NCA Security & Technology Insights: How Your Information Security Management System is the Foundation for Your Business Assurance

By Network Computing Architects Inc. (NCA)

We understand that your business is reliant on its informational assets. The informational assets of your organization help drive your competitiveness in a rapidly changing market. Keeping these assets secure against changes in regulation, technology, and business practices is critical to any organizations success

Making an ISMS a reality is a multi-phased approach. This is accomplished by a combination of discovery, benchmarking, risk analysis, policies and procedures, technical deployments, continual analysis and ongoing enhancements. This unique methodology is designed to understand your core business processes, technology and people

What is an ISMS?

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. An ISMS encompasses people, processes and technology. Additionally, an ISMS will provide reasonable assurance that the confidentiality, integrity and availability of your information assets are maintained by implementing a combination of administrative and technical controls.

Consider these six phases when implementing and throughout your on-going compliance efforts.

Phase 1: Information Discovery: Asset Identification, Classification and Validation
Securing information begins by understanding your assets. To build a security system it is necessary to understand the assets to be protected as well as the supporting processes and environment. You cannot protect what you do not understand. It is a common mistake to implement solutions before understanding the problem. This can lead to spending resources on project that may not protect your most critical assets.
Focus on: People, Processes, Organizational Culture, Locations

Phase 2: Baseline Security Analysis: Risk Analysis, Treatment Plan, 3-5 year Roadmap
Risk analysis focuses on risks that are most likely to occur with the greatest impact. Risk analysis is a process that balances the operational and economic costs of implementing security controls. This is a critical, but often overlooked, step that can ensure your business is addressing its objective in terms of integrity, availability, and confidentiality. A risk analysis sets an objective roadmap to security.
Focus on: Process, Perimeter, Network, Systems, Physical

Phase 3: Security Foundations: Security Training, Security Policy Standards, Asset Management
Your security solutions must be integrated into your corporate culture to be effective. Policy standards and procedures are fundamental to a successful security management system. They lay the groundwork, provide direction and are the building blocks of your security program. To make sure that the security policy and standards are engrained in your culture, it is essential to provide adequate security.
Focus on: Critical assets, Administrative Controls, Policy Standards, Security Awareness and Training

Phase 4: Risk Treatment: Security Procedures, Technical Controls
Risk should be managed throughout the assets lifecycle. Successful risk treatment combines enforcing the security policy, standards and procedures as well as automation of the administrative and technical controls and technical whenever possible. Automating controls can assist with you policy and procedure enforcement.
Focus on: Technical Controls, Administrative Controls, Processes, Procedures, Automation

Phase 5: Continual Analysis: Test Plans, Gap Workbook, Risk Treatment Plan
Managing information security risks requires ongoing review and analysis. Most companies must now comply with multiple regulatory and compliance requirements. Maintaining your compliancy can be difficult without implementing an ongoing analysis process. Monitoring ensure consistency with management objectives.
Focus on: System Changes, Test Plans, New Requirements, Control, Effectiveness

Phase 6: Security Enhancements: Technical Controls, Controls Automation
Information security must be enhanced to address change and provide improvement. Learning and improving is critical to a successful security program. It is rare that a system is implemented perfect the first time. As a result, it is important to learn and improve. We only progress when we learn from and leverage our past experiences.
Focus on: System Changes, Regulatory Requirements, Emerging Threats, Technical Controls, Administrative Controls

Information Security Management Solution
Through NCA’s Information Security Practice methodology, we can provide your organization with all of the tools necessary to build out your ISMS. We will not only assist in identifying risks to your organization, but we will work with you to develop and information security policy, standards, procedures, and general administrative controls that give you reasonable assurance that your assets are protected. Our technical controls framework allows automation of key controls in ISO 27001, which can simplify your deployment and reduce resources necessary for a comprehensive solution.

View our website at:, Email us at: or call 1.800.604.6536.


Strategic Link is the NWCUA’s wholly-owned service corporation, providing the Association’s member credit unions with exclusive high-quality, competitively-priced products and discounted services. To learn more about how the Association’s partnership with Network Computing Architects, Inc., can benefit your credit union, contact Director of Strategic Partnerships Craig Reed: 206.340.4789,

Posted in CUNA.