This entry was posted on Tuesday, June 19th, 2012 at 15:50 and is filed under Main. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.
There are probably two main thoughts managers have when starting ISO 27001 implementation: (1) we’ll pay quite a lot of money for something we’re not sure is worth it; and (2) the annoyance of maintaining such a system will cost us even more.
Yes, ISO 27001 does require an investment, but I would strongly argue that such investment pays off very quickly (see Four key benefits of ISO 27001 implementation). The bigger problem here is this: how to minimize the costs of running such a system, especially the time required of employees that have to “lose time dealing with all that documentation.”
And yes, I do agree that very often large quantities of documentation or inappropriate documentation is a problem – it simply takes too much time to comply with it (and to maintain it) without any obvious benefit. Therefore, here are 5 simple principles you should bear in mind when developing your ISMS:
Don’t get too ambitious
Basically, create only the documents you really need – if you’re a company of 10 employees it is not likely you’ll need a written description of the operating procedure for a security committee.
How would you know which documents are needed? You should start from ISO 27001 clause 4.3.1 where all the mandatory documents are listed (see also Mandatory documented procedures required by ISO 27001); add to this documents required by other interested parties (legislation, agreements with clients and partners, etc.), and areas that are very complex or are very risky – they normally need policies/procedures to define operating rules.
Bottom line is – the purpose of documentation is to serve your company, to describe the processes to your employees – not to satisfy the certification auditor.
The documentation should be written by those who will be using it
Not only do you need to avoid unnecessary documents, you also need to avoid unnecessary content in required documents. Very often I see consultants or security experts pushing too much text into a document that could have been much shorter (and easier to comply with).
It would be best if the documents are written by the employees who will be using those documents in day-to-day operations – they will make sure all the unrealistic parts are removed because otherwise they would make their own lives miserable.
Get commitment in the early phase
And having miserable employees is the best way for them to start avoiding compliance with such documents, which will contribute to the general consensus regarding the “needlessness of such documents.”
To avoid such an image, besides including the employees in writing the documents, it is also important to run awareness and training programs – such programs should run parallel to the implementation of documents/controls, because once documents/controls are implemented (without proper preparation), the image could already be turned irreversibly in the wrong direction.
Maintain the documentation
Did you ever try observing an outdated procedure? Pretty much a time-wasting experience, wasn’t it? To avoid this, you need to make sure your documentation is up-to-date – to achieve that, these elements need to be in place: (1) each document should have an owner who should periodically check whether the document needs to be updated; (2) regular and thorough internal audits should find irregularities in the documents; and (3) corrective and preventive actions should be effectively implemented so that all nonconformities are continuously eliminated.
Measure if you achieved what you planned for
Measuring information security effectiveness is still considered to be something almost mystical; above all, it is thought of as THE overhead.
But I would argue differently – if you cannot prove that information security makes sense, it will always be perceived as an overall overhead, wouldn’t it? So in my opinion it does make sense to set some clear objectives (they don’t have to be numerous) and occasionally check whether you have achieved those. Such checks don’t have to take too much time, especially if you already have some kind of Balanced Scorecard in place – and it will show very vividly to your top management whether an investment in ISO 27001 did make sense. If it did, they will make an even greater effort to support it.
Here you can download free preview of ISO 27001 Documentation Toolkit.