You’re only as good as the company you keep, so the saying goes.
Without doubt, one of the most important things to get right when implementing the ISO 27001 Information Security Management System is building the right team for the project.
It’s Not Just IT
All too often, people think ISO 27001 is all about IT and hastily appoint an IT Manager to do the job as a bolt-on to their usual role. But you don’t have to think for too long to realise that ‘information security’ impacts on many other areas of your organisation: people security, physical security, organisational security and so on.
The implementation of ISO 27001 therefore requires input from all these areas. Few people are experts in all these areas.
Too Big a Job for One Person
OK, so someone still has to lead on the project. And that person may as well be the IT Manager, right? After all, the reality is that in many businesses seeking ISO 27001 certification the IT team will be at the centre of it all.
Alternatively, what if you have someone who already manages an ISO system, maybe ISO 9001 – what about them? After all, ISO 27001 like all ISO standards has an element of ‘the system’ about it, doesn’t it?
The problem is, the IT Manager doesn’t know enough about ‘the system’ and the ISO manager doesn’t know enough about information management and IT.
So, what’s the answer?
Theoretical management books will tell you to set up a committee, circulate agendas and reports, hold regular, minuted meetings etc. But I live in the real world, and in my experience few organisations have the time (or appetite) for such an approach.
The reality is that you need to marshal all the resources at your disposal, whilst minimising the impact on your daily business.
Make Allowances
Much depends on the size of your organisation and the resources at your disposal. But whoever is put in charge has to be enthusiastic about seeing the project through. You can’t go at this half-cocked. The more savvy will realise that this is a big feather in their cap – just like securing ISO 27001 for your organisation makes your business stand out from the crowd, it does the same for an individual’s CV.
Senior management have to make adjustments too. I sometimes see unforgiving senior managers who don’t fully appreciate the extra work involved in implementing ISO 27001 and don’t make allowances for it.
If the project is being managed on a day to day basis by, for example, the IT Manager, then their line manager needs to realise that this is a big addition to their usual role and make adjustments accordingly. For example, their annual objectives will need modifying, KPIs may need adjusting and some of their routine daily tasks will need to be shared out amongst other colleagues.
I often witness strained communications between senior management who’ve decided to aim for certification, and the experts within the business who are getting on with the task. The reality is, some of this stuff gets quite technical. The technical staff should be flattered that they’ve been given the responsibility. So, if someone (especially a senior colleague) doesn’t fully understand something, remember the quote from Albert Einstein: “If you can’t explain it simply, you don’t understand it well enough.”
Everyone Pulling Together
A great opportunity for getting everyone together is when it comes to working out the Risk Assessments.
The ISO 27001 standard requires organisations to develop Information Security Risk Assessments and these need to consider all three components of Information Security: Confidentiality, Integrity and Availability.
This process involves determining the Risk Appetite of your organisation i.e. how much risk your organisation is willing to take. You need to work out treatments to reduce the risks to reasonable amounts, determine the risk owners and agree residual risks.
All of this involves an understanding of terminology; Threat, Vulnerability, Risk, Value, Likelihood and Impact. It’s easy for people to confuse these and end up with a mess of poorly done assessments that the organisation doesn’t understand and can’t use.
Working through this process is a great opportunity to pull everyone together as it’s not something that can be decided or achieved by an individual – it’s about the organisation, and at the heart of the organisation are its people.
And there we have it – we’ve come full circle to where we began. ISO 27001 is not the responsibility of one person, and it requires everyone in the organisation to pull their weight and contribute.
