ISO27001 – Principle 1 – Take Care
When you parked your car this morning did you lock it and put valuables in the boot, so they don't get stolen? What about when you left your house, I bet that was locked up, windows closed, oven and cooker off so as not to burn the place down. You don't want come home and find that your house is empty of all your possessions, that your family photo's are all gone and the mug that your daughter made you at school for being the worlds best dad is in very small pieces on the floor. You took care because they were important to you.
Your Information is Precious Too
If you stop and think about the information within your organisation, about how you came about that information it's precious as well. You had to gain the information over months, years or even decades. It came via the people you hired, many may still be there, but many will also have left or retired, so you ensured that before they left the information they had was captured. Some you will have gained as you trained people, some will have come through research and development work or day to day work and improvements that you tried that were a success and some that were not. All of this information builds to give you the advantage, the strategy that you use to succeed in your chosen arena. Yet it's not always that well looked after. If it were a car, a house, a building or a machine in your organisation it would have a maintenance plan, it would be insured, taken care of, there would be contingencies in case it fails yet for most organisations the same thing can't be said about its information yet it's one of the few things when one company buys another that actually drives up the value, companies acquire each other to gain information in all it's forms. People hack organisations to gain information either so they can use it themselves or sell it to the highest bidder, information is a very precious commodity, and its value is only going up.
Taking Care of Information
The very best way to look after your information then is to come up with a scheme or a plan to look after it, that's what ISO27701 is, it's the standard dedicated to outlining the best way to set up an Information Security Management System (ISMS). A well thought out ISMS will give you a clear view on how to control your information, what in fact information is in all its guises and that you need to take care of it, in all its guises.
As part of this process, and you do need to take a process approach to it, the team charged with developing your an Information Security Management System needs to look at the level of care required to help you protect your asset, they need to analyse the threats and the weaknesses to your current systems and your way of thinking as an organisation, that mean that everyone needs to be on board and it needs to be lead from the top and it needs to be in place form the very start.
They need to develop an inventory of your information, what is it, where is it and how is it shared. When you think information security its understandable to think electronic but it's more than that, you need to look at in multiple places and in multiple ways, for example:
- Material Format of the Information - is it on paper, in books, on a white board, on post it notes or is it digital
- Knowledge – is it internal knowledge of stuck in your employees heads, is it on paper, is it know how that is held by contractors or customers, is it in a patient
- Storage – how is it stored, is it digital, if it is what is the medium, is it in the cloud, on hard drive, optical, a USB or 5 ¼ floppy Disks!
When it comes to transmitting or sharing the data how is that done?
- Digitally – is it only able to be shared internally or can it escape, is it done on email, on a shared server, on a SharePoint or Microsoft Teams' environment, could it be in a messenger program like WhatsApp, is it encrypted
- Physical – is it printed material, bound up in a book or a folder, information left on a whiteboard, can it be sent by post or a courier or hand delivered, or left on a bus?
- Verbally – is it going to be discussed in closed door meetings with only certain staff or is it stuff you can discuss in the open with all employees or the general public.
What's the Harm?
As you start to understand your list of information and review how and why it needs to be controlled you also start to understand the harm or risk associated with that information be available to those that shouldn't have it or in deed losing it completely. Once this gets underway the phrase that normally pops out of Oh @#$k, because it's quite a confronting realisation to see it all laid out in front of you and see how big a concern and risk it all really is, it's not unusual to get slightly paranoid about your information.
Take Care and Look After It
You now you have the list and you know the risk, the next step in your process of care is to figure out what steps and controls need to be in place to ensure you as an organisation takes the right level of care of each type or piece of information and importantly, how you will maintain this level of care an avoid entropy setting into your systems.
Can you develop a zero point of failure system, do you constantly back up to the cloud, to multiple clouds, do you have hot swap hard drives or real time backups, do you limit where people can store things, are your white boards self cleaning (is that a thing?!) Will you have secure entry to the buildings, certain rooms, will you have 24/7 alarm monitoring or perhaps a security guard. The list goes on and on.
The key thing is that once you put in your controls you need to monitor them and ensure that they are doing what you want them to do. That means they need to be reviewed on a regular basis and modified where required.
Just Good Business Sense
It's not unusual for IT to be the forgotten area of a business, things seem to work so it's Ok, let's not spend money there. Information is typically the same boat and your Information Security Management System will undoubtedly fall to the IT group. When you look at the scope of what you need to do and the impact it has you quickly realise that taking care of information is about taking care of the organisation and that just makes good business sense.
Get In Touch
If you need any support in developing or improving your ISO or Quality Systems we'd love to hear from you, just click here to make an appointment and find out how we can help you Make Things, Better
You can also call John on 0211649739 to set up a meeting
Virtual Quality Management
© Many Caps Consulting | All Rights Reserved