Anyone who reads any of our blogs understands that continuous improvement runs through the DNA of the entire site. We live and breathe continuous improvement, so it shouldn't be a surprise that we consider it a key principle of any ISO27001 Information Security Management System. The expectation of continuous improvement doesn't just come from us, however; Mr ISO has an expectation of it as well (spoiler alert: clause 10 of the standard is called… Improvement, but we'll get to that later on).
Nothing stays the Same
Life is always changing; technology advances and attitudes change and adjust. Just look where we are now, with most of the world in lockdown with COVID19: how many organisations that thought they would never let people work remotely now find themselves, well, working remotely? This should of course force a review of the Information Security Management policies of those organisations. Some will have done it and unfortunately some won't, and that's understandable at the moment, but it can't be delayed for long.
On the IT side of things there are always new challenges: new viruses, hacking attempts and of course new ransomware attacks. Some are very simple to protect against; just monitor your Microsoft, Google, Apple or antivirus software account updates and they will keep you in the loop on these things and ensure that patches are available as you need them, so you need to patch often. To do this, however, you need to be doing something important: you need to be consistently reviewing your processes, systems and risks and continuously taking steps to improve them as often as you reasonably can. Getting hit with a ransomware attack is not a good thing. Getting hit once may be unfortunate, and should certainly prompt a review of your processes to look for the improvements you need to make; getting hit a second time, that's not unfortunate, that's something else… although, to be fair, there are some that just can't be defended against.
Remember, however, that your ISO27001 Information Security Management System (ISMS) isn't just limited to IT systems; it's about information, after all. So again, in times of change you need to reassess what information is now floating around that wasn't before, and in what format. Again, using the COVID19 situation as an example, think about all the paperwork that is floating around in people's homes that wasn't there before. Is it secure? If it needs to be destroyed securely, how is that achieved remotely?
Assess and Reassess and get Better
You shouldn't wait for a pandemic to strike to force you to review your ISMS processes. You should be scheduling these reviews on a regular basis, and they need to be comprehensive enough to cover the range of risks and vulnerabilities that your organisation is going to be exposed to.
Out of each review there should typically be actions taken (otherwise it was a pointless review); it would be very unusual to carry out a full in-depth review and leave feeling that nothing can be improved! Your reassessment should be based on what is happening not just in your working environment but also around changes in international standards or legislation. In NZ, for example, the final readings of the new Privacy Act have been underway and this will pass into law soon, requiring additional items in your information security processes; these would need to be included in the policies and processes within your systems.
Check Often and Check Wide
Carrying out internal audits on a regular basis is the best way for you to ensure that your ISO27001 Information Security Management System is doing what it should, not just because the standard says you should but because you will really benefit from it. When I say wide, I don't mean to suggest that it should be a cursory glance at things; you need to check in depth, but you also need to be casting your net across the entire organisation and multiple levels to ensure that everyone is following your processes, and to identify the processes that just don't work, that aren't practical, and to fix them. That's the continuous improvement part of the process coming into play again. Auditing once a year or just prior to an external audit is of no use; you need to audit on a regular basis and review on a regular basis if you want to sustain the improvement activity and remind people that your information security management system must continue to evolve, but it can only do that with their help. Just remember to send an auditor who actually knows what questions to ask for that area. There is no use sending someone out to audit your ISO27001 system if they have only got experience auditing your finance systems, for example. Yes, they will have auditing skills, but they do need some knowledge on this side of the process if they are going to truly add value.
The Round Up
Your ISO27001 Information Security Management System has to continually improve and evolve as technology, the way we work and the places we work continue to change. Regularly auditing and updating your systems is critical to its continued success, and using people internal to the organisation who understand the processes and can check them regularly is critical too, but it's only useful if they actually find out what doesn't work and you then take action to improve those sections.