Potentials and opportunities of the management systems ISMS and GRC

Denis Schorr

Denis Schorr is the Managing Director of GORISCON GmbH, an innovation-driven company that supports clients in the areas of information security management, risk management, compliance and data protection. GORISCON also supports its clients in the project-oriented introduction of IT-based management systems. In the following interview, he shares his expertise and points out the potentials and opportunities of two management systems: the ISMS (Information Security Management System) and GRC (Governance, Risk and Compliance).

Information security management system (ISMS): Many companies, especially smaller and medium-sized ones, face the question of how best to approach this topic in the leanest way. In your opinion, what are some good initial steps to take when introducing an ISMS?
Basically, there are two issues. 1. Management needs to support the implementation 100% – an ISMS’s success or failure depends on it. 2. Implementation feasibility – start lean and optimize in steps. In this sense, the focus at the start should be on ensuring a stable ISMS organization (roles, policies, targets), awareness, and internal audits. This will allow the management system to be developed and improved in a targeted manner.

Does it make more sense to start with a software-based tool than with a corresponding advisory service involving “paperwork”?
Software-based implementation certainly simplifies many processes (saving resources) and enables sustainable implementation. Still, it is key to establish the methods, organization, and processes first; otherwise even the best software won’t help.

Governance, risk and compliance (GRC) is focused on the overall risk management, controls, and policies within the company, whereas an ISMS is specifically focused on information security. How do you align both areas?
A strict delineation should always be avoided in modern management systems. Both disciplines (risk management and information security management) should act in harmony so that potentials and opportunities can be consistently captured. In my opinion, a modern ISMS cannot function in risk management without integration.

How can a true competitive advantage result from a GRC approach, given that the effort for implementation and updating shouldn’t be underestimated?
In the context of this transition, reactive, manual processes, which usually require a lot of personnel resources, cannot provide the same level of transparency. A modern organization requires transparent processes in governance, risk management, and compliance. Visibility in risk management and compliance requires the use of, among other technologies, artificial intelligence in order to achieve efficiency, effectiveness, and transparency. Managing business processes thus becomes more agile, and the dynamically influenced factors of risk and compliance allow the company to take corrective action in a more timely manner.

Why is it becoming increasingly necessary to automate an ISMS?
Developments, both technical and economic, are becoming ever more dynamic. Thus, it is critically important that the ISMS is managed in a more targeted and faster way. Threat situations are changing at such breathtaking speed that it is no longer sustainable to tie up time and resources with “unnecessary” effort (endless updating of Excel lists, etc.) and administration. Therefore, it is essential to implement automation and thus make the ISMS a success factor for the company.

What is your perspective on the ISMS topic? How are tools and processes developing?
The speed at which changes are taking place in organizations is breathtaking – not least due to COVID-19. Today’s modern corporate organizations need to closely monitor the interconnections between constantly changing regulations, enforcement actions, and risk-relevant, business-related, and internal changes regarding corporate strategies, processes, employees, transactions, and more. This requires the organization to innovatively expand its policy management approaches to include automated efforts for identifying and minimizing risk. Only through these optimization efforts is it possible to ensure compliance within a dynamic organization and environment. Along with this, policy management needs to be a coordinated, consistent, effective, and efficient process. This provides the basis for achieving the agility needed to keep policies up to date, ensure that target groups are addressed, and keep the visibility of compliance automated.

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.