Most organizations go into an ISO 27001 initiative with high energy and excitement, focusing on the benefits and value certification can yield upon attainment, especially their company’s future prosperity. That said, there are others that will only go down this road kicking and screaming, and only at the insistence of a high-value customer contract mandating evidence of compliance.
Why is this? It’s because altruism is counterintuitive to capitalistic markets that focus on profit. You can’t get to compliance without some form of investment, and investment is typically drawn from the profit pool of an organization’s resources. Even marginally reducing profits translates to a higher cost per transaction (or unit of a product), which can have an adverse effect on an organization’s share value. All that said, strategic organizations position these types of expenses as high-value return investments for customer retention and growth.
With that said, how do organizations typically react to an initial ISO 27001 or other compliance-based gap assessment? Allow me to draw a parallel to the 5 Stages of Grief and Loss. Like the stages of grief, the 5 Stages of Reaction to Non-compliance don’t all happen in the same order, and while some organizations experience them all, others may only exhibit some of the stages. These are:
1. Denial & Isolation
After a compliance assessment, whether the client is reacting to ongoing reports of high-risk issues identified along the way or is reviewing the final report, the first response tends to be the posing of questions about the observations, followed by disagreement (denial).
That’s right, most organizations that undertake an ISO 27001 or other compliance assessment will get very defensive and, in some cases, argumentative. While compliance is in part a subjective art, it simply comes down to whether you comply with the minimum requirements or not.
In cases where a service provider is overzealous in their assessment and findings, and this does happen on occasion, this can be the basis of a real and defensible rebuttal. In some cases, inexperienced staff of a service provider may assess a control against what they think the baseline for the control should be (in their professional opinion), and forget that they are assessing against the minimum requirements of the standard or regulation, as the scope of the engagement dictates. While there is room to convey opportunities for improvement, these should not affect a positive or negative compliance opinion, but rather be noted as observations for the future maturity of the control.
Notwithstanding the above, the majority of cases do relate to organizations not liking what they see in the mirror. Unfortunately, not liking or accepting a non-conformity finding will not sway the opinion of a certification auditor, and the organization will need to address it before seeking certification.
Isolation comes in when the organization’s representatives retreat within the boundaries of their company to confer internally, and temporarily break all communications with the service provider; think of it like a football team’s huddle. During this time the organization is typically strategizing on viable arguments seeking to dismiss the non-conformity finding. It is key to note here that this response is not always the emotional response of the organization’s engagement point of contact, but can be driven by other internal stakeholders.
2. Anger
Once the organization returns from their isolation, the typical response is ANGER. Anger is an emotional response to an unpleasant situation, and it is important to note that it is not typically reflective of the work performed, but rather disappointment that they themselves have not earned a better grading. This can be the result of limited resources and support from the organization’s leadership.
One of the key motivators for anger in situations like this is where management bonuses are tied to getting a favorable report, or to being able to immediately move forward and secure certification.
This is a critical stage in the forward momentum of an overall compliance initiative, as organizations can get bogged down here and spin their wheels for an excessive amount of time. Irrespective of the impetus for the response, it happens, and we just need to recognize and manage it, whether you’re the client or the service provider. We need to remind ourselves that we’re all on the same side and have one goal: ensuring the organization achieves its business objective of meeting their client’s expectation of certification.
3. Bargaining
As calmer heads prevail, organizations migrate into the negotiating stage. They want to do the right thing, but there is time and expense, and the clock is ticking away on the compliance deadline in their customer contract. One example of this might be, “Well, I’ll write a process document this week and give it to you to look at before you leave on Friday. Will that satisfy the control?”
Unfortunately, while it might satisfy the basis of the control, it won’t satisfy it holistically. In accordance with the requirements of ISO 27001, controls need to be in place and demonstrable as being consistently applied over time. The normal measurement for ISO standards is three months. So, while the service provider assessing you can say yes, the organization has written a process document mandated by the standard, there also needs to be evidence of management approval, communication to interested parties, handover to operations, measurement and monitoring, and of course evidence that the process is followed on a consistent and ongoing basis.
In some cases, the bargaining process can yield great outcomes, as the organization naturally assumes a suggestible state of mind when opening negotiations, even when they believe they have already determined the one solution, their way. Being open and listening to experts can help an organization quickly move from non-compliance to compliance, limiting the associated window of risk.
4. Depression
Depression takes hold when the “Bargaining Phase” has concluded and the organization agrees, or is otherwise resolved, to acknowledge that the bulk of the line items in their spreadsheet remain at non-compliant status. This sense of depression is a result of being overwhelmed by the volume of work ahead and the investment of resources needed.
This can be exacerbated if the organization made commitments with a limited or an unqualified budget proposal. This is not necessarily a symptom of inexperience on the part of that leader, as there are many occasions when the senior executive leadership or Board induces pressure upon them to put a dollar figure on the table up front. To be fair, this is typically done so they may understand the budgetary commitment the organization needs to make in concert with the initiative. While this helps some, it rarely yields satisfactory long-term results. Why? As the saying goes, you don’t know what you don’t know. To be more precise, until a gap assessment is done, and the non-compliant states are then subjected to an operational impact assessment, no one will be able to gauge the true and full cost of compliance. The key here is to set expectations correctly, and to ensure they are memorialized in the meeting minutes. If it is an unqualified budget proposal and you will need to come back after the gap and impact assessments to communicate and get agreement on any variance, say so up front.
In a case study on this, a large financial institution believed, based on an audit and a budget swag, that it would cost the organization $40M to overhaul its information security program to comply with ISO 27001: 2000. After the organization wrote its information security policy and standards in compliance with the standard, and did the gap and subsequent impact assessment, it identified that it needed an additional amount equal to or greater than the originally allocated budget to bring both its internal and outsourced environments into full compliance. While that was great work, the expectation had been set, and reassured along the way with the Board, that after the first $40M the organization’s global operations would be secured. This is where setting the expectation correctly up front would have helped. State what you know and can qualify, and let them know that until the gap and impact assessments are completed, you don’t know what you don’t know (full implementation costs).
5. Acceptance
Inevitably, all organizations land at acceptance. They refuted the findings and retreated into seclusion, reemerged confrontational, attempted to negotiate, and ended up here. Accepting that the color blue is in fact blue, organizations arrive at a state where they are ready to productively move forward and mitigate their non-conformity issues.
In closing, I’d just like to remind you of a couple of things:
Your service provider performing the gap assessment did not create the non-compliant conditions; they only identified them, because you asked them to;
To avoid as many false non-conformity reports as possible, and the stress of managing them with your operations teams, make sure to contract a team that uses only experts in the field, not juniors a year or two out of school; and
During the process, you’ve probably been beating your service provider up quite a bit. That beating wasn’t in scope for the engagement, and while they didn’t charge you extra for it, the human impact lingers on. To be fair, find a way to show your appreciation for all the work, and for being professionally engaging in helping you get through the five stages of acceptance.