JustProtect Cybersecurity Blog

    Why a company like yours doesn't need a fully formalized ISMS.

    Jul 7, 2021 1:21:01 PM / by Bryan "SOC" Urias

    An Information Security Management System (ISMS) is simply a framework for information security practices within your organization. You may immediately jump to think about a full set of policies and procedures, several stacks of network appliances, certifications, and an endless number of hoops to jump through.

    The good news is that you don’t have to start there, the most important step is not the first step or the last step. It’s the next step. You can simply begin using risk-based strategies to build your ISMS one layer at a time.
    Whether you’re just starting your company, or you’ve been in business for a few years you can start lean and work on your ISMS with stage appropriate controls. Often, companies feel as though they need to start with a solution rather than a problem.

    A fully formalized ISMS takes a lot of time, money, and effort to develop. In contrast, you can begin working on a stage-appropriate ISMS with our platform. Stage appropriateness is especially important as it makes long-term growth more sustainable and allows a company to focus on things like an ISMS and continued improvement.

    To help you understand and clarify the data collected, we at JustProtect provide instant dashboards and analytics once the assessment is complete. Dashboards allow you, the risk assessor, to have an immediate clear picture of the risk landscape. By building your ISMS at an appropriate pace, you prevent the company from over-committing to controls that you might not be able to uphold or monitor.

    If not considered, you may be placing your organization in a position where you cannot deliver on the promised controls, leading to an unintentional increase in operational and compliance risk. We help companies assess their current controls to understand their security posture through industry frameworks and regulations.

    A common misconception with smaller companies that attempt large certifications and reports like ISO 27001, HITRUST, and SOC 2 is that the certifications are complex and tedious. These certifications and reports are structured to cover certain sets of controls that may achieve a specific goal. The organizations that work through the requirements must understand that a 1,500-person organization strives to check the same boxes as a 15-person organization. The 1,500-person organization may already have 90% of the required controls in place as it has grown and matured, whereas the 15-person organization trying to get the same certification may only have 20% of the controls in place.

    With our platform, you can begin assessing your third parties to understand the risk in your supply chain, your own company, and any sub-units to understand internal risk. Send the assessment and receive the answers directly once the recipient is done. We simplify and accelerate the process of assessing so that you do not have to worry about the logistics.

    Leave us a comment or reach out to us if you want to take the first step in understanding your management systems. If you liked what you read here, follow our blog for other practical content. 

    Tags: cybersecurity, Strategy, dashboards, Security


    Written by Bryan "SOC" Urias