Dejan Kosutic Very often when I start ISO 27001 consulting job in a company I hear complaints from system administrators, IT managers, and other IT staff like, “Oh no, now we’re going to get swamped with a bunch of documents,” and, “Great, we’ll have to work overtime now”, etc.
But the fact is, ISO 27001 can make their job easier if they knew how to get benefits from it; if they approach it negatively, then sure – the documentation will become overhead, and they will work longer.
In my experience, here are the four main areas where you can benefit the most from the ISO 27001 project:
Save your time. Do you ever think about those things that cost you the most time in your regular work? Is it because the users of your information system are making all kinds of mistakes (not to use some heavier word here), so you have to spend endless hours correcting them? Well, ISO 27001 is all about defining clear rules – who can do what, how, and who is responsible. Yes, you’ll have to invest time to set these rules properly, but once they are in place the chances are your users will create fewer problems.
Get the attention of your senior management. You have probably been in a situation where you proposed some changes in your work, or proposed some new technology in order to increase the level of security. Very often the answer to this kind of initiative is “Is this really necessary?” If you start implementing ISO 27001, one of the things you’ll need to do is so-called risk assessment – this basically means you’ll have to systematically go through all potential problems and choose which ones are the most likely and which ones might hurt your company the most. Then you can present these results to convince your management that some issues really are top priority.
Protect yourself. When a security incident occurs, usually the IT department is to blame: “Why didn’t you prevent that?” or “Why didn’t you react more quickly?” First of all, with ISO 27001 implementation you define roles and responsibilities very clearly – therefore, if someone has made a mistake because he or she didn’t comply with the procedure, the management won’t be able to blame you. Secondly, during this kind of project you will have to propose changes toward your management in a formal way – if they reject them, then you have a documented trace that you did your best to prevent incidents.
Enhance your career prospects. You may consider information security as being a drag, but the fact is – the security industry is growing very quickly, even quicker than the IT industry. Therefore, with the experience both in IT and in information security (you can also ask to attend some security courses), you can advance even quicker.
So, rather than resisting ISO 27001, start thinking about how to use it to make your job easier.
To learn more about ISO 27001 implementation project, see this free online training ISO 27001 Foundations Course.
