Information Security Management System – Supporting Business and Compliance

An Information Security Management System (ISMS) takes a systematic approach to securing the confidentiality, integrity and availability of corporate information assets. Information security is achieved by implementing a system of appropriate management controls consisting of principles, rules, processes, procedures, organizational structures, as well as software and hardware functions. 

In this blog post, we will explore what ISMS means in practice, how to build an effective information security management system, and why it is critical in modern business. 

Granite has been an ISO 27001-certified company since 2021. Our own product, the Granite tools, has played a major role in ensuring the compliance of Granite's own operations.

Compliance as a Driving Force

Before becoming ISO 27001 certified, Granite conducted client-specific audits to verify compliance with information security requirements, as well as external audits of the technical product. Granite's customer base has long included government and public sector entities, and as a service provider, Granite has had to demonstrate a certain level of information security. The audits were primarily conducted according to the Katakri criteria, and the feedback from these audits eventually led to an internal discussion at Granite on whether compliance verification could be streamlined. Granite was already close to meeting the requirements of the ISO 27001 standard, and certification would provide a reliable and consistent framework for publicly demonstrating compliance with information security requirements. Additionally, ISO 27001 certification would reduce the internal work and the need for client involvement in separate audits, while so-called point audits could still be used to assess smaller areas potentially outside the standard's criteria.

The initial ISO 27001 audit was undertaken with the goal of identifying any shortcomings and areas for improvement, without making major prior changes to existing information security practices. To our pleasant surprise, the initial audit revealed no major non-conformities, and the 2023 annual audit revealed no minor non-conformities either. This indicated that the foundation was already strong. The areas for improvement identified in the initial audit were addressed over the following few years, alongside self-identified improvements that went beyond the basic maintenance required under the new certification. The latest audit, a re-certification audit, was completed in July 2024 using the updated 2022 criteria.

Why Implement a Robust ISMS?

At Granite, information security management is driven by the ISO 27001 standard, but even if a company is not ISO-certified, the importance of a high level of information security as a foundation for business operations cannot be overstated. Various information security breaches and data leaks, including those affecting companies and municipal entities, have shown that systematic documentation and implementation of information security practices provide a stronger basis against potential threats. Systematic management of security documentation, regular employee training, clear operating procedures, and comprehensive continuity plans, along with pre-identified risks and control measures, also aid in recovering from potential disruptions.

Granite's Toolbox as a Management System

Internal reporting and management of information security incidents, as well as identification of security risks, have been carried out using Granite's own tools for some time. In recent years, our toolset has expanded with new compliance tools, and internal tools are currently in place for managing audits, continuity, and vulnerabilities, as well as dedicated tools for ISO 27001 requirements and controls and for NIS2 Directive requirements. Documentation management tools have also become an important part of the ISMS, allowing centralized storage of ISMS-related documents together with their approvals and updates. Only documentation specifically related to the technical product or infrastructure, and not directly connected to information security, is maintained outside of Granite's tools.

Since the certification, it has become increasingly clear at Granite that maintaining a comprehensive ISMS would be nearly impossible using only Excel files. One major benefit of certification is simply the insight gained into what the standard requires for maintaining a comprehensive information security management system. This hands-on experience also helps Granite take various compliance details into account in product development.

Which Tools Could Benefit Your Organization’s ISMS?