ISO27001 Leadership and Commitment
How many times have you heard people say that it is one rule for them and another for the management? It is certainly the fastest way to kill not only the morale at your company but also the systems that you are trying to use. That is why ISO27001 Clause 5.1 is all about the requirement for Leadership and Commitment: it codifies the need for management at all levels to set an example and do what they need to do to ensure the system meets the needs of the organisation and that everyone (especially them!) is using it.
Having a good Information Security Management System in place is increasingly becoming a major requirement for companies; in fact it is quickly finding its way into RFQ documents in the same way ISO9001, ISO14001 or even ISO45001 have. There is a never-ending stream of director and business surveys rating information security as the number one or two concern or threat to their organisation, so it's time to walk the talk.
The Requirements
Remember that the standard outlines the minimum requirements, i.e. you need to do at least this to reach the standard. You can do more, and you need to decide what the right thing is for your organisation, but let's talk about the requirements of Clause 5.1 Leadership & Commitment of ISO27001.
It starts off with the key statement "Top management shall demonstrate leadership and commitment with respect to the information security management system by:". Remember that in ISO language shall really does mean shall: you will do it, it's not optional. That means the auditor is going to be looking for evidence of top management's involvement in the process and their interactions with the system and the people as well. They will be looking for proof that you really are showing leadership, so don't be surprised if they ask your staff whether they think you are showing leadership and commitment to the ISMS!
They have listed 8 items to give you some clues as to what good leadership and commitment might look like. Again, this is the minimum amount, so don't be shy, go further!
a) Ensure the information security policy and information security objectives are established and are compatible with the context and strategic direction of the organization
Lead the process of developing the policy and the objectives of the Information Security Management System to ensure that they line up with the needs of the business and the strategic direction you are taking. The objectives should add value to your organisation; be prepared to demonstrate this. Don't forget that establishing them is just the start: you need to use them and communicate them.
b) Ensure the integration of the system requirements into the organization's business processes
It's absolutely critical that the Information Security Management System isn't something that stands off to the side of your organisation that you need to tick the box to keep alive. You need to have it ingrained in every facet of your organisation and make it a key part of everyone's objectives and way of life, including yours as a senior or executive leader. It should be in your day to day thinking so it's just part of how your organisation operates.
c) Ensure that the resources needed for the system are available
It's not a case of it all being your Quality Manager's or your IT Manager's job to look after your ISO27001 system; the leadership team needs to ensure that they have included in their thinking the amount of time required to adequately run the system across the business. That means you need to think about how much time your staff will be involved in the system, and what tools, equipment, software, training, documents and support systems are required. Once you have thought about this you need to ensure you fully resource it so that it's going to be a success and not over-stress the people and the system. The reality is that if you integrate the processes into your culture it actually saves you time. Things like always cleaning off a whiteboard before leaving a room mean it's ready for the next person, and having a clean desk means that you don't have to rummage for hours looking for the bit of paper that was definitely where you left it (it never is!).
d) Communicate the importance of effective information security management and of conforming to system requirements
We have said it already but it's so true and so important: as leaders you have to walk the walk and talk the talk every chance you get. You need to be the shining example of what an individual engaged with and supporting your ISO27001 management system would look like. This includes coaching conversations with anyone within the organisation that you have the opportunity to speak to, team briefs, quarterly state of the nation discussions, performance reviews and of course personal objectives. The steps you take for a good ISMS should just be part of what you do every day without thinking and be ingrained in your leadership team.
e) Ensure that the information security management system achieves its intended results
What is the point of having a process or a system if you don't validate the outcomes? You need to know if it's delivering what you designed it to deliver. That means you actually need measurements for your system in place, at both business and individual levels, and they should be meaningful, not tick-the-box items, since that would not really show real leadership, would it?
f) Engage, direct, and support persons to contribute to the effectiveness of the system
This is about building real engagement with the system and ensuring that your people feel supported to follow and improve the system, hence making it effective. There is no point in them making do or trying to work with a system that makes work hard to do; they will 100% find a workaround that breaks your system if it is just too hard. This means that no process within the system is above reproach: if it's a bad process it's a bad process and you need to improve it, that's part of the deal with ISO and continuous improvement. If you want your team to engage with the systems, let them mould and shape them so they work.
g) Promote improvement
This goes hand in hand with the previous requirement really, but you absolutely have to ensure that everyone knows that your processes and systems are not set in stone: they can be improved and you want them to help do that at every opportunity. Promoting improvement is about celebrating all steps forward, but just as importantly celebrating those steps that didn't work but nevertheless were attempts at improving the system. Why? You need to encourage the belief that it is OK to not hit the mark if you are attempting to improve; that way people will keep trying.
h) Support other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility
The great thing about your ISO27001 Information Security Management System is that it's a team event. Remember we stated previously, it's no longer OK to drop it on your IT or Quality Manager and walk away; everyone is involved. That means as a leadership team and the CEO you all must pull together to ensure that the processes and principles of the system are embedded in every department of the organisation. That means providing each other with the resources and support needed to do that.
Summary
Demonstrating leadership and commitment to the Information Security Management System is not hard; you just have to believe that it's important and will provide your organisation with a benefit. If you think about the risks to your data, your IP and your bottom line, it's hard in this digital age not to see clearly that information security is important. Encourage your team to be advocates for it, work with them, educate them, and remind them that the system is about protecting the organisation, and ultimately them, from others gaining access to information they shouldn't. But it should be easy to use, so if it's not then it's up to them to also show leadership and commitment to the system and change it!
Copyright
© Many Caps Consulting | All Rights Reserved