Why an ISMS holds the key to being in control of data protection

John Powell

Principal Security Consultant


With recent high profile data leaks highlighting how businesses hold huge banks of customer data, it’s imperative that all businesses can identify the level of protection required to keep customer data safe.

In our ‘State of Cloud, Edge, and Security in Australia 2022-23’ report, we surveyed executive decision-makers at mid and large-sized Australian companies and Government agencies. We found that while leading Australian organisations have, or are building, a well-articulated cloud strategy, cloud security remains a chief constraint to more rapid migration. Only 42% of respondents considered their organisations ‘well prepared’ for the cloud migration journey.

This is where an Information Security Management System, or ISMS, comes into play as an increasingly important tool to securely manage data of all types.

Delivering power and control

Cloud and IoT cyberattacks, phishing, software vulnerabilities, and securing remote access to the corporate network are just a few of the things keeping IT managers up at night.

An ISMS can help alleviate these challenges. Not only is it required to secure information and increase resilience to cyberattacks, but it can also reduce associated costs, help meet compliance obligations and ensure consistent accessibility for credentialled people.

A comprehensive ISMS strategy gives organisations the power to take back control of their network and structure it in a way that works for them, freeing them up from obsessing over security, whilst still retaining close monitoring capabilities.

Furthermore, an ISMS will also support in identifying and listing risks, then applying controls to mitigate them. The effectiveness of those controls can be continuously monitored and reported upon, with any required actions flagged for attention.

Meeting compliance obligations can be particularly challenging for smaller, less well-resourced businesses. An ISMS also helps you to deal with risks appropriately.

Setting a baseline for security

Setting a baseline for good security involves more than just cyber security. It also encompasses natural disaster preparedness and resilience, supply chain risk management, and resilience against personnel loss.

While the government rightly prioritised critical infrastructure in its Critical Infrastructure legislation, it’s simply a catalyst to force those actions where they are most required. There will be a flow-on to all organisations across all industries, because the management of risk and information security is what all organisations should be doing.

While the government has only mandated the legislation for critical infrastructure, it's also a good benchmark for everyone else.


A legacy position on the importance of an ISMS

For the past 20 years we’ve been recommending our customers implement an ISMS, so it’s encouraging to see information security risk management now covered in the critical infrastructure legislation.

Clearly, the Federal Government understands the importance of maintaining an adequate cyber security program in an all-hazards approach to security. It has mandated that processes or systems must be in place to manage this risk, and minimum cyber security standards will apply, for many Critical Infrastructure organisations, for the first time.

We assist with ISMS development by building a standards-compliant framework for managing cyber security. We do so because it is a difficult undertaking, and one that organisations might shy away from unless they are required to by law, simply because of uncertainty over how to go about it.

Asset discovery, threat assessment, risk assessment, current controls assessment, generation of findings and recommendations, policy development, controls remediation and an audit cycle are all part of our ISMS development package, with every ISMS tailored to each individual business based on its own risk mitigation needs.

Whether outsourced or managed in-house, a good ISMS strategy is also a flexible one, and should be approached with the view of continuous, ongoing evaluation to ensure effectiveness.
