Management Support
13 Apr 2006 | IT Governance Publishing

In the excerpt from Chapter 2 of "Nine Steps to ISO 27001 Success: An Implementation Overview," author Alan Calder explains the first key to ISO 27001 success and what it takes to set up for success.
It may be something of a cliché but, for ISMS projects, it is certainly true to say that 'well begun is half-way done.' The person charged with leading an ISO 27001 ISMS project has to reduce something that looks potentially complex, time- and resource-consuming, and difficult, to something that everyone believes can be achieved in the time frame allocated and within the resources allowed. And then you have to make sure that it is actually delivered!
What this actually means is that the ISMS project leader has to set the project up in
such a way that it is adequately resourced, that there is enough time (including for
everything that will go wrong) and that everyone understands the risks in the project
and accepts the controls that are being deployed to minimise them.
Almost everyone dislikes change. Very few people relish dealing with the unknown.
Most people will see an ISMS project as something that brings both change and the
unknown into their working life. On balance, they're not going to welcome it. In any
group of IT users, there are always one or two who support the idea of improving
information security. The reaction of the majority will be a passive lack of real
interest -- their approach will be that they're no more interested in information
security than are all their mates, and if it's not worth chatting about around the water
cooler, or after work, it's not worth getting excited about.
The project leader, in the first phase of the project, is the person to whom everyone
else in the organization turns for insight, comfort and support. You have to be the
person who provides enthusiasm, certainty and an understanding of what's involved.
This means that learning too obviously on the job is not advisable. I don't mean by
this that you need to know all the answers at the outset, because that's not practical.
As long as you have a clear understanding of the strategic issues and practical knowledge
of where to turn for advice and guidance, you can be effective even if you're only a
day or two ahead of everyone else in the detailed knowledge required for the project.
You'd be surprised at the number of times someone has kicked off an ISMS project
without adequate preparation and has then failed to adequately answer a series of
questions or challenges about specific issues, and then been surprised that the project
has lost credibility rather quickly.
The first key to ISO 27001 success is, in other words, to set up for success.
Setting up for success means four things:
- Knowing -- and being able to clearly communicate -- why information security
is important for any organization and, in particular, for yours;
- Knowing why ISO 27001 is the right way to provide information security --
and this also means having a background knowledge of the standard and how
it works;
- Knowing how the project is going to be structured, what the key elements are
(there are nine of them), and why this is the best way to go about it;
- Knowing whether you're going to use consultants or do it yourself, and the
pros and cons of both.
While your initial study of this book will enable you to deal with points three and
four, I'll deal with the first two points here. The first was that you should know -- and
be able to clearly communicate, in business terms -- why information security is
important and, in particular, why it is important for your organization.
Information security is, as I said in the introduction, a business issue, not a technology one. It is about securing the availability, confidentiality and integrity of your organization's information. Information security, says the introduction to ISO/IEC 17799:2005, is 'the protection of information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities' and is also 'essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image.' It is critical that you are able to present -- at all levels in the organization -- these key reasons why business needs to take information security seriously.
There are two separate sets of risks that organizations have to address.
To find out what they are, read the rest of Chapter 2 from Nine Steps to ISO 27001 Success: An Implementation Overview.