f. Difficulties in Developing Comprehensive BCP Plans

The BS7799-2:2002 standard requires the organisation to have a single comprehensive Business Continuity Management BCM framework. Many of the organisations did not have such a framework in place and the most common reason being thrown about is the lack of expertise and manpower to develop it properly. We also discovered that some of the organisations that do have a BCM framework in place did not regularly test their BCP plan and this reduces the effectiveness of their BCM setup.

B. Management Shortcomings a. Lack of Documentations

ISMS requires the organisations implementing it to focus a lot of effort in preparing relevant documentations. Every single task involved during the ISMS implementation phase will need to be documented as proof of completion or to be used as reference for the auditors and thus its importance should not be overlooked.

b. Failure to Define Specific Roles and Responsibilities in Information Security

Most of the organizations failed to define specific roles and responsibilities in terms of information security. Usually, the job descriptions only specify general roles and responsibilities. This is critical as only by specifically defining each personnels responsibility in performing their duties to ensure information security, each individual in the organisation will know the exact areas and assets that they need to protect against security breaches.

c. Difficulties in Conducting Regular Management Reviews and Implementing Suggestions

Majority of the participating organisations that we have came across did not conduct regular and continuous management reviews on ISMS and this has contributed to the failure to implement ISMS effectively. As with any other large-scaled projects, ISMS requires regular meetings to be conducted and recorded.

d. Lack of a Comprehensive ISMS Project Plan

Many of the participating organisations have failed to have a proper plan for the ISMS project and this is obviously a big drawback to ensuring the projects success. It has become even more critical by the fact that the ISMS project is usually managed by personnel holding dual posts in the organisation. e. ISMS regarded as a one-off project, rather than a continuous one. Once the BS7799-2:2002 certification is awarded to the deserving organisation, the certification requires the organisation to be audited annually throughout the approved term. Thus it is only logical that the ISMS shall be considered as a continuous exercise rather than a one-off project as the organisation needs to show its commitment of ensuring information security.

f. Failure to Obtain Enough Support from Top Management