The intent of achieving and maintaining compliance with ISO 27001 is for an organization to demonstrate its continuing ability to proactively assess its information security risk posture and manage that risk according to the organization’s risk appetite. The focus is truly on the governance and maintenance of the information security management system (ISMS).
Oftentimes, organizations can get tied down with the controls and not see the full picture. There have been many situations where management systems fail to obtain or maintain ISO 27001 certification, and it hasn’t been because they don’t have a well-defined and optimized set of security controls. It’s been because they’ve failed to demonstrate their ability and commitment to continually manage, monitor, maintain, and improve their information security management system. Being able to maintain the ISO 27001 certificate shows your company has the means and commitment to identify, adjust, and react to information security risk in a regularly changing and dynamic business environment.
The companies that have the most success in obtaining and maintaining their certificate are those that understand that it’s not all about the controls. The controls are an important factor in managing information security risk, and that shouldn’t be understated; however, ISO 27001 sets the standard for implementing, managing, and monitoring the processes, procedures, personnel, and controls for the purpose of minimizing the organization’s exposure to information security risk. The requirements of the ISO 27001 standard were built upon the concept of plan-do-check-act. The organization is not only implementing a set of security controls, but is also required to establish a framework and process to manage and monitor information security risk through ongoing operational requirements, which include:
- Establishing a governance framework with support and involvement from top management to ensure the necessary resources can be provisioned and that objectives for information security are in alignment with business objectives
- Regularly assessing information security risk (at least annually) and more frequently when other changing factors impact the business (e.g. re-organization, acquisition, new product, new services)
- Implementing regular awareness and educational programs designed to make sure everybody within the organization, from the CEO to the receptionist, understands their role in the protection of a company’s information assets
- Regularly collecting and evaluating metrics to monitor trends and the performance of both processes and controls, in order to ensure they are operating as intended and to identify where they can be improved
- Establishing an internal audit program designed to ensure independent evaluation of the organization’s compliance with the standard and implementation of controls to mitigate risk exposure
- Performing regular management reviews of the design and performance of the management system in its entirety (at least once per year) to provide assurance that the management system continues to operate, adapt, and improve.
It is truly the only compliance effort that goes beyond implementing and maintaining a control framework. It requires resources, effort, and commitment, but the rewards of a mature information security management system ensure that an organization can demonstrate, both internally and externally, that information security risk is a top priority and that the people, processes, procedures, and systems cohesively act together, on an ongoing basis, to address information security risk.
To learn more about the importance of ISO 27001 and, perhaps more importantly, why your management should embrace it, Ryan Mackie, our ISO Practice Director, will be hosting a free webinar on March 9th.