The design of information security management systems for small-to-medium size enterprises

Information security management systems (ISMSs) are often regarded as unnecessarily bureaucratic and for small-to-medium size enterprises (SMEs) they can be so bureaucratic that certification to information security management standard ISO 27001 becomes unrealistic. The bureaucracy arises largely as a result of misinterpretation of the standard and results from poor information security management process design and the use of inappropriate language in the risk assessment phase. ISO 27001 mandates the implementation of the following information security management processes: risk assessment, risk treatment, management review, internal audit, training and awareness, and incident management. However, in a SME these processes can be combined in a number of different ways to reduce the bureaucratic overhead and yet still construct an ISO 27001 compliant management system. The bureaucratic burden can be further reduced by tight implementation within the existing business processes. In particular, the bureaucracy of risk assessment can be reduced in two ways: by using linguistic metaphors appropriate for SMEs instead of the specialist language that is traditionally employed for information security risk assessment, and by combining risk assessment with a reflexive management review process. This paper presents a number of models for combining information security management processes and provides a number of case studies to show how these combined information security management processes can be implemented within standard business processes. The paper also offers a taxonomy of linguistic metaphors designed to be used in information security risk assessment in the SME.