Security experts say and statistics confirm that:
- information technology security administrators should expect to devote approximately one-third of their time addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness;
- security depends on people more than on technology;
- employees are a far greater threat to information security than outsiders;
- security is like a chain: it is only as strong as its weakest link;
- the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;
- security is not a status or a snapshot but a running process.
These facts inevitably lead to the conclusion that:
Security administration is a management and NOT a purely technical issue
Therefore the establishment, maintenance and continuous update of an ISMS (Information Security Management System) provide a strong indication that a company is using a systematic approach to the identification, assessment and management of information security risks. Furthermore, such a company will be capable of successfully addressing information confidentiality, integrity and availability requirements, which in turn have implications for:
- business continuity;
- minimization of damages and losses;
- competitive edge;
- profitability and cash-flow;
- respected organization image;
- legal compliance.