As in other fields, in the world of information security, standing still is tantamount to going backwards!
The aim of clause 10.1 of ISO 27001:2022 is to keep that race going: a perpetual marathon run not to win a medal, but to preserve the security of our information.
Clause 10.1 simply asks that the wheel of improvement keep on turning.
Continually improve suitability, adequacy and effectiveness.
Definitions
For a more in-depth look at what “suitability”, “adequacy” and “effectiveness” mean (the three properties clause 10.1 asks you to continually improve), here are my definitions with a few examples.
Suitability (relevance): This refers to the ISMS’s ability to meet the organization’s current needs. It implies that the system is aligned with the company’s strategic objectives and its current context, not the context it had when the ISMS was first built.
Examples:
- A high-tech company developing new online services needs to adapt its ISMS to incorporate the security requirements specific to these services, to ensure that the system is resistant to threats.
- If an organization expands its activities internationally, the ISMS needs to be adjusted to comply with country-specific data protection regulations, remaining relevant to each legal context.
Adequacy: Refers to the ISMS’s ability to cover all of the organization’s information security requirements, whether legal, regulatory, contractual or internal. An adequate ISMS must identify and address all risks relevant to the organization, with no requirement left uncovered.
Examples:
- A financial institution needs to ensure that its ISMS covers the financial-sector regulatory and contractual obligations it is subject to, not only the requirements of ISO 27001:2022 itself, so that the protection of its customers’ sensitive data is complete.
- A company handling healthcare data must integrate the legal obligations relating to the confidentiality and security of this information into its ISMS, thus ensuring complete coverage of the applicable requirements.
Effectiveness: The extent to which the ISMS actually achieves the expected results in terms of information protection. It must be able to prevent security incidents, detect anomalies quickly and react appropriately to threats.
Examples:
- If a company suffers an attempted cyber attack and the ISMS detects the intrusion, triggers an alert and enables a rapid response that contains the threat, this demonstrates the effectiveness of the system.
- Regular internal audits that reveal no major information security non-conformities indicate that the ISMS is operating effectively, provided the audit scope and sampling are rigorous enough that the absence of findings actually means something.
The world is constantly changing
Information security isn’t like a simple cake recipe that can be repeated unchanged. Technologies are evolving, attackers are using new tools (such as artificial intelligence) and regulations are tightening (such as Quebec’s Bill 25, which amended the Act respecting the protection of personal information in the private sector).
If the ISMS doesn’t keep pace, you could end up with a system that’s about as useful as a password written on a sticky note.
With continuous improvement, we move forward, adjust, simplify and ensure that our practices are effective and constantly at the forefront.
We take a proactive approach to preventing breaches, updating our tools to keep pace with technological trends, and raising awareness of security best practices among our teams. By keeping a constant watch and reacting quickly to incidents, we ensure that our assets are protected and that we don’t lose our data.
How to integrate continuous improvement into ISMS
Management commitment is essential to ensure continuous improvement of the ISMS.
In addition to defining objectives and providing the necessary resources, management must establish and maintain a culture of continuous improvement.
This involves actively soliciting and considering employee feedback, adapting processes and documents accordingly, and ensuring that security documentation, such as policies and guidelines, is regularly updated and actually applied, rather than remaining a dead letter.
By encouraging this dynamic, management demonstrates its commitment to information security and motivates all staff to play an active part in improving the ISMS.
Good moves for Clause 10.1
- Involve your employees at all levels. When everyone’s on the same wavelength, ideas flow and changes are better integrated – that’s what continuous improvement is all about.
- From dashboards to risk analysis tools, take advantage of technology to simplify your work.
- Every incident is a lesson. Analyze each one down to its root cause, not just its symptoms, to avoid repeating the same mistakes.
- Attend conferences, read articles and exchange ideas with other professionals. The best ideas often come from the outside.
Example
Suppose a company discovers that its employees are using weak passwords.
It then implements a password manager, trains its employees to use it, and monitors the improvement over several months against a defined measure (for example, by re-running the check that revealed the weak passwords in the first place). The result?
A significantly reduced risk of compromised passwords, and evidence to show the auditor.
In essence, clause 10.1 is a reminder that information security can never be taken for granted. As an organization, you have a duty to remain proactive and turn every challenge into an opportunity.
Success Criteria
Here are some questions an auditor might ask to validate compliance with clause 10.1 of ISO 27001:2022:
- How do you identify opportunities for improvement in your ISMS?
- Can you provide recent examples of corrective actions or improvements implemented?
- Present your work plan and the improvements you’ll be implementing over the next year.
I invite you to click on “Follow” to continue learning more about the field of information security.