By John Watt on Monday, 27 April 2020
Category: ISO27001 Information Security Management Systems

ISO27001 - Principle 9: Everywhere is Involved

It's easy to think that because something is called Information Security it only relates to the 'Information Technology' department of your organisation. It's a common mistake that many people make: they believe, wrongly, that the IT geeks will have it all taken care of, that it's not something for their department or their people to worry about, and that there will be a software solution for it and that's that.

It often comes as a shock to people when we explain the true meaning of information: it is nothing more than data or knowledge that is used in the organisation and passed around (or held securely). It has nothing really to do with IT other than that a computer, a server or a phone may well be the medium the information is held on. It may equally be a bit of paper, a whiteboard, someone's head or even a post-it note. ISO27001 for Information Security Management doesn't care about the medium or the department; it cares about information in all its guises and locations.

Information Security, then, is something that involves everyone and everywhere in your organisation (and your clients and suppliers, for that matter).

Information is Everywhere

It's possible that you are still sceptical about the idea that Information Security isn't just about your IT department and that it isn't up to them to fix it, so let's have a quick look at Annex A of the ISO27001 standard. (As an aside, if you need more information or detail on the points in ISO27001:2013 Annex A, have a look at ISO27002:2013, which gives you the detailed breakdown.)

Here are a few of our favourite examples that we pull out for organisations when they try to put it all on the IT department:

Human Resources (Prior to Employment)

Annex Clause | Section | Control
A7.1.1 | Screening | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
A7.1.2 | Terms and conditions of employment | The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.

Human Resources (During Employment)

Annex Clause | Section | Control
A7.2.1 | Management responsibilities | Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

Human Resources (Termination or Change of Employment)

Annex Clause | Section | Control
A7.3.1 | Termination or change of employment responsibilities | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

Security (Physical)

Annex Clause | Section | Control
A11.1 | Physical security perimeter | Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information

Purchasing / Supplier Management

Annex Clause | Section | Control
A15.1.1 | Information security policy for supplier relationships | Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.

Information is about Everyone

While the IT department will definitely have work to do for ISO27001, so do HR, Engineering, Security, Purchasing and Logistics. In fact, everyone within the organisation has requirements to meet when you are creating your Information Security Management System to satisfy the requirements of ISO27001.

If you are going to create, and of course maintain, an Information Security Management System (ISMS) that works for your organisation, then you need to involve a range of people from a range of areas in designing and implementing the system so that it really does fit your organisation. Don't try to cookie-cutter it from previous organisations you have worked at! You need to take a comprehensive, inclusive and bespoke approach to your ISMS.

Beware the Document Mountain

While we are stressing that you need to have a range of people involved in creating your system and making sure you have a comprehensive ISMS, that doesn't mean you have to build a mountain of documentation; in fact, it's critical that you don't. If you create a 700-page Information Security Management System document, absolutely no one is ever going to read it and your system will not work. That is in fact the opposite of getting people involved.

Consider the whole organisation: what they need, how they work, what information is there and which types of medium are in use across your organisation, and create simple-to-use policies that are universally applicable where possible. Do not treat creating your ISO27001 Information Security Management System as a technology project. Technology is there, of course; we all walk around with mini supercomputers in our pockets disguised as phones. But the real information we need to think about and manage is all around us: on desks, in heads, on walls and on whiteboards.

Keeping it simple and easy to understand and follow means your ISO27001 system will actually be used, rather than gathering dust on a shelf or sitting on a server never to be found again.
