As soon as employees see terminology like “information security” their immediate reaction is that this is IT-related and therefore only belongs in the IT Department. Information security involves all areas of your business.
Your information assets will not only reside in your IT department. Your information assets are all over your business.
So when developing and implementing your systems, be sure to highlight the fact that information security is across the whole organisation. From top to bottom and for everyone in between.
Therefore take a comprehensive approach to everything you do when creating your information security management system.
That doesn’t mean documenting everything and anything. It just means that you need to consider your whole organisation and everyone that works there, including your suppliers and your contractors.