Port Hedland Port Authority (PHPA) was seeking to implement a robust Information Security Management System (ISMS) to complement its other management frameworks. In the first instance PHPA needed to secure management support for implementing an appropriate ISMS based on the ISO 27001 standard, with the intent of moving towards certification against that standard.
Management intent was recorded in the subsequent minutes of the Steering Committee, which clearly stated that the ISMS was in agreement with the direction and objectives of management. The minutes included sign-off on the commitment to engage suitable resources and to ensure that all necessary support would be provided for the activity.
The meeting minutes and any associated documents and materials went into the records repository that was set up to manage the documentation and records for the ISMS. (If you already have such a repository for Quality or another management system, you can use that instead; auditors will expect to find this evidence in one place.)
The challenge was to implement an appropriate ISMS which was not burdensome or complicated beyond what was necessary for the business to demonstrate compliance and suitably manage security objectives.
ISO 27001 relies on an organisation having a good understanding of its assets and then applying an effective risk assessment to them to determine which controls are applicable. PHPA had a robust risk framework in place, which was critical in undertaking the risk assessment and developing the Risk Treatment Plan.
We needed to develop a number of documents in the first instance to set the tone and direction for the implementation, these being:
- ISMS Scope
- ISMS Policy
- ISMS Project Plan
Using easy-to-understand templates, work commenced on developing the documentation, keeping in mind that these documents would be used for auditing purposes and should be filled out accurately.
- The Scope needs to identify the extent (physical, virtual and external) of the security management controls that need to be applied to treat the risks that will be identified.
- The Policy is a high-level statement of management intent. It does not need to be lengthy or verbose, but it should ideally be signed off by the Board to demonstrate their support and understanding.
- The Project Plan is something to consider very carefully, as it will form the basis of when actions and activities are to be completed and will drive the workload. It needed to be realistic about what the team could achieve.
An agreement was made to hold a meeting each week, normally 30 to 60 minutes, with a supplied agenda covering actions, risks and issues to be completed; the outputs of each meeting were then added to the records repository (very important for demonstrating ongoing management of the ISMS). Materials were shared via email to facilitate ongoing work without the requirement for onsite consultation. Port Hedland Port Authority subsequently achieved ISO 27001 certification and has a very effective ISMS in place.