It is certainly true that most of those involved in the creation of IT standards are from large organisations. It is also true – as Steve Burrows says – that it can be challenging for an SME to implement a standard such as the ISMS standard, ISO/IEC 27001, for information security management.
However, all standards are explicitly designed for organisations of all sizes. ISO/IEC 27001, for instance, is clear that its requirements should be implemented in a way that is appropriate for the organisation; certainly the selection of controls will be driven by a risk assessment and, if the management of an SME has a high appetite for risk, it won’t find itself selecting many controls.
The reality is that all organisations are subject to similar types of risks; an impact (like the loss of a server for a week) that could severely disrupt an SME might not even bother a larger, multinational organisation. Organisations need to select and implement controls that will protect them from impacts they wish to avoid – and the management system they put in place will be very similar to that put in place by a much larger organisation to manage much larger impacts.
The issue isn’t really the IT standards; the real issue is the resources that SMEs have available to tackle them. Few SMEs will have the capability to plan and carry out an appropriate implementation of something like an ISMS. That, of course, is why we developed our FastTrack ISO27001 Implementation Service for organisations that have 19 employees or fewer, and why our classic consultancy service (with its 100% guarantee) is helping more and more SMEs implement appropriately scaled information security management systems that enable them to cost-effectively meet customer compliance requirements and to challenge larger competitors in their space.