISMS starts with a decision: a deliberate choice by the organisation to take a structured approach to information security. This decision must be supported, ideally by the board or upper management. Without strategic support, the ISMS will never move beyond documents in a folder with no real impact on operational management.
What you need to get started with an ISMS can be split into three categories: human, content-based and practical.
Human
An ISMS is not just about systems and procedures; above all, it is about people. Support is vital, since the initiative won’t become a reality without backing from the upper echelons of the organisation. After that, the ‘regular’ employees are vital for continuous improvement and for following up on measures and controls. It is also important to assign responsibility. Who will take charge within the organisation? A driving force with a mandate makes all the difference. And also: who are your advocates? These are not just formal roles like IT and compliance, but also informal influencers who can encourage others to go along with the change. We discuss whom to involve, why and when in one of the next chapters.
Content-based
An ISMS requires insight into your own organisation. What do you want to protect? How are you working now? What are your vulnerabilities? Without this basic knowledge, you run the risk of taking measures that are not in line with reality. In addition, basic knowledge of risk management and information security principles is necessary to make the right choices. If this is not available in-house, you should consider getting it from an external source. And perhaps the most important thing is to create a realistic plan. Start small, set feasible goals and build on this gradually. The next chapter will help you define an initial scope.
Practical
There must be room in a practical sense, too. Time, resources and capacity are necessary, but priority is the biggest factor. Without clear urgency, the ISMS will disappear into the background between putting out fires, rush jobs and ad-hoc decisions. Give the ISMS the place it deserves in the organisation’s planning and, more importantly, in the minds of the people who have to realise it.
Step 1 - Study the context of your organisation before getting started.
Every ISMS is unique and must fit the nature, size and culture of your organisation. Having a good understanding of what is really relevant will help you avoid putting your energy into measures that contribute little to your objective: to protect what is valuable.
An ISMS is not a final destination; it is the beginning of a continuous learning and improvement process. But it starts with that first, supported step.
How do I determine the scope of my ISMS?
Start with setting up an ISMS in a clear and simple way. Keep the scope small and realistic at first, this makes it more likely that you will be successful. You can use the lessons you learn in the first round in the step-by-step implementation until everything you need is incorporated into your ISMS.
Make sure you have clear insight into your organisation’s interests in order to establish the scope of your first steps. Engage with the right stakeholders. Start with the question: which processes, systems or components in my organisation are most important and need protection first, and why?
Your business model – What assets bring in the money?
Look at your organisation’s primary process. Find out which people do the actual work and what resources they use to do it. Map which information streams support your primary process.
Your customers and suppliers – Where do they expect reliability or compliance?
Look at your business chain. Determine which companies depend on you and on which companies you depend. Examine what expectations your partners have with regard to your reliability. Contracts often contain performance agreements, but information security may be implicit. A lack of security can nevertheless impact your performance and put those agreements at risk. Companies also increasingly have explicit requirements with regard to cybersecurity and expect you to comply with specific standards.
Your crown jewels – Which systems, data or processes must never break down?
With a clear overview of your own organisation and its immediate ecosystem, you will probably find specific information streams that are vital to your business operations. The availability, integrity or confidentiality of that information is incredibly important. These are your crown jewels and you want information security for these assets to be optimised.
Your vulnerabilities – What are your biggest weaknesses?
Look at the threat landscape. Your organisation’s resilience requires your biggest focus to be on your most vulnerable attack surface. Don’t forget to look at the past, too. Did an earlier incident have a big impact on your organisation? Such incidents often reveal vulnerabilities and important dependencies. Learn from your past by choosing to tackle those vulnerabilities.
Organisations covered by NIS2 that are constituents of the NCSC receive our periodic threat reports.
Step 2 - Select an important service or clearly defined process to start.
It is tempting to include every dependency within the entire organisation, as it may not seem effective to tackle only part of your primary process. Be aware of the scope creep this can lead to, however, because you could lose control of your approach very quickly this way. Should you run into important vulnerabilities along the way but decide to exclude them from your first round, record these vulnerabilities in a register so you don’t forget or overlook them later.
Your first round will not immediately result in organisation-wide resilience but will help you gain experience. You will then expand your scope in the next round. Your effectiveness will grow with each round and your overall resilience will improve every time. It is better to have a narrow scope that you can control than too wide a scope that is unmanageable.
Who should you engage, why and when?
An ISMS stands or falls with the engagement of, and collaboration between, different roles within the organisation. Information security is important to the entire organisation, but not everyone needs to be involved at the same time. How you tackle it depends on the scope you defined as well as your organisation’s specific properties. Below, you will find a list of the people you will have to engage in most cases, when you need to do so, and how you get and keep them on board.
Management board or team – for mandate, resources and support from the outset
Engage with the management board from the start. Make sure you have enough time in your schedule and explain what an ISMS is and why you need it. Use arguments that are clearly in line with the interests of your board member(s), for instance by emphasising business continuity, compliance and perhaps personal liability on the part of directors under the Cybersecurity Act. Ask for a formal assignment and the appointment of a person with resources and mandate, such as a security professional. You should also make sure that one specific board member is the customer, principal or sponsor of the ISMS.
Relevant process owners – for process knowledge and ownership from the outset
Engage with the team leaders or department managers responsible for the business processes (in scope) as process owners. You need both the insights (what information is vital to the process) and the engagement (collaboration within the relevant department) of process owners. An ISMS gives a process owner more certainty with regard to process continuity and enables them to demonstrate responsibility, reliability and work agreements. If this role is not (yet) allocated within the organisation, call upon the colleagues who are most familiar with the procedure in question.
IT responsibilities – for translation into concrete steps
Engage the IT managers who have insight into the infrastructure, networks and systems, as well as the existing security measures. An ISMS offers IT managers (or departments) clarity on responsibilities and presents an opportunity to improve alignment with the business. The organisation’s objectives and the business processes required to achieve them must always be the starting point. Encourage IT to participate on the basis of what is necessary for the business processes and not just what is technically (un)feasible.
Security and privacy officers – for knowledge, experience and integration of the existing structure
Of course you will also engage with the colleagues who focus on security and privacy in your organisation. They know what analyses and policies relating to information security already exist and are familiar with the relevant laws and regulations. The ISMS project should use this and line up with what has already been done. These officers are likely to welcome an ISMS, as it creates more support within the organisation for their recommendations. On the other hand, they often have their own ideas about priorities in information security. Make sure that the business processes always remain central to the process.
In addition to engaging with the aforementioned roles, think about the following points:
- Talk to informal influencers within your organisation. Who is influential without a formal role? If these colleagues advocate your ISMS ambitions, this may create extra support.
- Will an external consultant be of use? Someone with a lot of experience may help improve structure or verify your plans. Ensure that there is a clear owner and customer within the organisation.
- Invest most of your energy in stakeholders with a positive attitude. This is where you will get results most easily. Success motivates those who object or lag behind to start moving.
- Think and talk in terms of the interests of the specific stakeholders you need to be on your side. Keep emphasising these interests.
- Ensure that people know what is expected of them and why. Using a responsibility or governance model can help.
How do we gain insight into existing measures?
You do not have to build your ISMS from scratch. Most organisations have already implemented security measures even if they have not been formally defined. It is important to start by mapping what is already in place before making new plans.
Start by mapping existing measures, and talk to colleagues in different departments and at different levels. Ask what they do to protect information, what issues they encounter and what arrangements have been made. Record their answers, preferably with a link to concrete processes or systems.
You can also turn to the following resources to complete your overview:
- Self-assessments or security scans you did in the past.
- Requirements defined in policy documents and procedures.
- Lists of technical measures.
- Policy documents or work agreements on passwords or bring your own device (BYOD).
- Vendor agreements: do they include security requirements?
To achieve an overview, you can also organise the measures by theme: physical security, network security, access control, logging, awareness, backup, recovery procedures, etc.
Please note: This step does not aim to achieve a perfect or all-encompassing overview; it is purely about gaining insight into what is available and what may be missing. This will be your starting point for further improvement.
In conclusion
The answers to the questions in this document will give you a good idea of how your organisation is doing. You can now take your first steps in introducing an ISMS. Do not linger too long on the questions that are difficult to answer; just get started. Some things you will learn along the way.
Start small, with a limited scope and achievable objectives. Engage your colleagues, ensure support from the management and a clear coordinator. Use what is already available, learn from mistakes and make adjustments where necessary. You do not have to do it all by yourself: there are many good examples and tools that can help you.
So an ISMS is not an end in itself but a tool to organise information security in a process-based and controllable manner. By working on security in a deliberate and structured way, you will reduce risks, prevent incidents, and demonstrate that you are in control.
This publication was created with contributions from
This publication was created as part of a partnership between the Digital Trust Center (DTC) and National Cyber Security Centre (NCSC), with contributions from the Netherlands Tax Administration, Stichting Philadelphia Zorg, Pinewood, and Rotterdam The Hague Airport.