Common Myths About Information Security Systems
Information security management systems (ISMS) such as ISO 27001 are well known within the IT community. However, even though the standard itself is well known, many things about it are still misunderstood. Here are some of the more common misconceptions about the system used to protect your information and the information of your company.
Many people believe the standard requires things that it does not in fact require. An example of this is changing passwords. People say over and over that the system requires you to change your passwords every three months. This is almost always not the case. It is certainly a good idea to change your passwords, and it is considered an industry-wide "best practice", but it is rarely required by the information security system itself. Typically the people who repeat this claim are going by what someone told them; they have very rarely read the actual text of the standard. Another common misconception about information security systems is that they involve only the IT department. This is a favorite of business unit managers, usually because they do not want to deal with information security themselves. The fact is that while information security does involve IT issues, it also deals with human resource management and various organizational issues.
When companies talk about starting to implement a new information security system, they sometimes believe that the entire process will be completed in just a few months. This is a huge underestimation of what needs to happen. You cannot jump into an information security system that quickly, or you will end up with a pile of policies and procedures that do not make much sense. You have to review all of the anticipated changes and decide whether each one really makes sense to implement. A risk assessment needs to be conducted before anything is implemented, and this is not something that can be done quickly.
It is important to focus on documentation when implementing an information security system, but many people believe that the documentation process is the biggest part of the system. This is not the case. The focus of the information security system is to make sure that you conduct your work activities in a way that secures your information. The documentation is only there to help make sure you do so.
The most common misunderstanding about information security systems is that their main purpose is simply to be able to say that you have one. An ISMS does allow companies to make the legitimate claim that they have a system in place to safeguard all of their information. In fact, it has been stated that almost 80% of companies think this way. However, if companies took their information security more seriously, things like WikiLeaks would not happen. The fact is that if your information security program works, you may never know it. If it fails, the whole world will know. It makes sense to take this seriously.
Author Bio: Ellie Lewis recently searched the term ISO 27001 online while conducting research for an article. She searched the term ISMS online to learn more about it.