Bright Stove

Reflecting information risk journey

Is ISMS relevant to SME and Non-Profit Organizations?


I often get asked about the relevance of an Information Security Management System (ISMS), such as ISO/IEC 27001:2005, to small and medium enterprises (SMEs), given that the practice of running an ISMS originated in large organizations that have many more resources to protect and many more resources with which to deal with the problems of securing information. Yesterday, a student extended the question with an interesting twist, asking whether an ISMS is also relevant to non-profit organizations. This seems a good place to share my thinking about the question and its extension.
Based on my experience, the question is not really about the size or nature of the organization, but about whether the organization (1) has a need for information security and (2) has recognized that need. If either is absent, an ISMS will be redundant, regardless of the size of the organization and regardless of whether it is for profit or not for profit.
Most organizations today will agree that they have a need for information security, if only because they use the Internet for their business. The key consideration, however, should be the information that the business has acquired, generated, stored, and so on. If there is no critical information, for example because all of the organization's information is already publicly available, then why be concerned about its security? If the only concern is that the organization stays online and reachable (its presence), then the focus should be on survivability, continuity, and perhaps recoverability, not on information security. In most cases there are elements of all three, information criticality, presence, and trust (since a security breach will diminish public and user confidence), and together they add up to a need for information security.
A need, however, does not necessarily translate into its recognition, let alone into action, because a business always has other priorities that the owner or management consider more important than making sure that nothing bad happens. The size and nature of the business normally have a significant impact on that priority, as does the attention that regulators pay to the particular industry. If there is no law requiring information security practices to be implemented in that industry, the priority is normally lower.
As for the ISMS, the policy, and the related standards, I regard them as a framework of common practices, or a strategy, that provides direction and guidance on what to consider and how to formulate action plans once the (1) need and (2) recognition have been achieved. An ISMS (for example, ISO/IEC 27001) is as applicable to a non-profit organization as to a for-profit one, and as applicable to a small company as to a large multinational. In fact, smaller organizations can use it more effectively, since there is less organizational politics to obstruct such an initiative. The cost of an ISMS is not in the practice of the ISMS itself; there is little cost associated with implementing the management system. External consultants charge a high price today because the extent of the work required is not well known, demand is low, and little expertise exists. The costly part is the implementation of the actual security measures (controls, in the words of ISO/IEC 27001), because that involves buying things and putting them in place. For a small company or a non-profit organization, as for anyone else, an ISMS framework provides a thinking process for working through the information security risks the organization faces and then rationalizing how to treat those risks. Given the size of the organization, the risk assessment is likely to end up with only a small scope of protection required, and therefore, if done right, few security measures will need to be adopted. As such, the cost of security will also be lower. The organization will still be 27001-compliant, since what the standard asks is that the framework be applied in the risk management process, not that a particular amount be spent in the process.
Lastly, and personally, based on what I have experienced working with several non-profit organizations, they are often not poor in terms of financial capacity; if they were poor, they would already be gone. But they have a much higher benchmark and expectation for accountability, since their money does not come from selling goods and services. The challenge they have in most cases is that they do not have the knowledgeable and skilled people to strategize and execute projects that meet their needs as an organization. They have to use the people who come forward, regardless of whether those people have the skills and knowledge to be effective volunteers. If they spend money hiring skilled staff or external consultants, they have to justify it a lot more to remain accountable. These days such spending is becoming even more sensitive, and therefore invites even more scrutiny. As a result, both their need for information security and their recognition of that need will be much harder to come by. It is easy to place the blame on the standards, or on the size and nature of the organization, though. Peter Drucker's book Managing the Non-Profit Organization discusses these challenges and what to do about them from a management perspective, and is a good read for further insight as well.

Written by mengchow

February 18, 2007 at 4:40 am

Posted in Security Standards
