We often hear how larger-scale information security initiatives like ISO 27001 certification need to be “ingrained in the company culture,” and how you need “tone from the top” or support from executive management. Getting leadership on-board obviously helps make the initiative more successful and ultimately improves the organization’s information security posture.
But is that all there is to it? And how does that look in terms of tasks, roles or involvement in the implementation process?
In the most successful ISO 27001 implementations I’ve seen, management and cultural “buy-in” goes well beyond the realm of IT. A good practice I’d like to see more often is to directly involve every manager who owns a critical business process in the ISO 27001 certification effort.
Take, for example, a law firm that is pursuing ISO 27001 certification. Say it has a Marketing Director who processes large amounts of client PII. This data often includes highly sensitive intake information such as case details, matters and so on. Though she’s not in the IT department, putting that manager on the firm’s Information Security Management Committee (ISMC) would be ideal, because she is the person in charge of a critical business process involving some of the highly sensitive data the firm is looking to secure.
It’s only logical: if you’re setting up a program to manage information security risk, whoever manages the business processes where the risk resides needs to be part of managing that risk as well as the overall process. Their perspective and input are vital to success, as well as to building “cultural buy-in.”
Going a step further, as an information security consultant focused on delivering value in ISO 27001 engagements, I need to understand what’s important to my client; not just from a risk standpoint or a data standpoint, but also from a business process standpoint. Factoring a view of risk at the business process level into your information security management system (ISMS) can result in more effective controls, and that starts with and builds on getting the right people in the room to strategize about risk.
ISO 27001 is risk-based and non-prescriptive. At the heart of why this works is that it helps you focus on what’s important for your organization specifically. To refine that focus, you need a holistic understanding of how your business processes really work.
To brainstorm with an expert about how ISO 27001 or a similar information security framework could benefit both your organization’s information security posture and its overall effectiveness and resilience, contact Pivot Point Security.