Answer: Regardless of the industry, the first step is to obtain management support for information security initiatives, because without this you won't have the minimal resources and engagement to implement the required controls. Second, you have to establish a systematic approach for the implementation, because you have to coordinate several people to perform dozens of activities, and without a methodology you will end up in a huge mess with no security at all. Finally, the start of your journey has to define what you will protect and what you will not, i.e. the information security scope, so you can focus on what really matters.
2. Once the initial Risk Assessment is done, what approach would you recommend to continue?
Answer: Once the Risk Assessment is done, and you have your relevant risks prioritized, you have to define how the risks are to be treated. The most common alternatives are to mitigate the risk, transfer the risk, avoid the risk, or accept the risk. After the risk treatment definition you have to define which security controls you have to implement (e.g., backup to mitigate a data loss risk, outsource processes for which you do not have the proper expertise to run them, stop a process or activity to avoid a risk, or simply do nothing and accept the impacts of the risk in case it occurs). The treatment selection will depend on your available resources, time to implement and tolerance to risk.
3. Which key documents do you suggest a company should publish in the initial stages of the InfoSec process? One of the challenges that I have is writing procedures/policies. It might sound ridiculous, but coming from a technical background, I always had issues with the legalese writing and putting process things in writing. I often requested to purchase the template kit from Advisera, but never got around to having an approval for funding. Instead I have to scrape around various models and try to make use of the many university templates around the web. But the fact that the processes are vastly different from my situation remains a challenge.
Answer: Not considering ISO 27001, the minimal documents and records you should consider to start an information security process would be:
- Scope of the information security
- Information security policy and objectives
- Risk assessment and risk treatment methodology
- Risk treatment plan
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Acceptable use of assets
- Access control policy
- Incident management procedure
- Monitoring and measurement results
- Results of corrective actions
With these you can ensure a PDCA cycle is established and that the minimal (really minimal) information security process is in place and will be kept relevant to the business. I didn't mention other policies and controls because this will depend on the results of the risk assessment.
Regarding document elaboration, trying to put together a document from pieces of other documents is in fact not a good approach for at least two reasons:
- If you do not have the proper information security expertise, some gaps will probably be left in your documentation, compromising your security efforts.
- Creating such documents takes time, and even if you are not paying for them directly, the working hours involved in this activity will probably cost more than buying templates with the general parts already ready for use, leaving you only to include the details of your organization. In our experience, document elaboration takes from 4 to 16h (depending upon their complexity).