Author: Lynette Botha, Senior Information Security Consultant at Performanta
As organisations approach the implementation of an ISO integrated management system such as ISO 9001 (quality management system) and ISO 27001 (information security management system), it might surprise you that there are actually no hard and fast rules. There are many ways to achieve the same objectives, with most people going about this in their own manner and with their own interpretation. Ultimately, of course, they all need to comply with the core requirements of the standards to achieve this certification.
However, this individual interpretation can lead to some ‘not so clever’ ways of going about it, which could result in failure - or even worse - disastrous consequences for an organisation. Time and money are easily wasted on inefficient and ineffective controls, the result of misinterpreting how the principles and requirements the standards propose should be applied.
One pitfall is trying to implement all of the controls listed in the ISO 27001 standard, which is not necessarily advisable for most small to medium organisations. At the other end of the spectrum, larger organisations may choose to go down the ‘big bang’ route, with a business case, good reason and the associated cost.
ISO 9001 advocates a process approach for a very good reason. Processes need to be defined, documented and taught to ensure everyone knows their roles and responsibilities, and what it is that is going to make them succeed in their jobs. This is not a one-off exercise; it is ongoing: mentoring, learning, and taking an interest in employees’ aspirations. Competence is a huge factor, whether you are adopting new technologies or updating existing ones. We need to keep our employees up to speed and up to date in order to provide quality services to our valued customers.
Most importantly, the interrelationships between processes are of paramount importance and are key to their success. Many organisations choose one or just a few divisions within the organisation to be ISO certified, as it is perceived to be easier and quicker. The truth of the matter is that for a certification such as this, all aspects of the organisation need to be taken into account and be prepared for what is really a company-wide certification. HR, marketing, sales, alliances, business relationship management, project management etc.; they all have crucial roles to play in the certification process.
ISO 27001: Assessing & Mitigating Risk
ISO 27001 takes a risk-based approach to information security. This means that an organisation should focus on implementing the key controls that will best serve it and protect it against information security events, incidents and breaches. Of course, these incidents cannot always be avoided, but there always need to be processes in place to ensure we know how to deal with these events should they occur.
However, we should also consider the full landscape of controls, as proposed by the standards, to ensure that we have not missed anything critical that could have a negative effect on the organisation, including in the longer term.
Organisations strive to improve their internal and external operations to better serve and sustain the business over the longer term. This should happen in alignment with these international best practices which, as we know, have been around for a very long time for a reason: they are tried and tested and have been improved over many years, which means there is no need to reinvent the wheel.
Implementing an integrated management system such as ISO 9001 and ISO 27001 proves to be sustainable and secure. By embracing a constantly improving quality and security posture, organisations adopting these standards, such as Performanta, are well equipped to offer their customers a solid foundation of excellence that helps build the trust on which to establish and maintain their relationship.