
ISO27001 – Principle 8 – Active Systems and Active Involvement

You may have noticed that we used the word Active twice in the title of this principle; that was deliberate. When it comes to your Information Security Management System, relying on passive, reactive security steps is going to be disastrous for your organisation. Waiting for something to happen (or, worse still, something happening without you knowing it has happened) and then going gangbusters to deal with it after the fact is not a good approach, and not one that ISO27001 for Information Security Management Systems is going to accept.

What is an Active System?

If we have a quick check of the dictionary, we get some definitions for Active, shown below:

  • 1. characterized by action rather than by contemplation or speculation
  • 2. producing or involving action or movement (Action - the accomplishment of a thing usually over a period of time, in stages, or with the possibility of repetition)

In other words, it is not sitting around waiting; it is working in advance. Think about it a little like this: you have a large pile of gold that you want to protect. You have two choices. You can have some Active security on it: guards that patrol the gold, and dogs that also patrol it and sniff it once in a while just to make sure it is still real gold and has not (unfortunately for the dog) been magically switched for sausages. Or you can be a little more passive and put up security cameras around the gold, so that if someone does take some you will possibly get them on camera and possibly catch them later. Which one do you prefer?

An active system is always doing things to keep things secure. In the IT world you can have your antivirus scanning, anti-malware systems, intrusion detection, spam detection, sniffer detection and so on; they actively check things all the time. Emails are scanned as they arrive, websites are checked for trusted certificates, and so on. In the physical world, however, it is a little harder: how do you actively protect that bit of paper on your desk, or the folder of personnel records in your bag in the car? That is where your documented systems and training really come into play. Ensuring that you clear off desks, lock things in car boots, or just don't carry certain things out of the office all forms part of your Information Security Management Policy. Of course, the other part of an active ISMS policy is that it is reviewed on a regular basis and updated where it makes sense, and that you measure the effectiveness of your systems.

Active Measurements 

Measuring how well your systems are performing is important. Knowing how many malware, phishing or password attacks you get matters, and unless your system is actively looking for these you may miss them. That is unlike the things you will notice 100% of the time, such as a ransomware attack that encrypts your data and demands payment, or a Denial of Service attack that simply takes your systems down.

Just counting them, however, isn't really going to cut it. The risk when setting up a measure, and a KPI linked to that measure, is that you drive the incorrect behaviour. If you just put up a notice that you have had 10 attacks and they were all taken care of, then people become less actively involved in keeping the system operating correctly. Worse still is the KPI that you set. It is not unusual for organisations to use the universal 5% reduction approach to their KPIs: they look at last year's numbers and apply a 5% reduction to the target so that, in theory, they improve by 5%. Even worse is to set a target of zero. It doesn't work anywhere, and especially not in your Information Security Management System.

These types of targets do one thing: they stop engagement in your systems. People are no longer active participants; they don't report things that they should, because it will push the number up and blow the KPI. If the number gets too high someone is going to get blamed, and bonuses or pay rises may be on the line. It is critical to remember that if you are getting more breaches of your ISO27001 ISMS then it is not a person problem, it is a system or process problem, and that is where the focus needs to be. You have a gap: it could be training, or it could be that the system wasn't designed right in the first place. You need to review the breaches and understand what their root cause really is; just because two breaches look different on the surface doesn't mean they don't have the same underlying root cause.

Always Be Active 

Being healthy is about staying active, and your Information Security Management System is exactly the same. To have an Active System with Active Involvement you need breaches of your systems to be reported, no matter how small and how often. It is not about limiting the number artificially; if you have good systems, good practices and good training then the numbers will reduce over time, and you will be able to trend that and demonstrate it. By monitoring it you will also be able to spot the outliers that may give you a clue to something bigger. In the same way that an audit is only valuable if opportunities for improvement or corrective actions come out of it and you action them, your Information Security Management Policy will only be of use if you find issues and fix them on a regular basis, and throughout that process attach no blame to anyone, because it is the process that is the problem. As soon as blame starts, the number of reported incidents goes down; they go underground, and that is no longer active participation.
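The two points above (trend the reported incidents and look for outlier months, and review reports for shared root causes rather than treating each one as a separate person problem) are easy to demonstrate on a small incident register. The script below is an added example written for this page, not code from the original post or from Many Caps Consulting; the register it uses is constructed, aggregated sample data, and the median/MAD outlier rule and the three-deviation threshold are the example's own assumptions, not anything ISO27001 prescribes.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed, aggregated incident register for one half-year (not real data):
# (month, what was reported, root cause found at review, number of reports).
# The root-cause column is what a review adds to a bare count; note that three
# different-looking report types share the same cause.
REGISTER = [
    ("2020-01", "phishing link clicked", "no awareness training", 2),
    ("2020-01", "papers left on desk", "clear-desk rule not communicated", 2),
    ("2020-02", "phishing link clicked", "no awareness training", 3),
    ("2020-02", "laptop left in car", "no awareness training", 1),
    ("2020-02", "papers left on desk", "clear-desk rule not communicated", 1),
    ("2020-03", "phishing link clicked", "no awareness training", 2),
    ("2020-03", "shared password", "no shared account for a team tool", 2),
    ("2020-04", "phishing link clicked", "no awareness training", 3),
    ("2020-04", "papers left on desk", "clear-desk rule not communicated", 2),
    ("2020-04", "shared password", "no shared account for a team tool", 1),
    ("2020-05", "phishing link clicked", "no awareness training", 3),
    ("2020-05", "unlocked screen", "no awareness training", 2),
    ("2020-06", "phishing link clicked", "no awareness training", 11),
    ("2020-06", "unlocked screen", "no awareness training", 1),
    ("2020-06", "papers left on desk", "clear-desk rule not communicated", 2),
]


def monthly_counts(register):
    """Total reports per month, oldest month first."""
    counts = Counter()
    for month, _category, _cause, n in register:
        counts[month] += n
    return dict(sorted(counts.items()))


def flag_outliers(counts, k=3.0):
    """Months whose report count sits more than k median absolute deviations
    (MAD) away from the median of all months, in either direction.

    Median/MAD is used instead of mean/standard deviation so that one spike
    does not drag the baseline up and hide itself. When nearly every month is
    identical the MAD is zero; the code then falls back to a scale of 1 so a
    month differing from the median by more than k reports is still flagged.
    A sudden drop is flagged too: that is the "reports gone underground" signal.
    """
    values = list(counts.values())
    centre = median(values)
    mad = median(abs(v - centre) for v in values)
    scale = mad if mad > 0 else 1.0
    return [month for month, v in counts.items() if abs(v - centre) > k * scale]


def root_cause_breakdown(register):
    """Reports grouped by root cause, then by what was reported, so that
    surface-different reports sharing one cause are visible together."""
    by_cause = defaultdict(Counter)
    for _month, category, cause, n in register:
        by_cause[cause][category] += n
    return {cause: dict(cats) for cause, cats in by_cause.items()}


if __name__ == "__main__":
    counts = monthly_counts(REGISTER)
    for month, n in counts.items():
        print(f"{month}: {n} reports")
    print("outlier months:", flag_outliers(counts))
    for cause, cats in root_cause_breakdown(REGISTER).items():
        print(f"{cause}: {sum(cats.values())} reports across {len(cats)} report types")
```

On the sample register the monthly totals are 4, 5, 4, 6, 5 and then 14, so only the June spike is flagged, while the grouping shows that "phishing link clicked", "laptop left in car" and "unlocked screen" all trace back to the same missing awareness training, which is where the corrective action belongs. Because the outlier rule is symmetric, a month with unusually few reports is flagged as well, which is the check you want when a blame culture starts to suppress reporting.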


Security breaches of any type in your ISO27001 Information Security Management Policy are not ideal, but they will happen. It is the steps you take to recognise them and do something about them that will set your system apart from others in terms of success. Having an active system that is constantly looking for breaches, actively involving your people, and making it easy for them to follow the rules is a great place to start.

Additional Resources 

Here are some really useful websites that you can go to for more tools and information on preventing breaches in your systems:

CERT NZ is New Zealand's government agency for cyber security
UK Government Cyber Security
The Australian Cyber Security Centre (ACSC)
National Cybersecurity Hub for South Africa
The US Cyber Security Agency



© Many Caps Consulting Ltd | All Rights Reserved

Sunday, 31 May 2020