- Category: News and Highlights
A number of KIPPRA staff went through a four-day training programme on Information Security Management Systems (ISMS) in an effort to streamline the institute's security management and bring it into compliance with the ISO/IEC 27001 standard.
The rigorous training, which took place at the Utalii Hotel in Nairobi on 6-9 June 2016, entailed a detailed analysis and discussion of the specific steps an organization has to take before it can be ISO/IEC 27001 certified. Information security was defined as preserving the Confidentiality, Integrity and Availability (CIA) of information. Every step taken and every security control applied, therefore, serves to ensure the CIA of information.
Before delving into the steps, the facilitators took time to explain the importance of information security management and the potential risks an organization could face as a result of not securing its information. These risks include loss of business, damage to reputation and loss of integrity.
The main steps in establishing a suitable ISMS are:
- defining the scope of the organization;
- formulating a security policy statement;
- defining the risk assessment process;
- identifying the potential information risks facing the organization, including assessing vulnerabilities, threats and their impacts;
- analyzing and evaluating the risks;
- identifying and evaluating options for the treatment of risks;
- selecting control objectives and controls for the treatment of risks;
- obtaining management authorization to implement and operate the ISMS;
- preparing a statement of applicability;
- formulating and implementing the risk treatment plan;
- identifying the support the ISMS requires;
- determining the schedule for performance evaluation and monitoring;
- identifying non-conformities and the necessary corrective actions, and ensuring continual improvement.
Each of the above steps involved detailed discussions and practical group assignments and applications. The group discussions also covered the identification of various threats and risks, as well as the suitable controls that could be applied. In the discussions, each step was tailored to KIPPRA's nature of work, which is mainly the collection of objective data, its analysis, and the provision of policy advice to the government and other stakeholders.
The need to include all staff, as well as service providers such as consultants, in KIPPRA's information security management was emphasized, since those who are not involved may become the weakest link and a potential loophole in the ISMS.