
ISO27001 Principle 5 – Set Some Values

When organisations start out on their ISO27001 journey they sometimes forget to stop and really think about the design of their Information Security Management System (ISMS); eventually that catches up with them. One factor in that design that most seem to gloss over is the set of values the system is built around, and that is what this post is about.

Values are an interesting topic and one I'm really passionate about. If you haven't read our blog posts on values, the links are below; go and read them, they will help you on your journey to a great ISMS.

Can We Talk About Your Core Values?
Communicating Your Core Values
Finding Your Core Values
When Someone Won't Live The Values

Value Alignment Is Important

Alignment in any organisation is critical to its success: the more aligned everyone is, and the clearer they are about why the business and its processes exist, the better they can deliver. The values of your information security system should not differ from your organisational values; they should reflect them and what they stand for. The wording used to explain the values in an information security context may differ slightly, but the underlying meaning and feeling attached to those values should not change, otherwise you create confusion and a disconnect between the system and the organisation.

What Values Does Your ISMS Reflect?

When you think about information security, what comes to mind? Is it James Bond style secret agents with microfilm (or a USB stick) hidden in a shoe, is it a bot stealing your data from a thousand miles away, or is it Dave in finance leaving his laptop and his handwritten notes from the last strategy meeting on the train? It's important to think about this, because it will very much shape your approach and the values your system reflects.

If you are thinking James Bond, your approach will be pretty repressive: everything locked down so tightly that you end up doing retinal scans and blood tests just to get in the door, and no one really enjoys that.

At the other end, when Dave has left everything on the train, there are again good ways and not so good ways to respond. You can take a draconian, big brother approach. That will almost certainly strike fear into people, who will not dare step out of line for fear of the punishment when something genuinely accidental does happen; it drives everything underground and ensures that nothing but the most serious issue ever gets reported. Or you can accept that people are basically good, that they will try to follow a system that is helpful and enabling, and that a system which encourages openness ensures everything that needs to be flagged is flagged and people work with the system rather than around it. Which one do you think works better?

If you build a system around things like honesty, fairness, trust and respect, people will respond to it. If you take a caring approach when Dave walks into the office pale faced and nervous because the laptop and notes are still on the train, you will go much further towards having a great system, because you have enabled people to take responsibility for their actions and for putting things right.

Think about the Outcomes of Your System

When you are thinking about the foundational values and how you will put them across, think about the outcomes you want from the system. It needs to be an enabler for the organisation, but it also needs to help ensure the security of your valuable IP. Have a system that is ethical, treats its users with dignity rather than as prisoners of it, helps and expects people to keep the promises they make around it, and has people take responsibility for the tasks within it, and you are going to have a great system.

You are going to have a system that people will use, will feed improvements back into, and will respect; and, most importantly, they will keep using it.

Ready To Start Your ISO27001 Journey?

Make a booking now and find out how we can help you Make Things, Better



© Many caps Consulting | All Rights Reserved

Monday, 26 October 2020
