On 28 March, ENCS held the first workshop of the member project on information security management. Brad Prent led the workshop, which brought together members to share experiences and learn about alternative approaches to setting up an effective Information Security Management System (ISMS).
The first workshop focused on the initial phases of establishing an ISMS, namely scoping, planning and building:
The scoping phase determines where to start with the ISMS and what its scope should cover. Drawing on member experiences, the participants tried to identify a common scope that all members could use.
The planning phase concentrates on turning existing controls and policies into an integrated ISMS. The key to a successful ISMS is understanding that security cannot operate in isolation. ISO 27001 controls require the support of processes that are not operated by security teams: HR, Legal, IT, Procurement, service providers and top management all have a key role in the ISMS. The planning phase addresses this difficult topic by spreading ISMS awareness and making the importance of non-security roles to securing the grid understood.
The building phase begins with understanding the risks faced by members and which additional controls are required to bring the risks to the grid within acceptable limits. Risk methodologies, treatment plans and the implementation of the ISMS policy determine the success of the ISMS. The key to an effective ISMS is the correct selection, application and weighting of controls that mitigate risks without affecting the ability to operate critical infrastructure.
The next workshop will be held on 21 and 22 May in Porto. It will focus on the final phase of establishing an ISMS, the Run phase.
For more information about this project and the upcoming second workshop, contact firstname.lastname@example.org