The importance of ISMS in small-to-medium sized companies.

Information Security Management System (ISMS) is increasingly important to small- and medium-sized enterprises (SMEs) because it helps them comply with existing and forthcoming laws and regulations, and insofar as it helps them deal with growingly intense, pervasive and volatile information security risks.

Indeed, professionally-designed Information Security Management Systems (ISMSs) help SMEs avoid repercussions such as reputational damage, unexpected business interruptions, the loss of intellectual property, and breaches in the privacy of their employees or customers. This article reflects these realities, in that it includes a brief introduction on the importance of ISM, both as a mean to managing information security risk and as a tool for IT compliance.

ISMS as a mean to reduce exposure to information security risk

In line with the rule of thumb normally adopted in the field of ISM, information security risk may only materialise when an information security threat exploits an information security vulnerability in a manner that leads to a negative impact on the organisation. This is often represented, perhaps rather simplistically, as Risk (R) = Vulnerability (V) x Threat (T) x Impact (I), meaning that R is proportional to V, I and T, and that R can be nullified along with the zeroing of V, I and/or T. The formula also implies that an organisation may manage information security risk in many different ways, namely by allocating resources for the tweaking of V, I and/or T as may be needed or possible.

For example, a company may manage its exposure to ransomware by reducing its vulnerabilities to malware infections, such as by implementing a new firewall or an anti-malware system, or by training its employees to avoid carefree internet browsing. Or the enterprise may decide to reduce the potential impact of a ransomware situation by developing an adequate business continuity and disaster recovery plan, including by implementing the data backup systems needed to restore illegally encrypted data. Likewise, a company may decide to limit exposure to ransomware and the related impacts, at least in theory, by avoiding certain types of threats, such as by avoiding the implementation of certain technologies, or by limiting its involvement in certain markets.

Given the many approaches that may be adopted to manage information security risk, as well as the many types of threats and vulnerabilities emerging from the increasingly complex technological landscapes—e.g. with the advent of cloud computing, big data, the internet of things (IoT) and artificial intelligence (AI)—a key advantage of professional ISM (including to SMEs) is that it provides a systematic approach to the management of increasingly complex information security risks, which is typically achieved through a professionally designed ISMS, based on such widely-acknowledged and time-tested standards as ISO/IEC 27001/2:2013.

ISMS as a mean to compliance

As indicated in the introduction of this article, while a key benefit of professional ISM is that it provides a systemic approach to the management of information security risk, another is that it enables SMEs to comply with existing and forthcoming laws and regulations. Indeed, in the absence of professional ISM that is based on such widely-recognised standards as ISO/IEC 27001/2:2013 or PCI/DSS, and in the absence of the ISMSs that emerge as a result of professional ISM, SMEs would find it difficult to develop the mechanisms needed to comply in increasingly demanding contexts, such as the pharmaceutical, energy, gaming, financial services and ICT sectors.

  • Pharmaceutical sector. The number of Good Manufacturing Practice (GMP) warning letters that focus on the notion of ‘data integrity’ has increased from two in 2010 to 13 in 2015 [1, p.7], indicating changes, globally, in the inspection trends adopted by authorities like the European Medicines Agency (EMA) and the United States Food and Drug Administration (US FDA). This is in line with the historical evolutions taking place during the past decades relating to computer validation and data integrity. Within this context, while a professionally designed ISMS will not suffice, by itself, to achieve the required data integrity practices, since these span not only to system- but also product-centric operations, a professionally-designed ISMS is widely recognised (e.g. see GAMP 5 [2]) as a cornerstone to the Data Integrity Program (DIP) that will be required—as part of the company’s Quality Management System (QMS)—to ensure that the data supporting the final product satisfies the ALCOA characteristics; i.e. to ensure that the data is Attributable, Legible, Contemporaneous, Original and Accurate.
  • Energy security. In 2015, in the USA alone, the Energy sector—which is increasingly a target for cyberattacks—reported 46 cybersecurity incidents to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). According to research, such reporting covers only a small proportion of the incidents that actually occur [3, p.19].
  • Gaming sector. The success of certain European economic sectors—e.g. the Maltese and British online Gaming industries—depends on the maintenance of, and compliance with, a variety of laws and regulations established by the relevant gaming authorities—e.g. the Malta Gaming Authority (MGA) or the UK Gambling Commission (BGC)—which are expected to continue to prescribe strict information assurance requirements. For example, the BGC imposes information security audits based on a subset of the ISO/IEC 27001:2013 standard [4], and the MGA imposes similar requirements, which are expected to evolve towards those imposed by the BGC.
  • Financial Services sector. The continued success of the European Financial Services sector depends on the continued formation, understanding and operationalisation of complex prescriptive instruments, many of which are designed to ensure data confidentiality, data integrity and/or data availability. Such instruments include, among others, the General Data Protection Regulation (GDPR) (or Directive 2016/679), the Network and Information Security (NIS) Directive (or Directive 2016/1148), the Electronic Money Directive (Directive 2009/110/EC), the Payment Services Directive (Directive 2007/64/EC), and the Guidelines on the security of internet payments issued by the European Banking Authority (EBA) [5].
  • ICT sector. ICT companies and professionals—e.g. software development houses, software engineers, solution architects, data scientists, systems administrators, IT Auditors, IT managers, CIOs, CISOs and IT Consultants—are often responsible to provide services to regulated companies. Hence, they are also required to understand their clients’ risks relating to information-security, as well as the clients’ compliance requirements. Moreover, ICT service providers are exposed to information-security and compliance risks similar to those that apply to organisations operating within the other sectors, although, often even more intensely. For example, cloud service providers, social media providers and consulting firms are especially prone to information-security breaches, because of the vast amounts of data that they handle on a regular basis. Indeed, advances in cloud computing are expected to continue to transfer many information-security risks from traditional IT departments to the increasingly sophisticated cloud service providers, including to clouds designed to cater for very specific requirements, such as those designed specifically for the Pharmaceutical and Financial Services industries.

In the absence of professionally designed ISMSs, SMEs would find it difficult to develop the mechanisms required to comply with increasingly complex legal instruments, such as the NIS Directive and the General Data Protection Regulation (GDPR).

  • The NIS Directive. The NIS Directive, which was adopted by the European Parliament (EP) in 2016, is the first EU-wide law on cybersecurity, and is currently the main legislative instrument under the 2013 EU Cybersecurity Strategy [6]. The effects of this law include, among several others:
    • The proposal of steps to be taken by the operators of critical infrastructures to manage security risks and to report serious cyber incidents to competent authorities;
      • Note: in this context ‘critical infrastructures’ include: energy, transport, banking, financial market, health, drinking-water supply and distribution, and digital infrastructures.
    • The establishment of new policy documents, such as the European Cyber Security Strategy for the Energy Sector [3], which requires the formation of new information security constructs and practices, such as new risk-management techniques to address the challenges emerging in the European Energy sector [7, 8].
  • The GDPR. The GDPR was made by the European Parliament in 2016 and is expected to come into force in 2018. It builds upon and replaces the Data Protection Directive (Directive 95/46/EC), and is widely recognised as a complex legal instrument that establishes more rigorous privacy requirements for EU-based and other organisations, as well as new legal risks and obligations. This legal tool differs from Directive 95/46/EC in several ways, including as follows:
    • Increased territorial scope: it applies to all companies processing the personal data of data subjects residing in the European Union (EU), regardless of the company’s location;
    • Penalties: organizations in breach of GDPR can be fined up to 4% of annual global turnover or EUR 20 Million, whichever is greater;
    • Consent: stronger conditions for consent, steering away from long and complex terms and conditions;
    • Privacy by design: the inclusion of data protection from the onset of the design of systems rather than as an afterthought;
    • Breach notification: companies are obliged to notify customers and controllers within 72 hours of becoming aware of a breach that is likely to result in a risk for the rights and the freedoms of individuals.

Concluding remarks

In today’s commercial environments, SMEs cannot avoid professional information security management. Enterprises, whether these are small, medium or large, are decreasingly likely to avoid the materialisation of information security risk, especially in the absence of adequate technical, organisational and legal controls. They are also decreasingly likely to comply with evermore complex laws and regulations, particularly in the absence of a professional ISMS, as a construct that complements professional IT management. Likewise, while certain types of small organisations are on the rise, these are decreasingly likely to survive in the absence of adequate will (and ability) to achieve and prove compliance with the laws and regulations imposed on the larger companies, especially since the latter are often major clients of the former. In essence, an ISMS is an increasingly viable and inevitable investment that provides the groundwork for the adequate management of information security and legal and regulatory risk.


  • [1]      O. Lopez, Data Integrity in Pharmaceutical and Medical Devices Regulation Operations: Best Practices Guide to Electronic Records Compliance. Florida, US: CRC Press, first ed., 2017.
  • [2]      “Gainfully Occupied Population: September 2016,” News Release, Labour Market Statistics Unit, 040/2017, March 2017.
  • [3]      D. Healey et al, “Cyber Security Strategy for the Energy Sector,” tech. rep., Directorate-General for Internal Policies, Technical Report, IP/A/ITRE/2016-04, October 2016.
  • [4]      “ISO/IEC 27001 Information Technology—Security Techniques—Information security management systems—Requirements,” British Standards Institution, 2013
  • [5]      “Final Guidelines on the Security of Internet Payments,” tech. rep., European Banking Authority, Technical Report, EBA/GL/2014/12_Rev1, December 2014.
  • [6]      “Cyber Security Strategy of the European Union: An Open, Safe and Secure Cyberspace,” tech. rep., High Representative of the European Union for Foreign Affairs and Security Policy, Technical Report, February 2013
  • [7]      B. C. Erdener et al. , “An integrated simulation model for analysing electricity and gas systems,” International Journal of Electrical Power & Energy Systems, vol. 61, no. 10, pp. 410 – 420, 2014.
  • [8]      “Smart grid reference architecture,” tech. rep., CEN-CENELEC-ETSI Smart grid coordination group, Technical Report, November 2012


Authors Bio

Dr Christian J. Bonnici PhD MSc BSc (Hons.) is a consultant specialising in information security management, data governance and process design, as well as an information security researcher whose interests revolve around the notions of consent, privacy, surveillance, Value Sensitive Design and Digital Rights Management. Christian has received his PhD and MSc degrees in Information Security, and a BSc (Hons.) in Computing and Information Systems, from the University of London.


Dr. Graham Hili – PhD MSc BSc (Hons.)  from Royal Holloway University of London, where he specialised in Cloud Software and Massively Distributed Architecture Security. His research interest revolve around Network Security, Software Defined Network Security and Automotive Security. Graham now works as a freelance consultant for different Information Security projects mainly concentrating on Automotive Security with clients based in Europe, USA and Asia.