When designing an ISO 27001 (Information Security) compliant management system, many things can go wrong, and if you are not careful you might end up with an information security management system that is not as good as it could be. By that I don’t mean that good systems are certified and bad systems are not. You can find systems that have been certified to comply with the ISO 27001 standard, but that are not designed to provide the most value for the business or its customers.
So what do I mean by a “good design”?
Well, good design in my view is a management system that will support the business, provide value to the business through increased revenue, lower cost and higher productivity, and also comply with the ISO 27001 standard. In addition, it will set an appropriate level of information security controls that is aligned with the stakeholders’ risk appetite. The system design would also take into account return on investment, i.e. the risk impact compared to the mitigation investment.
The most common mistake we see in designing ISO 27001 compliant systems is a system that is designed to an inappropriate level of information security. This can either be a system that ties down the business in too many unnecessary controls and hence prohibits the business from doing business (too secure compared to risk impact and likelihood), OR it can be a system that does not have enough controls in place (too insecure compared to risk impact and likelihood) and hence leaves the business open to risks that are not acceptable and not in line with the expectations of the business stakeholders.
The other common mistake is when the ISO 27001 standard is interpreted wrongly. Sometimes organisations think that they have to do something to comply with the standard when in reality they would not need to. A typical sign of this is when you see a large amount of documentation in a small organisation. Do you really need this amount of documentation to make the system work?
There can be many reasons for these kinds of design faults, such as inexperienced internal ISO 27001 project managers, use of inexperienced consultants, use of template systems which are typically one size fits all with little help on how to apply the template, and not enough time spent on the design phase due to extremely tight deadlines. I could go on, but these are the main ones.
How do you avoid all this?
- Get the right people;
- Train them well (if needed); and
- Make sure you invest correctly in the project and in the ongoing operational phase.
At JSC Consultant, our approach is:
- All our Senior Consultants have an extensive background in business.
- They also have many years of ISO 27001 training, assessment and implementation experience.
- No project is the same, and hence time is spent understanding the specific situation of the client and the stakeholders.
- Projects typically include a thorough gap analysis and risk assessment as input for the system design.
So if you are considering ISO 27001, call us now to discuss how we can help you design and implement a great ISO 27001 compliant Information Security Management System and avoid all the pitfalls.