Having objectives is pretty important if you want to achieve something or get somewhere. Organisations (hopefully) have objectives for most things like profitability, sales per year, marketing and even their ISO9001 Quality Management System. It makes sense then that there should be some objectives linked to your ISO27001 Information Security Management System. As luck would have it, clause 6.2 of the ISO27001 standard is labelled Information Security Objectives and Planning to Achieve Them; here is what is involved.
Think carefully about what you are trying to achieve with the objective; having things like zero incidents is not a great way to go. You absolutely will have incidents; setting a target of zero means either an instant fail when you do have an incident or people won't report them. It is how you deal with them that counts. One of the objectives should surely be getting people to buy into and use the system and know the policy, so how will you do that?
This is an interesting point for me, because on one hand ISO says measure your objective, on the other hand it is basically saying only if it is feasible or you can do it successfully. Here is my advice: do not set objectives you cannot measure; if you do, you will never know if you are winning or losing. When something seems too hard to measure, consider what other leading indicators would give you a clue as to whether the objective is succeeding.
What they are saying here is that you have to be realistic about the objective and it should be based on something. For example, the objective you set for your ISMS at, say, NASA is going to be very different from the one at Joe Bloggs Plumbing (no offence to Joe Bloggs Plumbing). The level of risk, the consequences and so the risk treatments are just not the same. A great approach is to head to Annex A of the standard, where it lists all the control objectives and control suggestions; what things there should you implement or improve?
Communicating it once by standing in front of your entire workforce and reading out the objectives is not communicating it. Five minutes after you do it no one will remember. Do not get me wrong, it's a start; a better start however would be to actually involve your people in defining the objectives if possible. If not, then run workshops on them as a roll-out. Talk about the objectives, how they were selected, what the impact on the business and, more importantly, on the person is, and how they can contribute. Then plan more reminders until everyone knows them off the top of their heads and pleads with you to stop.
Like everything in ISO it's about continuous improvement, getting better over time, which is probably why they appeal so much to my lean geek self. Think about this one however: the key word is appropriate. What is appropriate? It depends! It could be annual, but that is unlikely; it could be when the business changes or when laws change, e.g. the pending update to the NZ Privacy Act (Dec 2020) will almost certainly impact your information security management objectives. As technology and work patterns change you need to think about the impact; think of the impact of COVID-19 and the level of working from home, for example.
The second part of the requirements of this clause actually defines what a plan is. In other words it's not good enough to make a list; a plan needs some very specific things attached to it, and that way it'll be followed through on. Again, ISO 27001 clause 6.2 has the answer for you; here's what you need in your plan:
It is not an unreasonable list, is it? Without any of these things it's not a plan, it's a list, and it won't succeed. Do yourself and the organisation a big favour and take the time to really think this through; it will pay huge dividends later.
As part of your ISO27001 ISMS processes you will have built-in management reviews; that is the perfect time to check on progress against these objectives, but do not wait till then. Review them when it makes sense to do so, change them when it makes sense to do so and, above all, communicate them all the time.
© Many Caps Consulting Ltd | All Rights Reserved