ISO27001 Clause 4.4, Information Security Management System, is a small two-line clause that does not look like it should really matter. It says:
The organisation shall establish, implement, maintain, and continually improve an information security management system, in accordance with the requirements of this international standard.
Great, easy, that's what we are doing, right? Yes, but there are a couple of things to think about before you just tick this and move on.
Stand-alone vs Integrated
The first thing to think about is how you want your ISO27001 ISMS to live. Do you want it as a stand-alone system within your organisation, another manual that people have to wade through, or do you want to integrate it with something else?
For example, if you already have ISO9001, 14001 or even 45001, then it makes sense to integrate the requirements of the ISO27001 standard into your existing documentation. (Hint: you should already have integrated those other standards into one document as well.)
You can do this because all of these standards conform to the same higher-level structure that ISO is using:
- Scope
- Normative references
- Terms & Definitions
- Context of the organisation
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
This is the ISO High-Level Structure (Annex SL): the list of headings that all new ISO management system standards are meant to follow, so that they can be integrated and operated as one system going forward.
Integration is by far the best way to do it. You can go through your ISO9001 / 14001 / 45001 system clause by clause and look for where you need to include or expand the scope to cover the requirements of ISO27001.
Of course, you do have the option of creating a stand-alone system, and if you don't hold any of the other standards that is what you will have to do.
Map it Out
Think about the four things those two lines actually ask for, then think about what work you need to do to ensure you achieve each of them. It's not a small list. Here's a bit of an example:
- Establish – a quick dictionary check tells us that this is to "set up on a firm or permanent basis", so you could argue that this is the process of actually creating all of your processes, procedures and work instructions, in fact everything involved in getting the system up and running.
- Implement – people get confused here. Surely it's the same as establish, right? Wrong. Implementing is the act of actually rolling the system out, so it's about how you train your people to use it and get them on board with it. There are as many ways to do that as you can think of and you need to do what is right for your organisation; just don't inflict it on them. By that I mean ensure that they are part of the establish process before the implementing starts, and as you train, make sure to explain why it's important.
- Maintain – maintaining your system is about making sure it's always up to date: that you are referencing the right versions of the standards, the current legal and contractual requirements, and current best-practice approaches.
- Continually improve – you don't want your system to stagnate, because a stagnant system is essentially going backwards, and it also means your people are not engaging with it or using it. You need to be able to demonstrate that your system is evolving, improving and making a valuable contribution to the company (and not acting like a boat anchor).
For each of those four areas, map out how you are going to involve your team, along with any other stakeholders you think need to be involved. Because you have just completed clauses 4.1 and 4.2 (context of the organisation and interested parties), you already know who needs to be part of those discussions.
So there you go, ISO27001 clause 4.4 in a nutshell: those two little lines are a bit more than you thought.