ISO27001 Principle 4 - Management Commitment
Let's face it: when it comes to any form of system, process or way of working, the one sure thing that will kill it quickly and drive staff morale into the gutter is a lack of management commitment. We spoke about the need for this in depth when we looked at the requirements of ISO9001:2015 for Quality Management Systems, and it's exactly the same requirement in ISO27001 for Information Security Management Systems; the clue is, after all, in the name… Management Systems. Without top management being a real part of the system, not a bit part, there is no hope of it surviving and benefiting the business.
What is Management Commitment?
For a start, management commitment is far more than signing your name on the line or standing up and saying 'we are committed to this standard'. That is lip service and means nothing; commitment is all about actions.
Management commitment means being knee deep in the system and understanding that it is a living, breathing thing that needs close attention and constant nurturing and improvement. It's about being able, when you talk to your staff on a day-to-day basis, to reference the management system and show that it applies to what they are doing. It's about asking how the team are working within the system and what issues stop them from doing so easily, then finding ways to support them in improving the system so that it is simpler to use.
Anyone who reads our blog on even a semi-regular basis knows that we are passionate about a lean approach to everything. One of the fundamentals of lean is going to the gemba, the place where the real value is added. It means getting up from behind your desk, leaving every assumption you have there, going to where people actually do the work and asking questions in a bid to truly learn and understand what's going on. You can't do these gemba walks with a preconception of what you want to find; sometimes, just like an audit, you have to follow your nose. You also need to be there regularly, multiple times a week, not once a month on a Wednesday afternoon between 2 and 3pm.
By undertaking the walks and asking how the ISMS is working within your organisation, a few things happen. Firstly, your team know that it's important to you because you are asking about it, and that means it becomes important to them, especially if it is a frequent thing and not a flash in the pan. Secondly, by asking how the system is working for them you open the door to feedback on ways it could be improved, which is, after all, a key element of any management system. If you really are committed to the system growing and benefiting the business, you must be committed to supporting and improving it.
Be Committed to your Stakeholders
Another part of management commitment is commitment to your stakeholders, both internal and external. Internally you have your staff at all levels of the organisation, from the person at reception or in the mail room (do they still exist?) to the finance team, the HR team and your board of directors, and you need to think about the impact on each of them. What are the needs of each group? Do any of them conflict, and if so, how can you avoid that or live with it?
You also have external stakeholders to think about, so you must look outside your organisation and consider the impact your Information Security Management System will have there. Regulation is a particularly prevalent example, given the pace of change and the international complexity involved. Take the European GDPR (General Data Protection Regulation), where the requirements are substantial and the consequences of getting it badly wrong are not small in the least. Add any local, federal or national regulations in the areas you operate in and it can get tricky, so involving those stakeholders and seeking advice is a smart thing to do.
Results of a lack of Commitment
I thought about this section a lot: did I really need to add it in or not? Unfortunately, the reality is that the vast majority of systems and processes fail for one main reason, a lack of real management commitment. The failure of middle and senior management to talk about, support and be part of the management system is one of the causes of business failure today. Companies still look to a few people to implement a system (we say implement, but in this case we really mean inflict) and then expect everyone to just get on board, or worse, pull out the procedures only when something goes wrong. We can guarantee that without management commitment, and without thinking about your stakeholders, things will go wrong, and typically badly. If your ISO27001 Information Security Management System doesn't work, the result is not just the odd email going out that shouldn't; it is the potential exposure of every last bit of personal data, intellectual property and customer information, to name a few, and that is not a good thing.
Get In Touch
If you need any support in developing or improving your ISO 27001 Information Security Management System or ISO9001 Quality Management System, we'd love to hear from you. Make an appointment and find out how we can help you Make Things, Better.
You can also call John on 0211649739 to set up a meeting
© Many Caps Consulting Ltd | All Rights Reserved