Information Security Management
Information security management is not the primary focus of my consulting practice; that distinction belongs to disaster recovery, where I have developed a distinctive methodology and conducted peer-reviewed research. However, information security is a natural complement to DR work, and I provide professional ISMS implementation and improvement services grounded in formal training, industry certification, and structured project management.
My approach is informed by an MSc in Information Technology Security Management (Distinction) and by the body of knowledge developed for the CISSP certification. I work with organisations to implement Information Security Management Systems using established frameworks: principally ISO/IEC 27001 for management system structure and NIST SP 800-53 for security controls, supported by disciplined project management practices.
This is standard best-practice implementation work, delivered with rigour and attention to organisational fit. It is not, at present, the subject of a novel methodology. However, I have a clear intellectual view on where ISMS design could benefit from the same analytical approach I have applied to disaster recovery, and that observation is worth stating.
An Observation on ISMS Methodology
The layered dependency mapping framework I developed for disaster recovery planning identifies failure cascades across infrastructure, operational, and organisational layers. It works because it makes explicit the connections between technical systems, business processes, and recovery objectives, connections that traditional DR frameworks often treat as implicit or assumed.
The same principle, I believe, would strengthen ISMS design. Information security management could benefit from a layered approach applied across the security control domains defined in ISO 27001 or NIST 800-53, rather than a flat, catalogue-style list of controls to implement: an interconnected structure in which control failures in one domain cascade into vulnerabilities in others.
This perspective would align naturally with kill chain analysis and Zero Trust architecture. Rather than treating security as a perimeter defence problem, a layered ISMS model would map cascading failure pathways across domains, identifying which combinations of control weaknesses enable an attacker to move from reconnaissance through to exfiltration or impact. The result would be a more precise definition of Protect Surfaces and a more defensible allocation of security resources.
I have not yet formalised this work as I have done with the DR methodology. It remains an observation rather than a methodology, and an area I may pursue as part of ongoing research interests. For now, I implement ISMS programmes using the established frameworks, and I do so competently. If you are looking for someone to challenge the adequacy of those frameworks analytically rather than simply apply them, that conversation is worth having, but the methodology to support it does not yet exist.
What Is an Information Security Management System?
An Information Security Management System is a structured approach to managing information security risks through policies, processes, roles, responsibilities, and technical controls. It provides governance, accountability, and continuous improvement, shifting security from reactive problem-solving to proactive risk management.
The most widely recognised ISMS framework is ISO/IEC 27001, which defines a management system standard and a set of security controls organised across fourteen domains, from access control and cryptography to supplier relationships and incident response. ISO 27001 is certifiable, and organisations often pursue certification to demonstrate security due diligence to clients, regulators, or partners.
However, an ISMS is not exclusively an ISO 27001 implementation. It can be built using complementary or alternative frameworks:
- NIST SP 800-53 – a comprehensive security controls catalogue widely used in government and critical infrastructure sectors. NIST 800-53 provides detailed implementation guidance for individual controls, and is often used alongside ISO 27001’s management system structure.
- NIST Cybersecurity Framework (CSF) – a higher-level framework organised around five functions: Identify, Protect, Detect, Respond, and Recover. CSF is particularly useful for executive communication and maturity assessment.
- COBIT 2019 – a governance framework for enterprise IT, with strong alignment to risk management and audit.
- Industry-specific frameworks or national cybersecurity strategies, depending on sector and jurisdiction.
ISO 27001 and NIST 800-53 are complementary. ISO provides the management system structure and the certification pathway; NIST provides granular control specifications. Many mature ISMS implementations use both.
Why Organisations Need an ISMS
Without a structured ISMS, information security management is typically reactive, fragmented, and poorly governed. Controls are implemented in response to incidents or audit findings rather than in line with a coherent risk strategy. Accountability is unclear, and there is no systematic process for measuring control effectiveness or improving security posture over time.
An ISMS addresses these problems by:
- Defining security objectives aligned to business priorities and regulatory obligations
- Establishing governance structures, role definitions, and decision rights
- Creating visibility over risks, control effectiveness, and residual exposure
- Supporting compliance and audit readiness through documented processes and evidence
- Enabling continuous improvement through management review and corrective action processes
For organisations operating in regulated sectors or those seeking to demonstrate security maturity to clients and partners, ISO 27001 certification provides formal third-party assurance. For organisations with different priorities, an ISMS can be implemented without pursuing certification; the value lies in the discipline and structure, not in the certificate.
What I Provide
My ISMS services cover the following areas:
ISMS Design and Implementation
For organisations establishing an ISMS for the first time, I provide structured implementation support from scoping and gap analysis through to policy development, control design, and management review processes. This work is guided by ISO 27001 and NIST 800-53, and is tailored to the organisational context and risk appetite.
ISO 27001 Certification Preparation
For organisations seeking ISO 27001 certification, I provide readiness support, including Statement of Applicability development, internal audit preparation, evidence review, and liaison with certifying bodies. I do not act as the certifying auditor; my role is to ensure the ISMS is audit-ready before formal assessment.
ISMS Improvement and Maturity Assessment
For organisations with an existing ISMS, I provide maturity assessments, gap analyses against ISO or NIST standards, and improvement roadmaps. This includes policy review, control effectiveness assessment, and refinement of the governance structure.
Governance and Metrics Design
Effective ISMS governance requires clear accountability, meaningful metrics, and appropriate escalation pathways. I support organisations in defining KPIs, KRIs, and dashboards for information security reporting, and in establishing management review and exception-handling processes.
Project Management for ISMS Programmes
ISMS implementations are complex, multi-stakeholder projects. I apply structured project management disciplines to ensure clarity, accountability, and delivery. This includes stakeholder engagement, resource planning, milestone tracking, and risk management for the implementation itself.
Working Together
If you are building an ISMS from the ground up, improving what is already in place, or preparing for ISO 27001 certification, I can provide professional implementation support grounded in formal training and industry standards.
If you are interested in the intellectual question of whether ISMS design could benefit from layered dependency analysis and cascading failure mapping, the same approach I have developed for disaster recovery, that is a conversation worth having, but one that must acknowledge that the work has not yet been done.
Contact me to discuss how we can strengthen your information security management and embed disciplined risk management into your operations.