Should Your Company Implement An ISMS

Stakeholder Awareness

Who are the stakeholders in your organisation that might be affected by information security issues?

• Have you identified key stakeholders such as customers, employees, partners, or regulatory bodies?

• Do you understand the role each stakeholder plays in your organisation?

Documenting Stakeholder Needs

Have you documented the information security needs of your stakeholders?

• Do you maintain a list or record of these needs and expectations?

• Is this documentation updated regularly to reflect any changes in stakeholder expectations?

Considering Stakeholder Needs in Planning

Are stakeholders' information security needs taken into account when planning company activities and decisions?

• Do you evaluate how business decisions might impact the security needs of your stakeholders?

• Are information security considerations part of your strategic planning and decision-making processes?

Communication with Stakeholders

How do you communicate with stakeholders about your organisation’s information security measures?

• Do you have a process for informing stakeholders about how their information is protected?

• Are stakeholders made aware of any incidents or breaches that might affect them?

Review and Update Processes

How often do you review and update your understanding of stakeholder needs and requirements?

• Is there a regular schedule for reviewing and revising stakeholder information security needs?

• Do you have a process in place for responding to changes in stakeholder expectations?

Do I need to have an ISMS?

If any of the following is true or required of your company, you should have an ISMS.

• Do you store any personal information of your customers?

• Is the company a public (publicly traded) company?

• Is there specific data or information assets that your partners expect you to safeguard?

• Are there regulatory or legal requirements that your organisation must comply with concerning information security?

  • Personal Data Protection Act 2010 (PDPA)

    • All publicly listed companies must comply

  • Communications and Multimedia Act 1998 (CMA)

  • Computer Crimes Act 1997 (CCA)

  • Digital Signature Act 1997

  • National Cyber Security Policy (NCSP)

  • ISO/IEC 27001

  • Bank Negara Malaysia's Guidelines

  • Securities Commission Malaysia (SC)

  • National Security Council Directive No. 24

• Does your organisation store data from other countries if so, are you required to comply with:

Country/Region Name

European Union General Data Protection Regulation (GDPR)

United States Health Insurance Portability and Accountability Act (HIPAA)

      Children’s Online Privacy Protection Act (COPPA)

      Gramm-Leach-Bliley Act (GLBA)

Philippines Data Privacy Act of 2012

Vietnam Law on Cyberinformation Security (2015) (LCIS)

       Law on Cybersecurity (2019) (LCS)

South Korea Personal Information Protection Act (PIPA)

Japan Act on the Protection of Personal Information (APPI)