This week I was asked...
"Our Head of Risk and Head of IT don't speak. How can ISO27001 solve that problem?"
I've previously written about how a security certification is a communication tool, not a goal. Rather than list all the topics studied, you can simply say, “I am CISSP certified”.
To be clear, that doesn't mean “I know everything there is to know about cybersecurity...”. But it does mean that you have been examined on a broad set of security topics and have at least five years of experience in the cybersecurity field.
Similarly, ISO27001 certifications are great for communicating with customers and suppliers...
But can the process of security certification help internal communication also?
The Process of ISO27001
When I wrote about what it takes to get ISO27001 certification, I outlined the steps needed to complete the process:
- Defining the scope of the certification
- Risk assessments
- Risk treatment plans
- Defining policies
- Defining procedures
- Collecting evidence
While that may look like a step-by-step list, two very different skill sets are involved.
Risk Management and Treatment
The first half of the list is all about risk and risk management:
Defining the initial scope so that it covers the critical areas of the business, as outlined by the executive team; identifying the risks posed to the company; and deciding how those risks can be mitigated.
Simply, it's all about...
What could go wrong?
How do we reduce the likelihood of that happening?
Or the impact if it did happen?
Then comes defining the policies...
We will work by these principles, and these are the specific actions we need to complete.
This is excellent work for a Head of Risk.
Beautifully documented policies are lovely. However, without implementation they provide no security. Policies state intent. Processes and procedures provide protection.
Without policy guidance, it's impossible to constrain the endless possibilities of security activities that “could be worked on”.
Policies create a set of objectives to be completed.
Enter the Head of IT...
“A.C.3 Use multi-factor authentication (MFA) wherever it is available.”
That's a great policy statement. It will certainly help reduce some business risks.
But how is that going to be implemented?
What services and systems do we use in our business?
Do they support MFA?
Is there a common MFA that can be used across all the services?
These are just a few of the questions that will immediately spring to mind. IT administrators and managers love to solve problems, and the policy has just handed them one.
From there, it's a case of design, documentation, implementation and audit.
By using policies as the communication tool...
Your Head of Risk can actively manage what could go wrong within the business and how the risks need to be mitigated.
Your Head of IT can take the policies as high-level objectives and solve the problem of their implementation.
So, the certification process can help internal communication and alignment just as much as the final certificate communicates to customers and suppliers.