Last Updated on November 3, 2016
What enables one organization to move smoothly through the entire ISO 27001 or ISO 22301 certification process in six to nine months, while other organizations still aren’t certified after two years?
If you read Part 1 of this blog post, you already know the short answer is leadership. Part 1 explains the vital importance of leadership in successfully achieving ISO 27001 certification in a timely, cost-effective manner. Here in Part 2, I cover two critical leadership factors that can make or break your ISO 27001 certification effort.
The first of these factors is “rule by committee” (sometimes rightly called “death by committee”). I’m not saying there isn’t a place for committees in the ISO 27001 certification process. But too much discussion is something you want to avoid.
Don’t be the organization that spends six months reviewing a risk assessment to decide what’s really important. Don’t take three months dissecting the “wills,” the “hows,” the “shalls,” the “maybes” and the “should” before you can achieve consensus and approve a scoping statement.
Similarly, the more people that get involved in an approval process, the slower that process tends to be. Subcommittees, small groups and even individuals can do the due diligence and research and come back to the larger committee with recommendations: “We’ve studied this beast and we think it’s a good thing.” Or “We think this is approvable with these changes and we’re asking for your approval.”
Another successful approach is to get an overarching information security policy approved by an uber committee. But then give authority to the CIO, CSO or COO—whoever is the executive sponsor of the information security management system (ISMS)—to approve and release the subordinate policies under the highest-level policy.
In my experience, teams that function in these kinds of ways are the ones that are successful in getting their information security policies approved by management within a couple of months, and are able to achieve ISO 27001 certification in less than a year.
The organizations that want a committee of 35 partners to approve every document, not so much.
I understand that partners and others who are the owners and overseers of a corporation, law firm or other organization need and want their say, and there’s definitely a place for that. But when it bogs the process down it can be counterproductive.
A solution can be to put a strict time limit on committee decisions. For example, allocate three weeks to approve or not approve a policy document, with non-approval including a rationale and recommendations for modification. Then limit discussion on the changes to, say, one week, so that you can move forward with an approved policy in a month.
In short, you must bound the discussion framework in terms of the number of people involved and the time allocated. Otherwise you’ll probably get mired in discussion, a condition sometimes called “analysis paralysis.” Then two years and a considerable sum of money can go by the boards with nothing to show for it. Trust me; I’ve seen it happen more than once.
The other leadership factor I want to address concerns how well an organization embraces maintaining the ISMS following certification. There’s nothing more frustrating to me as a consultant than spending two or more years helping a client finally get ISO 27001 certified, only to find they’ve done nothing in terms of documentation in the year leading up to their surveillance audit.
Just as an organization’s senior leaders need to embrace the ISO 27001 certification process, they also need to provide the oversight to ensure that the continuous improvement process and maintenance of the ISMS are in place. This is vital to long-term success in handling sensitive data securely and reducing the risk of having that sensitive data to acceptable levels.
Clause 5.1 of ISO 27001:2013, “Leadership and Commitment,” states:
“Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) Ensuring the policy objectives are established and compatible with the strategic direction of the organization.
b) Ensuring the integration of security requirements into the organization’s process
c) Ensuring that the resources needed are available.
d) Communicating the importance of effective information security management and of conforming to the information security management system requirement.
“Resources” in this context is more than just money. It’s also people, it’s skill sets, it’s training people to obtain and maintain those skill sets.
“Communicating” in this context means explaining and clarifying the importance of the ISMS throughout the organization, to ensure that it achieves its intended outcomes.
When management ensures that the ISMS achieves its outcomes, that’s active oversight—not just passively saying, “Let me know how it’s going.”
These are somewhat intangible aspects of leadership, but in many ways they’re even more important than tangible factors like limiting committee size.
So when I’m asked what makes one organization successful with achieving ISO 27001 certification in nine months while another still isn’t there after two years, I often cite those intangible leadership elements, because they manifest in very tangible ways that result in success.
If you engage Pivot Point Security to help you achieve the competitive advantages of ISO 27001 certification, we will get you there. But whether we’re your partner in a smooth, efficient process or a taskmaster gradually nudging you along over a long period of time is largely up to your company leadership.
To strategize on how to achieve and sustain ISO 27001 certification quickly and cost-effectively, contact Pivot Point Security.
For more information: