The complete guide to implementing information security frameworks in a way that works for your organization
As more industries face stricter regulation, establishing information security policies in your company is becoming increasingly important. For years, companies have spent large amounts of resources putting policies in place that demonstrate their business is protected according to ISO standards or NIST frameworks, while new regulations keep arriving from the EU and elsewhere (GDPR, CCPA, PIPL and others). With the growing number of compliance frameworks, organisations are under pressure from customers, contractors and sub-contractors who demand proof of accountability against multiple standards at once, which translates into many hours of work.
Many of the controls listed in these frameworks and standards are identical, since their underlying objectives overlap. For example, when you formalise a policy on how to adequately implement antivirus in an organisation, you are covering a requirement in more than one security framework. Because responsibility for the different frameworks is spread across different people, each managing applicability status in their own Excel spreadsheet, the same questions are often asked of the organisation several times over, with no real overview or value gained.
It can be frustrating to see hours spent with little or limited impact, and it can also feel overwhelming to know where to begin with implementing frameworks, especially where your organisation has had no structured overview before. We’ve created this guide to help you understand the importance and benefits of implementing information security frameworks and provide you with a step-by-step guide to help you get started with them in a manner that will have long-term benefits for your organisation.
Ensuring all stakeholders work within the same data model is vital
The key to saving organisational time on compliance tasks is ensuring all stakeholders work within the same data model. Primarily, the solution used should work for all stakeholders and all frameworks in the same data model, regardless of the blend of legal, financial or IT-security controls that must be covered. Excel spreadsheets are useful for many things, but they are not sufficient to manage the protection of an entire business and its information.
Secondly, organisations need to focus more on how they implement the formalised policies and procedures, including who is responsible for different areas and why, rather than ticking off policy names without realising the true needs and impacts.
Most security standards consist of a long list of policies that need to be designed, implemented and checked for effectiveness. Formalising your policies at the high level these standards operate on is a necessary place to start, because it guides behaviour and provides a solid foundation for your security plans.
However, mapping out your intentions at a high level and against different standards is only the first step. The more important part is to put in place a structure that gives a long-term overview of the actual implementation of security measures and controls, which is where change happens in the organisation.
To take an example, ISO 27001 (Annex A control A.9.1.1 in the 2013 edition) requires you to establish an access control policy, but it says nothing about how your control tasks and the related procedures should be designed. In many organisations the list of control tasks is not kept in a central place, so there is no overview of the policy's status across a large company. This is problematic in several ways: you cannot know whether you are currently taking the right actions in accordance with your plans and all the requirements, and you have no solid way of showing everything you do well.
It is vital to have one central place that lists all frameworks and standards, and maps each of their controls to a central list of the policies and specific controls your organisation has chosen to implement, in one way or another.
The act of mapping these elements out will quickly result in a complex spider-web of relations, as implementing just one single control from one security framework can require ten different tasks to be performed on hundreds of systems. Another issue is that many companies do not have a good overview of exactly which frameworks they are currently accountable for. This results in many people working in silos and performing many of the same tasks of ticking off controls in Excel spreadsheets, where tasks could have been completed once and produced a more realistic result if everything was built from a structured and central place.
The following is a step-by-step guide of how to once and for all ensure a solid foundation that provides a structured overview of all frameworks and controls in your company. Through following these steps, you can set up a solid foundation that provides business advantages, saves time, and ensures compliant and correct action.
Step 1 – Acquire a mature GRC tool, if you do not already have one
It is not realistic to manage a Governance, Risk and Compliance (GRC) system in Excel: the relations between frameworks, controls, systems and owners are simply too many and too complex for a flat, one-dimensional spreadsheet to be a suitable tool.
The most important thing to look for in a GRC tool is that the same underlying data model can be shared between all stakeholders: business operation managers and personnel, IT system owners, IT security officers, legal counsels, contract managers, and so on.
If you’re looking to invest in a system, be sure to choose one that avoids silos, so you can realise your strategy of building an integrated organisation where all entities work towards common GRC goals. You should also choose a system that is framework agnostic, so that your organisational core (your business processes, systems, contracts, etc.) is at the centre of the solution. As a result, whatever new regulation or framework comes along, you can simply upload its list of requirements and map them to your existing central lists of processing activities, systems and risks.
Step 2 – List all the regulations and security frameworks that must be complied with by the entire organisation
Listing all the relevant regulations and security frameworks can be easier said than done, since the overview is often fragmented across departments such as procurement, finance and IT security. However, the time spent now pays off later, once you can pull reports automatically instead of compiling them by hand.
Step 3 – Complete the statement of applicability (SoA)
To complete this, the individual responsible for each regulation or framework goes through every requirement or control and documents whether it applies, and therefore whether it must be implemented. A requirement may be excluded, for instance, because other controls that address the same risk are already in place; the compliance office should record that justification every time, so that it can be included in audit reports later.
Step 4 – List all the generic controls in one central repository
It is crucial to have one single list of controls and security measures that is shared by all stakeholders in the organisation’s GRC management system. Where legal counsel keeps one list of controls to minimise data breaches related to privacy risks, and information security officers keep another list of almost the same controls to minimise other kinds of data breaches, duplicates are created that make little sense and waste time.
Make sure you define the overall purpose of each control in an overall policy and, if necessary, describe in detail the underlying procedures relating to how the controls should be implemented in practice. It’s also important to define in detail the criteria for passing and failing the control or security measure.
Step 5 – Map out generic controls to controls in security frameworks
One control or security measure can be listed as best practice in multiple frameworks. An antivirus (anti-malware) control, for example, is required or expected under ISO 27001, ISO 27701, ISAE 3000 assurance engagements and others. In the long run it pays to keep a central overview of which framework controls you cover by implementing each of your own generic controls.
Step 6 – Implement your controls and security measures
Now you can start implementing your controls in your GRC tool. It should be possible for you to relate your control tasks to specific processes, activities, systems or contracts/third parties depending on which type of control it is, which regulation is relevant, the framework it covers and the risk scenarios or threats that the control is put in place to mitigate.
It is very important to have mapped out all the recipients of each control task, and to have considered whether the person asked to perform the task is the one who is formally accountable or responsible for the given activity or system.
If your GRC tool links your list of generic controls to the mapped-out owners in the organisation, it becomes straightforward to create both narrow and broad projects, which may recur on your annual compliance calendar. The most important thing is that one GRC lead has the full overview of progress.
Step 7 – Extract reports and monitor progress of the implementation phase
Once the control tasks have been created, you should be able to track and follow the progress in a visual dashboard. Since many recipients and many different processes, activities, systems and contracts may be in play at the same time, it is very effective to have one place to follow all projects that are active or have been finalised during the year.
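The data model that Steps 3 to 7 describe (framework requirements, a statement of applicability with recorded justifications, one central list of generic controls mapped many-to-many onto those requirements, and control tasks performed by named owners against systems or contracts) is small enough to sketch in code. The following is an added illustration written for this page, not Complyon’s software or any vendor’s data model. The ISO 27001:2013 Annex A references are real control numbers; the customer contract, systems, owners and task results are constructed sample data, and the status names (passed, failing, untested, unmapped, undecided, excluded) are an assumption about what a useful dashboard would distinguish.

```python
"""Toy framework-agnostic GRC data set: one central list of generic controls,
framework requirements mapped onto them, an SoA with justifications, and
control tasks with owners. Added example; all sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Key = Tuple[str, str]  # (framework, requirement reference)


@dataclass(frozen=True)
class Requirement:
    framework: str
    ref: str
    title: str


@dataclass(frozen=True)
class GenericControl:
    control_id: str
    purpose: str          # the overall policy statement for the control
    pass_criteria: str    # what "passed" means when the task is performed
    covers: FrozenSet[Key]  # framework requirements this one control satisfies


@dataclass
class ControlTask:
    control_id: str
    target: str           # system, process or contract the task runs against
    owner: str            # the formally responsible person or team
    passed: Optional[bool] = None  # None: not yet performed


# --- constructed sample data (Step 2, Step 3, Step 4, Step 5, Step 6) ---------
CONTRACT = "Customer contract C-17 (constructed)"
ISO = "ISO 27001:2013"

REQUIREMENTS = [
    Requirement(ISO, "A.9.1.1", "Access control policy"),
    Requirement(ISO, "A.11.2.4", "Equipment maintenance"),
    Requirement(ISO, "A.12.2.1", "Controls against malware"),
    Requirement(ISO, "A.14.2.7", "Outsourced development"),
    Requirement(ISO, "A.18.1.4", "Privacy and protection of PII"),
    Requirement(CONTRACT, "4.2", "Anti-malware on all hosts"),
    Requirement(CONTRACT, "4.5", "Quarterly access reviews"),
]

# Statement of applicability: key -> (applicable?, recorded justification).
# A.18.1.4 is deliberately missing so the report flags it as undecided.
SOA: Dict[Key, Tuple[bool, str]] = {
    (ISO, "A.9.1.1"): (True, "All staff access corporate systems"),
    (ISO, "A.11.2.4"): (True, "On-premise servers exist"),
    (ISO, "A.12.2.1"): (True, "In scope"),
    (ISO, "A.14.2.7"): (False, "No software development is outsourced"),
    (CONTRACT, "4.2"): (True, "Contractual obligation"),
    (CONTRACT, "4.5"): (True, "Contractual obligation"),
}

# One generic control list; AV-01 answers two frameworks' questions at once.
CONTROLS = [
    GenericControl("AC-POL", "Approved access control policy",
                   "Policy approved within the last 12 months",
                   frozenset({(ISO, "A.9.1.1")})),
    GenericControl("AC-REV", "Periodic review of user access rights",
                   "Review completed each quarter with owner sign-off",
                   frozenset({(CONTRACT, "4.5")})),
    GenericControl("AV-01", "Endpoint anti-malware deployed and updated",
                   "Agent present and signatures less than 24 hours old",
                   frozenset({(ISO, "A.12.2.1"), (CONTRACT, "4.2")})),
]

TASKS = [
    ControlTask("AC-POL", "Corporate IT", "CISO", passed=True),
    ControlTask("AV-01", "laptop-fleet", "Endpoint team", passed=True),
    ControlTask("AV-01", "web-prod-01", "Platform team", passed=False),
    ControlTask("AC-REV", "ERP", "Finance system owner"),  # not yet performed
]


def shared_controls(controls: List[GenericControl]) -> Dict[str, List[str]]:
    """Generic controls that satisfy requirements in more than one framework,
    i.e. the questions that only need to be asked of the organisation once."""
    out = {}
    for c in controls:
        frameworks = sorted({fw for fw, _ in c.covers})
        if len(frameworks) > 1:
            out[c.control_id] = frameworks
    return out


def coverage_report(requirements, soa, controls, tasks):
    """Per framework: status of every requirement, derived from the SoA, the
    control mapping and the outcome of the mapped controls' tasks."""
    control_for: Dict[Key, List[str]] = defaultdict(list)
    for c in controls:
        for key in c.covers:
            control_for[key].append(c.control_id)
    tasks_for: Dict[str, List[ControlTask]] = defaultdict(list)
    for t in tasks:
        tasks_for[t.control_id].append(t)

    report = defaultdict(lambda: defaultdict(list))
    for r in requirements:
        key = (r.framework, r.ref)
        if key not in soa:
            report[r.framework]["undecided"].append(r.ref)   # SoA not completed
            continue
        applicable, why = soa[key]
        if not applicable:
            report[r.framework]["excluded"].append((r.ref, why))  # keep the reason
            continue
        results = [t.passed for cid in control_for.get(key, []) for t in tasks_for[cid]]
        if not control_for.get(key):
            status = "unmapped"        # applicable but no control covers it: a gap
        elif not results or None in results:
            status = "untested"        # mapped, but a task is missing or not yet run
        elif all(results):
            status = "passed"
        else:
            status = "failing"         # at least one target failed the pass criteria
        report[r.framework][status].append(r.ref)
    return {fw: dict(statuses) for fw, statuses in report.items()}


if __name__ == "__main__":
    for fw, statuses in coverage_report(REQUIREMENTS, SOA, CONTROLS, TASKS).items():
        print(fw, statuses)
    print("controls shared across frameworks:", shared_controls(CONTROLS))
```

Run as a script, it prints one line per framework. The point to notice is that AV-01 failing on web-prod-01 shows up as a failing requirement under both ISO 27001 and the customer contract without anyone having been asked twice, that the excluded A.14.2.7 carries its justification into the report, and that an applicable requirement with no mapped control (A.11.2.4) or no SoA decision (A.18.1.4) is surfaced as a gap rather than silently counted as covered.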
The steps outlined above should make the process of implementing information security much more straightforward. Although the initial implementation can be time-consuming, having a strong set-up and putting the work in early ensures that your solution will be able to last and easily adapt to new regulations, systems, processes, or anything else which needs to be added. It will also help to break down inter-departmental silos, and ensure that work isn’t unnecessarily duplicated due to a lack of knowledge.
If you’re interested in finding a solution that allows you to implement these frameworks in a user-friendly and intuitive manner, please feel free to reach out to our team who can offer you a free personalised walkthrough of Complyon’s GRC system.