Many things are important in becoming ISO 27001 compliant, but in this blog post I’ve narrowed it down to just 4 key areas. Trust me. By focussing on these objectives, you will greatly simplify your journey.
Make it relevant
First things first. You need to make it relevant. People will be more supportive if there is a known reason or benefit in becoming ISO 27001 compliant. Perhaps an important contract requires ISO 27001 certification, or perhaps compliance is a requirement before you can bid for new contracts. Tying ISO 27001 compliance to something which will benefit the company and the staff is an assured way to get people’s support.
Having a reason for becoming ISO 27001 compliant also justifies any changes you need to make to current working practices. These changes will be hard to make and to get accepted by the staff unless the people involved understand why the changes are required.
Of course, any ISO 27001 compliance undertaking will fail if it doesn’t have the backing of senior management. In 27001 terminology this is “Top management”, and section 5.1 Leadership and commitment has a lot to say about Top management’s support for the information security management system (ISMS).
Get Board buy-in
Second things second. Get the Board “on board”. Getting Board (and therefore Senior Management) buy-in for your ISO 27001 compliance efforts is critical. Without it, you are doomed to fail. Any type of compliance exercise will require resources and is likely to require some changes to existing working practices. Without Senior Management buy-in, resources will be unavailable or reassigned, and changes to existing working practices will be resisted or just ignored. Having this critical support for achieving compliance will help to smooth over a lot of the difficult areas and help you reach the next key point.
Integrate the ISMS into everyday working practice
Becoming ISO 27001 compliant and getting the ISMS (and its associated controls) ingrained into the culture and working practices of an organisation takes time. People need time to forget the old way of doing things and get used to doing things the right way. Bear in mind that any ISO 27001 audit will be looking for the maturity of the ISMS, which for this blog post is key area number three. This means that the ISMS has been in operation for some time, with some accreditation bodies expecting at least a year.
Trying to become ISO 27001:2013 compliant, and possibly certified, is possible in shorter timescales, but the end results may be less sustainable. The rush to become compliant will inevitably result in some shortcuts being taken which will be hard to address in future.
When putting together an information security management system, a lot of it can be done by the information security team with little or no involvement from other teams or departments. Where things will start to fall apart with this approach is with the implementation. Having security-related policies suddenly imposed with no discernible reason is going to be unpopular with the staff and very likely to fail.
Engage the whole organisation
Finally, engaging with the staff and continually engaging them will help in achieving ISO 27001 compliance and in maintaining it. If staff know the reasons for the efforts to implement ISO 27001 and maintain compliance, they are less likely to obstruct and are more likely to assist.
There is very little the Information Security team should do in isolation. Information security touches every part of an organisation, so every part needs to play an active role in maintaining security. The more an information security team engages with other teams the more effective they become, and they receive a complete view of the organisation’s security posture.
By focussing on achieving these four simple objectives, you will find everything else will fall into place nicely. An overstatement, I know, but I promise that if you proceed without attaining these goals you will find the route to compliance far more complicated than it needs to be. Good luck, and I’ll see you on the road.