For raising awareness, this is a good place to start: work at the management levels, as high as you can go. There are several ways of actually doing that, such as:
• Directly working with your senior security contacts/friends, including colleagues in risk, compliance, legal, IT, facilities and Internal Audit. They already have some awareness of information security but may be unfamiliar with ISO 27001 and ISMS concepts, and may have a rather narrow IT security perspective.
• Drawing up strategies and plans for the ISMS, linked as explicitly as you can to corporate strategies and plans. The closer and more obvious those linkages, the harder it will be for management to resist the need for security in support of the business. Work hard at this - it will pay off big time in the end, trust me.
• Working with Finance on business plans, cost-benefit analyses, budget proposals or whatever it takes to get sufficient resources for the ISMS, both initially in the design, development and implementation phases and long-term for ongoing security operations and maintenance of the ISMS. Without sufficient resources, the ISMS is doomed. This is largely a matter of prioritization relative to other business activities and initiatives, so you will have to negotiate timing and funding in the business context - which means you need an appreciation of what else is going on.
• Mapping communications and power relationships in your management levels, i.e. the informal structure chart for management (not the formal organogram that HR puts out, but the one showing who really wears the trousers and who they consult/rely on - possibly even a RACI-type chart and psychometrics if you have the knowledge, energy and access). This can help you understand your audience/customers better, communicate more effectively, and develop an uncanny ability to get your way. It can also help you identify and deal with any blockers. Validate your findings and assumptions with one or more friendly managers.
• Working with your team (that is, the information security people, help-deskers, security architects and others) to formulate plans and approaches, and exploiting their business contacts where possible. Implementing a formal ISMS is a change management activity for the team as a whole - not something for the lone ranger.
• Launching some basic strategic or management-level metrics, such as maturity scores against the recommendations in ISO 27001 and ISO 27002, section by section, in only as much detail as you need to make the numbers meaningful to management.
• Finding and exploiting opportunities to tackle security pinch-points: longstanding security issues that have caused problems for the business. If you can resolve some of these in the business's favour, you will make friends. Make sure to take notes and use these situations as examples illustrating the new approach you are taking.
• Setting up regular briefing sessions with relevant managers, leading in to and supplemented by ad hoc security briefings and workshops for management meetings (including the ISMS Management Reviews formally required by ISO 27001 section 9), committees, teams or groups on security and risk-related matters. Engagement is the underlying aim, which means both informing them and drawing them along, motivating them to support your efforts and helping them with whatever they/the business need from information security.
• Tackling any outstanding audit issues of relevance to information security, and starting to build up your 'stock' of security anecdotes, incidents, policies, procedures and briefings.