ISO27001 – Principle 3 – Responsibility
Ever wonder why processes and systems break down in your organisation? The answer is normally pretty simple and comes back to just one word: responsibility. If you don't assign someone the responsibility to get a task done or to own a process, then guess what, it'll fall over. All processes and systems left unattended eventually fall over. It's called entropy, and it's what happens when you don't assign ownership and responsibility for a process or system to anyone: it gradually declines into disorder, and to be honest, sometimes it's not so gradual!
It doesn't matter whether your system is, as in the case we are talking about here, an ISO27001 Information Security Management System (ISMS), your ISO9001 Quality System, your ISO14001 Environmental Management System, or just the system you use to ensure that things get done: if no one has responsibility, then no one owns it and nothing will get done. It's also incredibly hard to hold people to account for not doing something if they haven't actually been given the responsibility to do it. Obvious as that sounds, it never fails to amaze me the number of organisations that fall over at just this simple step.
Responsible for What?
When it comes to your ISO27001 Information Security Management System there will be a series of tasks that you need to get done, and you need to ensure that they are done. That's the difference between a well-run system and a system in entropy: things get managed so that availability isn't lost, confidential information isn't given to people who shouldn't have it, and the integrity of the information in your system is maintained at all times.
As you develop your system you will start to outline the key steps you need to take to ensure that it stays robust and that the data is secure, and someone needs to be responsible for each of these things. As part of that responsibility, however, you need to ensure that they have the authority to act as required, at the level required. That means they may need the authority to issue orders or make critical decisions for the organisation, as well as to enforce compliance, and the organisation needs to support that at all levels, even when it's hard.
Responsibility is Everyone's
It's not enough, however, to make one person responsible for everything in your system and for everything that could or does go wrong. That's not assigning responsibility, that's setting up a fall guy!
As you develop your ISMS you need to define clear levels of responsibility, not only for the system owners and managers but for everyone in the organisation, from the CEO all the way down to the apprentice who started yesterday. Everyone has responsibilities when it comes to your Information Security Management. For example, is every employee responsible for ensuring that their desk is clear of all data before leaving for the day (or even for lunch)? Who is responsible for determining what is confidential and what isn't? When an employee takes their laptop or mobile phone home, what are their responsibilities with respect to controlling access, or to using open wifi hotspots like cafés or airports?
Write it Down
It's not enough to just point at someone and say "congrats, you are responsible", or to trot out the old chestnut of the blanket statement that it's everyone's job to do it. That doesn't wash. When it comes time for the audit of your system, or when someone knocks on your door to say you are in breach of data security, that you have been hacked, or that a briefcase of documents has been found, saying that you told everyone won't help that much. In fact, it won't help at all.
You must document responsibilities clearly and in a way that everyone can understand. This normally means documenting them both throughout the procedures, in terms of which role is responsible for which section, and in your position descriptions, which are, strangely, one of the most underutilised tools in any management system.
Add a section or an appendix to everyone's job description clearly outlining their part in achieving and maintaining your Information Security Management System. Think of it as the top-level summary of all your other ISMS processes, all there in one easy-to-find and easy-to-read document that they are never going to lose, since you refer to it all the time. OK, so I know you don't, but you really should. Most people only pull out a PD when they are applying for a job, writing up their CV, disputing what they should or shouldn't be doing, or when the functional manager gets hold of it because they are looking to discipline someone. It really should be used more than that, and when you think about the ISO requirements for continuous improvement and review of documents, surely your position descriptions should be part of that process?
Just as with responsibilities under any of the other ISO standards, or even the responsibilities of the role itself, a table in a single appendix listing the things that the particular role is responsible for, along with the level of authority that comes with each responsibility, would be a good thing. And since your business systems will continuously improve, you need to be able to continuously update that area of the PD. Like every process in a management system, it's a living document, not something set in concrete and only ever dusted off in times of strife.
Ensuring that everyone knows exactly what they are responsible for, and how much authority they have, in your ISO27001 Information Security Management System is important, and you need to both write it down and educate people about it. You need to give people the tools to follow through on the requirements and, importantly, when they don't follow through there need to be accountability and consequences. Failing to keep your systems up to date with the required reviews, updates and improvements means they are going to end up doing one thing, falling over, and that gets expensive really quickly.
© Many Caps Consulting | All Rights Reserved