How to improve your organisation’s ISMS

In today’s market, every business is connected to a network in some way and is therefore exposed to data breaches. The importance of having an Information Security Management System (ISMS) in place has never been greater.

Data loss or theft can have a devastating effect on an enterprise, not only in terms of the direct cost of replacement or recovery but also in terms of damage to reputation and customer confidence.

Unfortunately, many organisations, particularly small businesses, lack the in-house expertise and time to manage information security systematically. This is where an ISMS, and in turn a cyber security provider, can help.

With the assistance of an ISMS, businesses can take a proactive, rather than reactive, approach to data security. This article will explore some of the ways you can improve your organisation’s security plan.

What is an ISMS?

An ISMS is a formal, comprehensive system of policies, processes and controls for managing an organisation’s information security; ISO/IEC 27001 is the international standard that specifies the requirements for one. It sets out how the organisation identifies its information assets, assesses the risks to them, and protects them from unauthorised access, disclosure, modification or loss.

This is not just an overview. The ISMS is documented in detail and treated as a living system that evolves as the organisation’s risks and security needs change.

For some, this may be a novel concept. Others may have an ISMS in place but are unsure how to go about improving it, having perhaps inherited it from a previous regime.

Both of those problems can be solved by working with an experienced cybersecurity provider that understands the requirements of an ISMS and has a proven track record in delivering successful ISMS implementations.

Cyber governance

Before anything else, it’s important to have a clear understanding of what an ISMS is and how it should be used. This means having a firm grasp of cyber governance: who in the organisation owns the ISMS, who approves its policies and risk decisions, and who monitors whether it is actually being followed.

An ISMS should not be a static document; it should be reviewed and updated regularly. The frequency of review will depend on the organisation’s security needs, but at a minimum, it should be reviewed annually.

Without first determining the leaders that will be responsible for change management, an ISMS is likely to become out-of-date quickly and be of little use in the event of a breach.

A cyber security provider can work with you to help identify the right people for the job and ensure that they are properly trained in using the ISMS. They can also provide templates and other resources to help with the review process.

Ways to improve your ISMS

When you hire an outside firm to help improve or implement an ISMS, they will usually take one of two approaches.


In an outside-in approach, the provider will take an objective view of your organisation’s security posture and work with you to identify weaknesses and potential improvements.

This approach is often used when implementing an ISMS for the first time, as it provides a comprehensive overview of the organisation’s security risks and how they can be mitigated.

Threat and risk assessment

A threat and risk assessment (TRA) is the first step in any security improvement project. It involves identifying the organisation’s assets and data, understanding who might want to target them and what motivates them (the threats), identifying the weaknesses those threats could exploit, and rating each resulting risk by how likely it is and how much harm it would do.

This information is used to prioritise security improvements and allocate resources accordingly.


Here is a common situation that might require an outside-in approach to ISMS.

Your organisation has been the victim of a data breach. Customer data was stolen and your reputation has been damaged as a result. You need to act quickly to contain the damage and prevent it from happening again, but you have no idea where to start.

In this case, you would engage a cybersecurity provider to carry out a TRA alongside the incident investigation. The investigation establishes what data was taken and how the breach occurred; the TRA uses those findings to assess the risk of the same and similar attacks in the future.

The output of the TRA would be a prioritised list of security improvements that need to be made, which the provider can help you to implement.


In an inside-out approach, the provider works with you to create key performance indicators (KPIs) that will be used to measure the effectiveness of your ISMS. These indicators are specific to your organisation and take into account its unique security risks.

This path is often used to improve an existing ISMS, as it provides a structured way to measure progress and identify areas for improvement.

Internal KPIs

The first step in the inside-out approach is to agree on internal KPIs that will be used to measure the effectiveness of your ISMS. These should be specific to your organisation and take into account its unique security risks. Each KPI needs an agreed definition, a data source (for example, the incident register) and a baseline measurement; without these, targets cannot be compared from one period to the next.

Some examples of internal KPIs are:

  • Number of data breaches
  • Number of security incidents
  • Time taken to resolve security incidents
  • Cost of resolving security incidents
  • Impact of security incidents on customers/reputation
  • Number of security controls in place
  • Coverage of security controls
  • Effectiveness of security controls
  • Compliance of employees with security policies
  • Awareness of employees of security risks
  • Training of employees on security risks

Once you have agreed on internal KPIs, the provider will work with you to create a plan for improving your ISMS. This will involve setting targets for each KPI and agreeing on the actions that need to be taken to achieve those targets. Note that simply counting controls says little on its own; pair that figure with the coverage and effectiveness measures so that the KPIs reflect outcomes rather than activity.

Continuous improvement

Importantly, the inside-out approach is not a one-time exercise. It should be seen as an ongoing process of continuous improvement. As your organisation’s security risks change, so too should your internal KPIs and targets.

Regular review of your ISMS will ensure that it remains effective and up-to-date. Cybersecurity providers can play a valuable role in this process, providing expert advice and guidance on best practices.


As an example, let’s say that one of your internal KPIs is the number of data breaches. Your target might be to reduce the number of data breaches by 50% over the next 12 months.

To achieve this, you might put in place new security controls, such as encryption and access control. You would then monitor the number of data breaches over time to see if there has been a reduction.

If you are not seeing the desired results, you can work with your cybersecurity provider to review the situation and identify alternative actions that might be more effective. The process is iterative, meaning that you can continue to refine your ISMS until it meets your organisation’s needs. Bear in mind that breach counts are small numbers and are sensitive to detection: better monitoring can make the count go up before it goes down, so track overall incident volume and time to resolve alongside it.
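As an added illustration of the KPI list above and the “50% fewer breaches in 12 months” target (this is example code written for this article, not code from the original page or from Information Professionals Group), here is a small Python script that computes several of those KPIs from an incident register and checks the target. The register schema, the incident records, the calendar-year windows and the rule that a “data breach” is an incident where data actually left the organisation are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Incident:
    """One row of a hypothetical incident register."""
    incident_id: str
    detected: datetime
    resolved: Optional[datetime]  # None while the incident is still open
    category: str                 # e.g. "breach", "phishing", "malware"
    data_exfiltrated: bool        # True only if data actually left the organisation


def _inc(incident_id: str, detected: datetime, hours_to_resolve: Optional[float],
         category: str, exfiltrated: bool) -> Incident:
    resolved = None if hours_to_resolve is None else detected + timedelta(hours=hours_to_resolve)
    return Incident(incident_id, detected, resolved, category, exfiltrated)


# Constructed sample register for the example; none of these are real incidents.
SAMPLE_INCIDENTS: List[Incident] = [
    _inc("INC-001", datetime(2023, 2, 3, 10), 24, "breach", True),
    _inc("INC-002", datetime(2023, 5, 10, 9), 6, "phishing", False),
    _inc("INC-003", datetime(2023, 6, 15, 14), 48, "breach", True),
    _inc("INC-004", datetime(2023, 9, 1, 8), 12, "breach", True),
    _inc("INC-005", datetime(2023, 11, 20, 16), 72, "breach", True),
    _inc("INC-006", datetime(2024, 2, 14, 11), 8, "breach", True),
    _inc("INC-007", datetime(2024, 4, 2, 13), 4, "malware", False),
    _inc("INC-008", datetime(2024, 7, 19, 9), 30, "breach", True),
    _inc("INC-009", datetime(2024, 12, 20, 17), None, "phishing", False),  # still open
]

Window = Tuple[datetime, datetime]  # [start, end)
YEAR_2023: Window = (datetime(2023, 1, 1), datetime(2024, 1, 1))  # baseline period
YEAR_2024: Window = (datetime(2024, 1, 1), datetime(2025, 1, 1))  # period under review


def _in_window(incident: Incident, window: Window) -> bool:
    return window[0] <= incident.detected < window[1]


def count_incidents(incidents: Iterable[Incident], window: Window) -> int:
    return sum(1 for i in incidents if _in_window(i, window))


def count_breaches(incidents: Iterable[Incident], window: Window) -> int:
    return sum(1 for i in incidents if _in_window(i, window) and i.data_exfiltrated)


def median_time_to_resolve_hours(incidents: Iterable[Incident], window: Window) -> Optional[float]:
    """Median detect-to-resolve time; open incidents are excluded rather than counted as zero."""
    durations = [(i.resolved - i.detected).total_seconds() / 3600
                 for i in incidents if _in_window(i, window) and i.resolved is not None]
    return median(durations) if durations else None


def open_incidents(incidents: Iterable[Incident], as_of: datetime) -> List[str]:
    return [i.incident_id for i in incidents if i.detected < as_of and i.resolved is None]


def breach_reduction(incidents: List[Incident], baseline: Window, current: Window) -> Optional[float]:
    """Fractional reduction in breaches versus the baseline window; None when the baseline is zero."""
    before = count_breaches(incidents, baseline)
    after = count_breaches(incidents, current)
    if before == 0:
        return None  # a 50% reduction of zero is undefined, not "met"
    return (before - after) / before


def kpi_report(incidents: List[Incident], baseline: Window, current: Window,
               target_reduction: float = 0.5) -> dict:
    reduction = breach_reduction(incidents, baseline, current)
    return {
        "baseline_breaches": count_breaches(incidents, baseline),
        "current_breaches": count_breaches(incidents, current),
        "current_incidents": count_incidents(incidents, current),
        "breach_reduction": reduction,
        "target_met": None if reduction is None else reduction >= target_reduction,
        "median_hours_to_resolve": median_time_to_resolve_hours(incidents, current),
        "open_incidents": open_incidents(incidents, current[1]),
    }


def sample_report() -> dict:
    """Run the report over the constructed register with 2023 as baseline and 2024 under review."""
    return kpi_report(SAMPLE_INCIDENTS, YEAR_2023, YEAR_2024)


if __name__ == "__main__":
    for name, value in sample_report().items():
        print(f"{name}: {value}")
```

On the sample register the 2024 period shows two breaches against a 2023 baseline of four, so the 50% target is met, while the median time to resolve falls from 24 to 8 hours. The report deliberately returns `None` rather than “met” when the baseline has no breaches, and it lists open incidents separately instead of folding them into the resolve-time figure, which is exactly the kind of definition detail that needs agreeing before a target is set.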

Benefits of an ISMS

If constructed and maintained properly, an ISMS can bring several benefits to your organisation, including:

  • Reduced risk of data breaches
  • Improved incident response times
  • Reduced costs associated with security incidents
  • Improved customer satisfaction and confidence

By working with a reputable cybersecurity provider, you can be sure that your ISMS is fit for its purpose and will deliver the desired results.

Final thoughts

At Information Professionals Group, we offer comprehensive cyber governance and ISMS assistance, from initial design and planning to ongoing review and improvement. Our team of experts can help you to create an ISMS that is fit for purpose and will stand up to the scrutiny of auditors.

To read more about risk and cybersecurity, check out the various services that the Information Professionals Group offers.
