Now, in the complex matters of Information Security, I don’t want to over-simplify, but I do have a personal crusade against all who make ISO Standards seem difficult to attain, hard to understand, and somehow disconnected from everyday business life.
Hence, a ten-point guide below. It’s not a complete “answer”, but a beginning, a framework of “how”, rather than “what”. And, of course, it’s always best to discuss these things face-to-face. So, some basics:
1. Get commitment and support from senior management. ISO 27001 is not an IT department standard, but an enterprise standard. Perhaps a description of the consequences for the whole business of an IT security failure will concentrate minds.
2. Engage the whole business with good internal communication. Occasionally, IT departments, busy fighting the inevitable and frequent “fires”, can be their own worst enemy. As per point 1, a clear portrayal of potential consequences will help the whole organisation realise that ISO 27001 implementation is more than an IT department administration issue.
3. Compare existing information security management with ISO 27001 requirements. You may find, surprisingly, that you are using parts of “best practice” already, and reinventing the wheel will not be necessary. Many companies are daunted by the prospect of ISO certification, but discover that they are applying some of the principles anyway.
4. Get customer and supplier feedback on current information security. Without making them too alarmed about your current state, ask what their requirements are, in the light of your consideration of ISO 27001 implementation and certification. This may be a rich source of “pointers”.
5. Establish an implementation team to get the best results. Again, this may be a chance to break out of the IT department ghetto and “spread the word” about security. It’s also going to help with point 2 above if you have some corporate “champions” throughout the company.
6. Map out and share roles, responsibilities and timescales. As a caution to point 5, it is possible, with too many team members, to generate more heat than light. Implementation is unlikely to be perfect from day one. Adjustments will be inevitable. The key issue is to move forward, not duplicate activity, and at least have a framework and objectives to revisit. So, getting started is good. And often the hardest part.
7. Adapt the basic principles of the ISO/IEC 27001 standard to your business. You need to find out what these are first, and ideally have an ISO consultant on board who will be able to reinterpret them and apply them to your specific activities.
8. Motivate staff involvement with training and incentives. Keeping it simple and accessible will be the key. Once again, you will certainly have to “sell” the changes to the wider audience. But make sure that you “sell the sizzle, not the sausage”. Practical examples of application (or non-application) are vital.
9. Share ISO/IEC 27001 knowledge and encourage staff to train as internal auditors. The best evangelists will be the earliest converts. Plus, regrettably, the average IT team is not all-knowing, and a broader corporate team will have task-based insights that only they could discover. ISO 27001 needs to move out of the IT department as soon as possible in order to be truly effective.
10. Regularly review your ISO/IEC 27001 system to make sure you are continually improving it. “Constant change is here to stay”. As per my point above, implementation of ISO 27001 is a journey, not a destination. It’s good to start, as that’s often the hardest part, but champions of it need to realise that its application, and hence its effectiveness, changes as quickly as the IT industry does.
And, of course, if you need a helping hand, a listening ear, or “boots on the ground”, then please be in touch!
Written by Colin Brown of ISO Consultants