Management Support

In the excerpt from Chapter 2 of "Nine Steps to ISO 27001 Success: An Implementation Overview," author Alan Calder explains the first key to ISO 27001 success and what it takes to set up for success.

It may be something of a cliché but, for ISMS projects, it is certainly true to say that 'well begun is half done.' The person charged with leading an ISO 27001 ISMS project has to reduce something that looks potentially complex, time- and resource-consuming, and difficult, to something that everyone believes can be achieved in the time frame allocated and within the resources allowed. And then you have to make sure that it is actually delivered!

What this actually means is that the ISMS project leader has to set the project up in such a way that it is adequately resourced, that there is enough time (including for everything that will go wrong) and that everyone understands the risks in the project and accepts the controls that are being deployed to minimise them.

Almost everyone dislikes change. Very few people relish dealing with the unknown. Most people will see an ISMS project as something that brings both change and the unknown into their working life. On balance, they're not going to welcome it. In any group of IT users, there are always one or two who support the idea of improving information security. The reaction of the majority will be a passive lack of real interest -- their approach will be that they're no more interested in information security than are all their mates, and if it's not worth chatting about around the water cooler, or after work, it's not worth getting excited about. The project leader, in the first phase of the project, is the person to whom everyone else in the organization turns for insight, comfort and support. You have to be the person who provides enthusiasm, certainty and an understanding of what's involved.

This means that learning too obviously on the job is not advisable. I don't mean by this that you need to know all the answers at the outset, because that's not practical. As long as you have a clear understanding of the strategic issues and practical knowledge of where to turn for advice and guidance, you can be effective even if you're only a day or two ahead of everyone else in the detailed knowledge required for the project.

You'd be surprised at the number of times someone has kicked off an ISMS project without adequate preparation, has then failed to answer a series of questions or challenges about specific issues, and has been surprised that the project lost credibility rather quickly.

The first key to ISO 27001 success is, in other words, to set up for success.

Setting up for success means four things:

  1. Knowing -- and being able to clearly communicate -- why information security is important for any organization and, in particular, for yours;
  2. Knowing why ISO 27001 is the right way to provide information security -- and this also means having a background knowledge of the standard and how it works;
  3. Knowing how the project is going to be structured, what the key elements are (there are nine of them), and why this is the best way to go about it;
  4. Knowing whether you're going to use consultants or do it yourself, and the pros and cons of both.

While your initial study of this book will enable you to deal with points three and four, I'll deal with the first two points here. The first was that you should know -- and be able to clearly communicate, in business terms -- why information security is important and, in particular, why it is important for your organization. Information security is, as I said in the introduction, a business issue, not a technology one. It is about securing the availability, confidentiality and integrity of your organization's information. Information security, says the introduction to ISO/IEC 17799:2005, is 'the protection of information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities' and is also 'essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image.' It is critical that you are able to present -- at all levels in the organization -- these key reasons why the business needs to take information security seriously.

There are two separate sets of risks that organizations have to address. To find out what they are, read the rest of Chapter 2 from Nine Steps to ISO 27001 Success: An Implementation Overview.

This was last published in April 2006
