I’d like to share a few thoughts about what’s important when building a Management System in general, and an Information Security Management System (ISMS) in particular. Please consider these tips and ideas from me to you. This post relates to ISO 27001:2013 and the other standards that follow the new common model and structure.
More than one standard?
Are you looking to build a Management System against more than one standard? Good idea, just make sure to combine them into one Management System from the start rather than bolting a second system onto the first later.
Start from the processes
Make sure that you start from your own processes and include your policies in them. It’s fairly easy to build the system documentation straight out of the standard(s). The risk is that it won’t make any sense to the organisation when you move on to implementation. For example: you will have to implement controls according to ISO 27001 Annex A.7 regarding Human Resource Security (and you probably already have some). I believe it’s better to have these controls documented and enforced within the HR processes themselves, rather than in some separate ISMS control structure that few people read anyway.
Document what you’re already doing
I would suggest that at least 99% of all organisations have some kind of Management System, and more than 80% of them have it in writing, one way or another. My point is that there already are processes in place that everyone involved knows about and knows how to perform on an everyday basis. Make sure that you document these processes first. Perhaps you already have documents describing it all: use them as they are if possible, otherwise merge them into the decided Management System structure and go on from there.
Avoid creating processes and policies that are foreign to you
As already stated, I believe it’s important to aim at documenting already well-known processes. I also believe it’s just as important to avoid creating processes and policies that you can’t relate to. When looking at current processes, you might think that these could and should be improved. It’s tempting to aim for better performance and/or security while at it. But you might then end up implementing a Management System that very few in your organisation can relate to. The risk is a discrepancy between the Management System stating how the work is supposed to be done and the organisation carrying on just as before. Don’t forget about continual improvement, which is what the ISO Management System standards are all about. You’ll have plenty of time and opportunities to improve the system further on and let it mature organically.
It’s all about risks…
ISO 27001 is all about risks and risk management. If you’re heading for certification of your ISMS, that’s what the auditors will begin to ask about. You’ll need processes for risk assessment and risk treatment, and ISO 27005 is not a bad place to look. It actually helps you understand what you need to consider when setting up the risk management processes.
Include as many colleagues as possible
When it comes to risk assessment and risk management, I think it’s a good idea to have broad representation. For example: you will be doing risk assessments for your information resources. Why not have some colleagues from the business take part in these assessments? With broad representation you get valuable insights that might otherwise be lost. Of course there will be risks assessed in the organisation that are not for a broader audience to know about, and you’ll know what to do when you find them. This approach might seem a bit scary, but I really recommend it! Implementing and improving the Management System will then be much easier. And so much more fun!
ISO 27001 is a beast – or is it?
It’s no big news to anyone that ISO 27001 differs from the other popular management system standards (like ISO 9001 and ISO 14001). Mostly, perhaps, because of Annex A, with its list of controls that must all be considered. It’s easy to read through the standard and come to the conclusion that it’s a beast that will be hard to tame. That might be true for some organisations, but in most cases I would argue that it isn’t, partly because of the tips I’ve stated above. The process of building and implementing the system will be just as hard as you allow it to be. There will most probably be controls to exclude in the Statement of Applicability (SoA) later on, with a documented justification for each exclusion, and you don’t have to be “all done” with the controls you are not excluding to begin with.
Use ISO 27002 as a reference
Perhaps you’re already familiar with ISO 27002? Perhaps you have already built your security policies from that standard? If so, good for you: then you already have good insight into the ISO 27001 Annex A controls. If you’re not familiar with it, I would recommend using it as a reference further on. It will be a good help when setting up your ISO 27001 Management System and understanding Annex A. But remember to use it merely as a reference; it’s guidance, not an answer key for how to implement the controls. Consider it a good reference for when you wonder what a control in ISO 27001 Annex A really means.