The ISO 27001 standard makes it clear that top management involvement and direction is central to the effectiveness of an information security management system (ISMS).
But who is “top management” and what should they be doing to “grow” and mature the ISMS?
In a recent episode of The Virtual CISO Podcast, ISO 27001 implementation expert Rich Stever laid out definitive guidance on this pivotal topic. Rich is GRC Practice Lead at Pivot Point Security, and works every day helping our clients optimize their information security programs.
“Their role should be asking the questions,” Rich asserts. “What are our security objectives? They should be attending those meetings when possible because there are a lot of decisions made there. There’s a lot of discussions going on. They should be asking for the reports. Did we meet our objectives? They should be looking for those one-, three-, five-year plans of our goals for information security. Where do we want to be? Okay, we’ve got ISO 27001 certification… what’s the next step? What are we doing? How are we evaluating ourselves outside of these certification audits?”
In line with that, top management is responsible for validating the effectiveness of the ISMS at managing information-related risk.
Rich explains: “Management should be looking at their metrics. Are they meeting their objectives? One other way is through the internal audit. The internal audit is an evaluation of their processes. A lot of times the surveillance audits are only hitting on a portion of those controls. And the majority, 99% of the time, our internal audits are going to be full review of the ISMS in its entirety. So what type of results are we getting back? Are we improving? Are we downgrading ourselves year after year based off the results?”
Third-party questionnaires are another window onto information security effectiveness that management can leverage. According to Rich, “What types of questionnaires are we getting from our clients? Are we meeting those expectations within those questionnaires? If there are any findings, and third-party audits as well, are there any results that need to drive change within our ISMS? And are we completing them [remediation steps]? How are they being tracked?”
These latter kinds of input are especially critical for SaaS vendors, among others. If you run (or own) a business that delivers its services through software, the security of that software directly affects enterprise risk.
Podcast host John Verry, Pivot Point’s CISO and Managing Partner, puts it this way: “You’re understanding the biggest information security risks and validating that you think the way the ISMS is constructed aligns with that. If you’re a SaaS, and you haven’t done an application vulnerability assessment and penetration test, that’s probably a red flag.”
John also points out that top management is not only responsible for governing the ISMS, but also resourcing it: “If management’s not providing the funding to do a comprehensive assessment of the application, then management can’t be pissed off that it hasn’t been done.”
“There has to be a balance across the organization as far as keeping the ISMS continuously improving and ensuring that you’re meeting your contractual obligations, your legal requirements that you want to do,” summarizes Rich. “But also on the technical side, there are a number of activities that need to be done, and they need to be managed and monitored. How do you do that effectively with an ISMS? … So it’s getting those tools in place, those processes in place and ensuring they all flow into metrics.”
When top management has access to such metrics, it gains assurance that the ISMS is properly operationalized and monitored. The flip side is an ISMS that is largely ignored and ineffective, receiving attention only in a reactive scramble to make things look acceptable shortly before the next ISO 27001 surveillance audit.
Hopefully your company hasn’t experienced that! If you want to make sure you never do, this podcast episode with Rich Stever will be a big help.