Why the organisation needs to improve their information security management?

1. Risk-based thinking, the information security is crucial for business operation and shall be protected
2. Technical compliance with latest information technology, i.e. cryptography
3. Legal compliance, i.e. PDPA(Personal Data Protection Act), IPR
4. Government regulation for IT service provider, i.e. telecommunication, financial, healthcare...etc.
5. Contractual requirements, i.e. supplier contract, service level agreement
6. Social responsibilities, common practice for IT and service management 
7. Technically sounds and effective, i.e. vulnerability management, penetration testing (PT)
8. Market competition, i.e. competitor

Critical success factors

• information security policy, objectives, and activities that reflect business objectives;
• an approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture;
• visible support and commitment from all levels of management;
• a good understanding of the information security requirements, risk assessment, and risk management;
• effective marketing of information security to all managers, employees, and other parties to achieve awareness;
• distribution of guidance on information security policy and standards to all managers, employees and other parties;
• provision to fund information security management activities;
• providing appropriate awareness, training, and education;
• establishing an effective information security incident management process;
• implementation of a measurement system that is used to evaluate performance in information security management and feedback suggestions for improvement.

Starting Point of Information Security Management

Considered to be essential to an organization from a legal, legislative point of view include, depending on applicable legislation:

• business objectives 
• data protection and privacy of personal information;
• protection of organizational records;
• intellectual property rights.

Considered to be common practice for information security managing include:

• Business/Organisational risk analysis according to risk management principal (ISO 31000)
• information security policy document;
• allocation of information security responsibilities;
• information security awareness, education, and training;
• correct processing in applications;
• technical vulnerability management;
• business continuity management;
• management of information security incidents and improvements.