The term SME (Small and Medium Enterprises) represents a broadly deployed type of company whose main feature is to have a reduced number of employees and moderate billings. The definition of what constitutes an SME varies depending on the country. For the purposes of this document they will be defined them as organizations of approximately 500 employees maximum. This, from a general point of view, includes more than 90% of all worldwide enterprises, and more than 99% of the enterprises within the European Union.

Security professionals, commonly involved in high level issues such as information security management and governance, standards, digital signature projects, PKI or log consolidation, among others, tend to suffer a loss of perspective on assuming a high level of knowledge, deployment and culture on security across organizations, when the truth among SMEs is quite different. Only a small number of companies possess a high level of information security deployment, whereas the great majority lacks important knowledge about security in general, as well as about associated organizational and technical measures. The reality is that this kind of organisation lacks maturity about information security.

Such organizations usually need an adequate organisational structure; in most cases, they lack a chief security officer, whose job is assumed by the IT manager (systems and/or communications). This fact, joined to little or no training on information security, leads to a very basic and insufficient deployment of security measures, which are mostly taken to solve ad hoc problems and needs in the organization.

The daily tasks do not allow the people involved to have an overview or to plan and manage information security adequately. This, in turn, leads to a lack of awareness at the top level management about these issues, and inevitably ends up in unacceptable levels of risk for the organization. Such is the case of security incidents or non compliance issues that have an undesirable impact on the business. It is then that information security professionals are needed in the organization, to solve those immediate problems and, in the medium and long term, to reduce the risk and deploy adequate security measures.

When such incidents occur, companies usually require a reduction of the existing risk, deployment of short-term critical security measures, and without doubt, the development of an action plan for the top level management and the security manager (in fact the IT manager) to identify the necessary resources, and how security can be integrated as an additional requirement in the business processes of the organization.

This complex challenge could be approached in a traditional fashion, following the typical methodologies and standards (mainly ISO 27001), and consequently starting the ISMS (Information Security Management System) with its usual phases, whose description is not in the scope of this document, but will be outlined here as reference:

  • Scope and policy definition of the ISMS
  • Setting resources and responsibilities
  • Asset Assessment
  • Risk Management
  • Risk Treatment (control selection)
  • Statement of Applicability
  • Deployment

The strict execution of these phases in SMEs tends to be quite complicated, due to lack of awareness at the top level management and to the absence of some minimal structure for information security. Security measures (controls) are deployed only when the project is well into its course (probably months after the beginning). As a result of this, one of the objectives of the company, the short term critical measures, is not achieved.

This approach, otherwise accepted as the long-term path to follow, is then not commonly accepted by companies looking for immediate results ("we want security and we want it now").

Here arises the need for a methodology to scenarios like the one outlined earlier (again, bearing in mind that SMEs are 99% of the enterprises across the EU). This approach should provide a bridge between total non-compliance and a methodological deployment of security management according to a standard like ISO 27001.

This is the reason for presenting IS2ME (Information Security to the Medium Enterprise) as an approach and solution for the deployment of information security in organizations whose security model is not mature enough, but wish to undertake security deployment and its associated management system in an efficient, effective, and practical way. Such a method reduces risk in the short term while setting up a framework to achieve the required standards.

IS2ME also pursues an ambitious social objective: closing the gap between information security and medium (and small) enterprises. The process includes weaving information security in the organisational culture so that the general level of risk is reduced, resulting in an increase on the value, revenues and economic level of the majority of organizations that exist nowadays.