ISO27001 – Information Management is more than just IT systems
When organisations start thinking about information management and the security of that information they automatically look towards their IT and typically the CIO or IT Manager gets the call and told to 'secure it', because it's that simple right? Wrong! And wrong in a number of ways.
Information is all around
Firstly, it's important to not think about ISO27001 as an IT requirement, there are certainly elements in there but it's not exclusively that. As we mentioned in our initial post on ISO27001 the organisation needs to understand what information really is, especially within its own organisational context but within the world at large today. Consider your last operations meeting for example. Did your team bring a printed set of minutes? What about reports? Did they take notes in a notebook they carry around with them, you probably projected information onto a large screen, maybe you even wrote stuff on the white board. Now when you left that meeting, you will have switched off the projector and the PC used will either be switched off or hopefully gone into sleep mode and need a password to log back in, great all your information is secure right? Wrong. How many copies of the agenda were left on the table? Did you wipe off the whiteboard? Worse still, does your whiteboard face a window that isn't screened? Did everyone take their notes with them, when you return to your offices is it just left on your desk?
You see information is device agnostic, it'll be in the print outs you have, the reports you read, the whiteboards you write on, the charts you put up on the wall the notebooks you use. None of those things would be remotely covered by the IT department. When Bob accidentally leaves his phone or his laptop or tablet in the back of the taxi, IT can Geo-locate it with the software they have installed and most probably wipe it if needed, if Bob leaves his handwritten notebook or board papers however, well that's a whole other issue.
Also think about what's sitting on your desk, is it a clean desk or are there mountains of paperwork, charts, finance reports, proposals and notebooks there. It's on your desk, it's safe. It possibly is, except that you may have cleaners pop in to clean your office, should they see this, what if they take it with them? What if an employee sees something that they shouldn't and shares that with their friend at the pub and your next big thing is suddenly, well not so big?
Information is information, its on paper, its on smart devices, dumb devices, chalk boards white boards, charts and notice boards, it really is all around us, so your Information Security policy needs to consider all of it, not just the cleaver IT stuff.There are various ways to do this and we'll cover that in some of our upcoming posts.
Information is about more than things
Don't forget that when it comes to information, the information you hold on your people is also critical. Many countries have privacy laws which would prohibit the release of personal information, but what if it were stolen? Or just inadvertently made public? Things like personal addresses, emails, bank accounts and other HR related information like performance, pay levels, disciplinary information and so forth need to be thought of as well. There is information in peoples heads, those key scraps of institutional knowledge that only certain people know that keeps things ticking along, these and many more things must be considered as part of the process.
The Value of the Information
From a Market value point of view what would happen to your organisations over all value, the share price if it were to be make public or acquired by someone who shouldn't have it. Would your ability to raise cash be impacted, the ability to pay your staff?
ISO27001 doesn't distinguish between information sorted electronically or physically, it's all information. Equally it doesn't care what that information is about, it could be people, it could be products or processes or systems, it doesn't care. The standard only cares that you have decided what your information is and what controls are in place to manage that information and its availability.
Next we are going to talk about some principals that underpin the ISO27001 standard that will help you on your way to thinking about things a little differently.
Get In Touch
If you need any support in developing or improving your meetings then click here to make an appointment and find out how we can help you Make Things, Better
You can also call John on 0211649739 to set up a meeting
© Many Capos Consulting | All Rights Reserved