In the excerpt from Chapter 2 of "Nine Steps to ISO 27001 Success: An Implementation Overview," author Alan Calder explains the first key to ISO 27001 success and what it takes to set up for success.
It may be something of a cliché but, for ISMS projects, it is certainly true to say that 'well begun is half-way done.' The person charged with leading an ISO 27001 ISMS project has to reduce something that looks potentially complex, time- and resource- consuming, and difficult, to something that everyone believes can be achieved in the time frame allocated and within the resources allowed. And then you have to make sure that it is actually delivered!
What this actually means is that the ISMS project leader has to set the project up in such a way that it is adequately resourced, that there is enough time (including for everything that will go wrong) and that everyone understands the risks in the project and accepts the controls that are being deployed to minimise them.
Almost everyone dislikes change. Very few people relish dealing with the unknown. Most people will see an ISMS project as something that brings both change and the unknown into their working life. On balance, they're not going to welcome it. In any group of IT users, there are always one or two who support the idea of improving information security. The reaction of the majority will be a passive lack of real interest -- their approach will be that they're no more interested in information security than are all their mates, and if it's not worth chatting about around the water cooler, or after work, it's not worth getting excited about.
This means that learning too obviously on the job is not advisable. I don't mean by this that you need to know all the answers at the outset, because that's not practical. As long as you have a clear understanding of the strategic issues, practical knowledge of where to turn for advice and guidance, you can be effective even if you're only a day or two ahead of everyone else in the detailed knowledge required for the project.
You'd be surprised at the number of times someone has kicked off an ISMS project without adequate preparation and has then failed to adequately answer a series of questions or challenges about specific issues, and then been surprised that the project has lost credibility rather quickly.
The first key to ISO 27001 success is, in other words, to set up for success.
Setting up for success means four things:
- Knowing -- and being able to clearly communicate - why information security is important for any organization and, in particular, for yours;
- Knowing why ISO 27001 is the right way to provide information security -- and this also means having a background knowledge of the standard and how it works;
- Knowing how the project is going to be structured, what the key elements are (there are nine of them), and why this is the best way to go about it;
- Knowing whether you're going to use consultants or do it yourself, and the pros and cons of both.
There are two separate sets of risks that organizations have to address. To find out what they are, read the rest of Chapter 2 from Nine Steps to ISO 27001 Success: An Implementation Overview.