
The organization’s management is key to ensuring that ISO 27001 requirements are met and that the ISMS is effective.

It’s important to understand that ISO27001 is a standard that needs to be implemented from the top down.

So, the organization’s management must show leadership and demonstrate to everyone, on a regular basis, that information security is an issue that is taken seriously. It must not only say so, but also demonstrate it through concrete actions on a daily basis.

The role of the information security manager must be clearly communicated, not only to the person receiving this responsibility, but also to the other members of the organization.

For information security activities to become part of people’s daily activities within the organization, responsibilities and accountabilities must be defined and clearly communicated.

Although the standard does not require the appointment of an information security representative, it may be useful for some organizations to appoint one to lead the information security team, coordinate training, monitor controls and manage reporting of ISMS performance to management.

In Quebec, with the new law on the protection of personal information in the private sector, this person can also be responsible for data protection. However, to be effective in his or her role, this person should ideally be a member of the management team and have a sound technical knowledge of information security management.


On top of the roles and responsibilities already imposed on the organization's management, the ISO 27001 standard adds eight additional items to their job descriptions.

Here are the elements defined by the standard, reformulated:

5.1 a) To ensure that strategic plans and orientations are fully in line with the security policy, the organization continually checks whether its long-term ambitions reflect its information protection objectives.

5.1 b) Ensure that IT security requirements are integrated into organizational processes for optimum protection.

5.1 c) Ensure that the resources needed for the information security management system (ISMS) to function properly are available.

5.1 d) It is essential to emphasize the importance of IT security and compliance practices to ensure effective management of the information system.

5.1 e) Ensure that the information security system is up to standard, delivering the expected results and effectiveness.

5.1 f) Provide direction and support to enable individuals to contribute to improving the performance of the security management system.

5.1 g) Promote continuous improvement.

5.1 h) Lead by example and demonstrate how committed the management team is to fostering success in all facets of the organization’s management roles. Provide an inspiring demonstration for other leaders to follow, helping to ensure that everyone is working towards common goals.

This list clearly states the why and the what (the target), but what is missing from it is the "how": how will these roles and tasks be fulfilled? In good Quebecois parlance, we are wondering whether "les bottines vont suivre les babines" (whether actions will follow words).

Are you using ISO 27001 to win new customers, or to really increase your security posture and implement an information systems management program?

What we want to find at this stage is the commitment of the organization and of its management.

Who’s in charge?

Does management understand that the survival of the ISMS (Information Security Management System) is critical to the organization?

To succeed in this type of project, implementation teams must have the necessary resources, support and encouragement from the management teams.

It is at this stage that an external auditor looks for a sense that the project matters to the organization: for example, whether there are presentations to the management committee, a business case, or a regular status review plan for the project.


Example of failure

The success of a project is rarely guaranteed, and even when the best plans are put in place, there can still be pitfalls that prevent it from succeeding. One such pitfall, as we have seen, is insufficient management involvement.

When management fails to support implementation teams, or to provide evidence of its commitment to the project, the likelihood of failure increases considerably.

To guarantee success, managers must not only be present, but also actively involved at every stage of the project cycle.

The failure of this clause is guaranteed in cases where management is not present, does not accompany its implementation teams and has no proof of its commitment to the project.

Another example of failure against clause 5.1 is when a security measure in place applies to all employees except management. This clearly shows a lack of commitment.

Another example: access control is strict for everyone, but management gives external access without any real restrictions, monitoring or otherwise.

I hope it’s clear to you that management involvement and commitment are essential to the success of this project.

Without proper top-down involvement, projects can easily go off the rails due to a lack of oversight, responsibility or even accountability.

To ensure the success of a project, managers must be present at all stages of the project cycle, and actively participate in its implementation and execution.

Success criteria

In order to determine whether we have complied with clause 5.1 of ISO27001, here are a few questions an auditor might ask:

  • How did the project come about?
  • What role does management play in project management?
  • How do you keep track of documents so that you can review them?
  • How are documents approved?
  • Have you estimated the budgets needed to implement the ISMS?
  • Are ISMS indicators aligned with those of the organization?
  • Have ISMS support roles or responsibilities been integrated into job descriptions?
