In any management system there needs to be encouragement and leadership from the top levels of management, even if the individuals concerned are not deeply involved in the day-to-day routine. In a small organisation the CEO may take a very hands-on role, but if the business is large and diverse it is almost impossible for one person to have in-depth involvement across all activities. Even so, company leaders must not isolate themselves from the procedures; they must be seen to take an interest and to subject themselves to the same level of commitment they expect from staff. They can explain to the team what poor information security management would cost in terms of reputation, performance, regulatory exposure and the like, and they can be enthusiastic participants in the discussions that follow.
Leadership from the top
At the outset, the leader's role is to gain an understanding of the subject, preferably with the help of internal employees and also outside experts such as a certification body. They need to know what applying the standard will mean for the company and what its implications are, and be able to communicate this to others. They must also understand how present processes and risks are identified and handled.
With information security management, the understanding will need to begin with obtaining a copy of the relevant standard, ISO/IEC 27001, together with any related guidance (for example ISO/IEC 27002, which expands on the controls listed in Annex A). A team then needs to be assembled to take the development forward. It is important when building the team that all sectors of staff and operations are represented.
By its very nature, information security will require a lot of input and operational control from the IT and technical specialists in the organisation. They will be best placed to identify the risk areas and to propose protective measures and solutions. In the event of a successful cyber-attack, they will also be the people to whom the task of rebuilding systems and getting things back to normal falls. The technical team should be asked to design a backup regime that keeps at least one copy of the data offline or otherwise isolated from the production network, so that ransomware which encrypts live systems cannot reach the backups as well; the backups should also be tested periodically by restoring from them, since an untested backup is not a recovery capability.
They are likely to see other staff as the weak link in the data security chain, and to some extent they may be right. However, other staff have their own skill sets and are equally important to the company's success, so they may simply need extra guidance on how to recognise and handle suspected cyber threats.
Engaging staff at every level
Although the technical team will be tasked with constructing the framework, it is essential that they understand the working practices and needs of other departments and personnel. A system that is as secure as Fort Knox but does not allow staff to do their jobs is a hindrance to business success, and staff will find ways around it. It is equally important that the system is structured to meet the requirements of the ISO standard; otherwise it will not be deemed suitable for certification.
The quality control managers and staff will want to ensure that the ISMS integrates with the other management systems in operation in the organisation. Systems that mesh together make for a more efficient organisation and usually reduce the time and cost of auditing, because different systems can be assessed in a single combined audit.
The customer- and supplier-facing parts of an organisation are the areas where its information network interacts with that of another organisation. These areas can be weak links if one of the organisations treats information management less seriously. Employees working in these areas are often under pressure to meet targets, and the combination of a fast-paced daily routine and links to other organisations is an area that needs to be properly managed.
Ensuring the system is fit for purpose
When building the system, its future management and refinement need to be considered. New software platforms might be beneficial but, in any case, the relevant processes need to be decided and documented effectively at this point. All team members need to co-operate here and could benefit from some training and from working alongside the certification body, which can explain what an audit will look for but cannot design the system it will later certify.
The next step, beginning to implement the system, can be the most difficult, as it will usually involve changes to working practices. For this reason there needs to be constant review and appraisal of the processes and practices, and when problems are identified all parties need to decide how best to resolve them. Once the system has been in place for a reasonable length of time, at least one internal audit has been carried out and management has reviewed the results, it is time to consider applying for certification.
To guide you on the journey to ISO 27001 compliance, access DNV’s self-assessment to understand your readiness.
Your business relationship with the certification body/registrar is likely to last for many years, as your certification has to be maintained through surveillance and recertification audits. To have an efficient management system, continual improvement is key. DNV will help you get maximum value through the certification journey with a partnership approach, risk-based auditing and digital tools driving efficiency and improvement.