Vicky

Implementing an ISMS shows professionalism. It requires proper organisation, encouragement and a mindset, instilled by continuous communication and training, both delivered with a smile, patience and persistence.


How many basic security measures do you follow in your daily life? Locking your front door after leaving home? Assigning a password or drawing odd geometric forms on your mobile phone? The list is likely to be long.

In the corporate world, security often becomes second nature too, but there is a crucial difference: the threats keep evolving, which requires organisations to be proactive and fast-moving in their response.

This is especially true of a platform such as PRISMA’s, which operates within an industry sector that involves the heavy use of sensitive – often digitally stored – information and data.

Whether it’s a sophisticated cyber attack, a phishing attempt, or simply someone entering our building with the intention of stealing information, the potential consequences are stark: quite simply, a single security breach of our IT system or database could have an extremely wide impact.

This is why we have been working only with certified service providers.


It’s also why we’ve committed to making the security of PRISMA and its staff a key priority by pursuing ISO 27001 certification – the latest international standard that provides a holistic framework for protecting all forms of information. This will include building our own dedicated Information Security Management System (ISMS), which we believe is necessary for the evolution of the company as it forges a path towards even greater transparency, reliability and professionalism.

Of course, some may argue that transparency is incompatible with security – but we see it differently. For us, central to achieving transparency within an organisation is ensuring every member of staff has a clear, undiluted picture of how they are expected to go about their daily work, including being fully trained on how to protect themselves against security risks.

And this is why, over the coming months and years, we are putting the PRISMA team at the heart of our security efforts.

Because to reach our destination, we need everyone on board.

The Benefits

So what will be the tangible benefits of building and implementing an ISMS? We expect them to be multifold:

Enhanced protection against cyber attacks

Implementing and maintaining an ISMS will further strengthen PRISMA’s resilience to cyber attacks, hacks, data leaks and theft.

Reduced costs

Thanks to the targeted risk assessment and analysis approach of an ISMS, PRISMA will be able to focus on targeted and effective measures and avoid spending on defence technology that does not help alleviate the identified risks.

Increased confidentiality

An ISMS offers a set of policies, procedures, and technical and physical controls that will allow PRISMA to enhance the protection of its information.

Improved company culture

The holistic approach of an ISMS means it covers the whole organisation, not just IT, encompassing people, processes and technology, and enabling employees to understand risks and embrace security controls as part of their everyday working practices.

More responsive to evolving threats

By providing the framework for adapting swiftly to changes both in the environment and inside the organisation, as well as for the routine assessment and tracking of risks, an ISMS will help PRISMA evolve along with the threats that it faces.

The Roadmap

Our aim is to achieve ISO 27001 certification during 2020. In keeping with our Agile working methods, teamwork and co-operation will be vital to our meeting this goal. With this in mind, we set up a team to work alongside our Information Security Officer to help ensure the ISMS is tailored to the security challenges specific to the company. We’re also embarking on a detailed multi-step process:

Set up a process

Far from a one-off project, the ISMS is a long-term and continually evolving process that should be aligned with PRISMA’s broader business strategy and objectives. Our first port of call has been to create an interdisciplinary team to manage its ongoing implementation. To do so, we’ve identified select members of the PRISMA team with the collective expertise and experience to build a consensus around the security requirements and initiatives that we want to apply. In short, we believe the success of this process relies on the strong involvement and commitment of our Managing Director and Executive management team, together with all teams working within PRISMA.

Identify gaps in our security system

One of the first things we’ve done is perform a risk assessment and gap analysis to identify where we’re most vulnerable to security breaches. Guided by an external advisor, we’ve ventured one step beyond the remit of an ISMS or the GDPR and delved into how we can achieve maximum security across our people, information, offices, servers and processes. After all, the threats don’t necessarily need to be the work of a criminal mastermind. On the contrary, they can often be highly unsophisticated in nature.

Identify affected teams

While an ISMS is typically limited in scope, it will inevitably have an impact on the entire organisation. At PRISMA, our intention is to focus the scope on the operational side of our platform. As a result, we expect our Application Management and Software Development teams to undergo an adaptation process in order to fully comply with the ISMS policies, which are specifically tailored to the needs of PRISMA.

Make a plan

This step is a week-by-week process and will be heavily informed by the results of the in-depth risk assessment. Under the ISO 27001 certification rules, there are 114 measures, each of which must be reviewed and a decision made as to whether or not it is applicable to your organisation – and any that are applicable must then be implemented in order to gain the certification. As we make our way through the risk assessment process, we’ll begin to formulate how and when these measures will be reviewed and applied.

Build cultural awareness

The ISMS is a company process that can only succeed if everyone contributes to it. A major challenge for us will be to ensure that all personnel at PRISMA are fully up to speed with the new working processes and expectations that follow once we’ve introduced our ISMS. This will not only require laying out the tangible changes that they must adhere to, but also helping create a fresh culture within the organisation so that the new working practices eventually become second nature. This will take time, but we know it’s achievable.


The Foundations of our Future

We firmly believe that the measures we intend to take will provide the foundational basis for PRISMA to remain at the vanguard of the European gas market. In an industry that relies on co-operation between entities, and a strong degree of trust between users and platforms, we feel a strong professional and ethical obligation to our community to stay ahead of the game when it comes to security.

It will, we are certain, be a worthwhile endeavour for ensuring that PRISMA continues to thrive in a secure environment for its users, its staff, the wider gas community, and all of our European colleagues and friends.

Author

Vicky Sorge

Information Security Officer