ISO27001 – Principle 2 - Awareness
I often ask people I'm working with, "if you want to fix something, to improve it, then what is the 1st thing you have to have in order to be able to do that?" I get all sorts of answers usually most of these resulting of spending a lot of money, which seems to be the default approach – there's a problem lets spend money. The real answer is actually very simple and best of all it's largely free. If you want to fix something or improve it you must first know there is a problem, a gap, so creating awareness is the key. Awareness about what is expected and if there are processes available to use or if something new needs to be created. It's the same with your Information Security management System, one of your most important tools is the ability to create Awareness.
What is Awareness?
It sounds silly to ask that question but actually again it's really important that the entire organisation has the same understanding of what things mean.. they have awareness about what awareness is! Talk about Chicken and the Egg situations!!!
Thankfully there is a ready-made definition that you can fall back on and it's really helpful because it comes from our friends at the International Standards Organisation (ISO) in the form of the ISO9001 Quality Management Systems Fundamentals & Vocabulary document where they specify exactly what awareness is, and it's a pretty good definition I have to say: Clause 18.104.22.168 of the document says: "Awareness is attained when people understand their responsibilities and how their actions contribute to the achievement of the organisations objectives"
To be honest, if you did nothing else in your organisation but focused on achieving just that one line then your organisation would be incredibly aligned and a pretty great place to work!
How do you get Awareness?
Remember that we are talking about awareness of your ISO27001 Information Security Management System here so its important to focus on the awareness of that system but the principles remain the same and again you can tick off a lot via steps in the ISO9001 Fundamentals & Vocabulary document just by working through 2.2.52 from Genera, People, Competence and communication since that's what it's all about.
Let's start with Competence, being competent generally means that you have had some training on something and that you have been assessed on it by someone else who is competent, simple right? So that means you need something to train and assess against which is where your procedures, information security protocols and system training come in, as you train people don't forget to sign them off in your HR system to provide the evidence that they are competent based on your assessments.
Be Clear about Responsibilities
What about when you hire someone, why not ask them then if they know anything about Information Security, if so, how much, is that knowledge linked to previous systems or is it based on ISO27001? What were they responsible for under that system? Obviously once you hire these people you will cover your own system and protocols within your own induction processes being clear what the requirements are and the individual responsibilities within those systems (again recording this in their HR Profiles)
For those already working for your organisation you need to ensure they are also clear about their responsibilities within your Information Security management System, what are they responsible for both directly & indirectly, who should they escalate things to who gets notified when they think there has been a breach?
Your conformance to your ISO27001 Information Security Management System should also be one of the things that is discussed come review time, and be included in a refresher program, or when there are system changes again ensuring that people understand what their part of it is.
Make People Understand their Part in the Picture
So now your people all know what their responsibilities are, and you have accessed them for competence, your done right? No not quite. You also need to make sure they fully understand their part in the full Information Security management framework, how do their actions support the systems you have put in place, how they support you in maintaining a high level of information security and in meeting your system objectives after all failure to meet your objectives or maintain the required information security can have serious consequences for your organisation and those within it so it's important people are clear on that as well.
Clear away Silos
There is no point only the IT team or HR team knowing there has been a breach, the senior management team don't then it's a bit of a problem. Each department worrying or thinking only about themselves cannot happen in today's interconnected world, a security breach or failure to follow your information security management policies in one area impacts everyone and needs to be communicated quickly and correctly to the right people, you need a process for that!
Continuous Improvement and Continuous Training
No system is ever perfect, and no one can ever remember everything so it's important to ensure that everyone is aware that the expectation is to look at how they can continuously improve your systems, which means they have to know and use them. Part of the steps to help this is to ensure that there is regular training and retraining on the systems ether because it's been a while between training sessions or because something new has been launched.
Your documented policies and procedures will be a bit help here, it's not enough to have them on a shelf or better yet on your integrated Quality Management System sitting in the cloud, people need to know they are there and they need to be using them and be reminded of them.
Integrate into Business as Usual
All too often systems like ISO9001 or ISO14001 get side-lined as add on systems, if your organisation is guilty of this then there is no reason to suspect ISO27001 will be any different. Yet it doesn't have to be, by integrating these systems into your existing processes, existing management meetings and assessments or reviews it becomes business as usual. It becomes easy to keep up to date and be aware of your system and for the system to actually add value to your organisation.
It Never Stops
Information Security is always going to be a challenge, how we use information, the speed we consume it and the type of information continuously evolves along with the risks associated with managing it. Being clear about these risks, documenting them, managing them and ensuring that your organisation is aware of the risks is a big first step towards a great ISO27001 Information Security Management System
Get In Touch
If you need any support in developing or improving your ISO or Quality Systems we'd love to hear from you, just click here to make an appointment and find out how we can help you Make Things, Better
You can also call John on 0211649739 to set up a meeting
Virtual Quality Management
© Many Caps Consulting | All Rights Reserved