Introduction - The ISO 27001 Lead Implementer #1 Challenge
For ISO 27001 Lead Implementers inside organizations, the challenges are many. In most cases the need for an ISO 27001 based Information Security Management System (ISMS) is being driven by customer demand, so while there is some uphill selling to gain full top management support, in the context of the life-cycle of an ISMS, maintaining a strategic focus is paramount to its success and to meeting stakeholder expectations. This article by its very nature will appear controversial, but it is not intended to be so. That said, there is nothing better than a bit of controversy to stir up conversation. I have heard it said, and believe it to be true, that it is through listening to varying perspectives that we have an opportunity to evolve.
The Problem Statement
One of the challenges faced by many ISO 27001 Lead Implementers is staying the course and maintaining a strategic focus. The input we receive from clients is that the biggest challenge to maintaining a strategic focus is the tactical issues that surface on an ongoing basis, drawing planned resources away from projects supporting the ISMS' development. When elaborating, we are advised that the greatest source of tactical issues that draw on their resources is 1st, 2nd and 3rd party audit issues. To borrow from an episode of Seinfeld, "not that there is anything wrong with that." This is to say, we all understand and see the tremendous value the audit function brings to the table.
For many of these organizations there is an upfront acknowledgement of "opportunities to improve" the information security posture, by way of output from the upfront ISMS gap analysis. When most organizations embark upon an ISO 27001 ISMS it is normally driven by customer demand, therefore there is usually little uphill selling to the senior management of the organization. For those not acquainted with the organizational certification and its ongoing maintenance, please see our process map provided here for your reference.
After the gap analysis is performed, the gaps are subject to individual impact assessments to determine the full effort and cost to bring each of them to closure. Once this is done the Lead Implementer consolidates the gaps into a risk-based plan, secures senior management sponsorship on the required budget, and moves forward into the implementation phase.
Focusing on individual tactical audit issues draws critical resources away from the ISMS' projects, and results in an operational risk of missing business commitments to customers, senior management and the Board.
In one large and geographically diverse organization I had the privilege of supporting, there was one individual representing an undefined technology risk management role who, on a regular basis, would meet with me and insist that the issues on her spreadsheet must disappear before our next monthly meeting; these items being security audit issues. My job was to oversee the ISMS, keep it on track and ensure that the average of 28+ projects we had running at any one time continued as scheduled and met their committed deadlines. As you can see, our missions appeared to be diametrically opposed. That said, it was my sense that it wasn't a test of wills, but rather a breakdown in communications, in that we were not speaking the same language.
Upon recognition of the communication gap, I collected select individuals from my team and a few other trusted advisers in the organization and we went into a brainstorming session; the result was the argument you see to the right hand side of the screen.
The output from this brainstorming session was the creation of an equation written in the style of a computer programming conditional statement.
Once you read through this, consider an example audit issue such as: the organization does not have IDS / IPS to identify threats to the organization's perimeter. So someone comes up with some budget, purchases the IDS / IPS, sets up a project, racks and configures the devices, and gets them up and running. All but the most naive of us know this is not the end of the story. We know that as soon as the auditors come back to validate that the IDS / IPS have been implemented, there is a rolling list of new audit items like operational procedures, active monitoring, incident management process integration, staffing, etc. This is where the argument stems from.
Once presented with this, she understood everything I had been trying to say; we then aligned her spreadsheet with our ISMS committed deadlines, and that is what we tracked from that time forward.
Note: The embedded video was produced by the Information Security Leadership Forum based on this article and is part of the Leadership Forum's commitment to accessible leadership education and information sharing. It was produced with permission from CIMA; however, original copyright ownership remains with CIMA, for which all rights continue to be reserved.