Table of Contents
- Summary
- Case Study Background
- A Workshop-led Approach
- Business Impact
- Retrospective
- About GigaOm
- Copyright
1. Summary
Many organizations must address the information security demands of their clients in addition to those of government regulators. Losing bids for financial contracts because of a weak security posture can have devastating consequences, and it compounds the risks that follow a breach: penalties for non-compliance, harm to brand reputation, and economic damage from liability litigation.
In this business technology impact report, we review a leading organization’s effort to determine which regulatory framework to adopt and how to map it to business results. We refer to this company by a fictional name, Fides Ltd. Fides had started an internal certification initiative but was getting caught up in details and in overly burdensome policy and procedure documentation. Only after a series of consultations and two workshops with a third party did the organization understand the positive, real-world benefits that a pragmatic security program could bring, not just internally but also to client-deliverable work and to bottom-line profits.
Key outcomes from the workshop and consultancy work were:
- Internal efforts at accomplishing information security certification can potentially hinder business efforts if not launched correctly.
- Security initiatives require senior-level support to succeed.
- Understanding the culture, goals, and values of an organization is equally important to an information security initiative’s success: it secures senior-level support and understanding, ensures sufficient funding, and aligns the security initiatives with the business.
- Assigning clear metrics to the broader information security program ensures implementation will be effective and successful.
- Senior management must clearly understand how information security risks are measured and treated, so that they understand the principles under which the certification program operates.
As a result, Fides was able to implement the ANSI ISO 27001:2013 standard across the organization. In this report, we look at the steps involved and the key lessons learned about how to select and adopt a security standards framework.