Part 5 - Incorporating management commitment and the interests of stakeholders
The next principle of ISO 27001 is to incorporate management commitment and the interests of stakeholders into your information security management system (ISMS).
Let’s start with the first item – Management Commitment.
All Consultants, Certification Body Auditors and Information Security Managers say that the number one key to having an effective ISMS is to have genuine management commitment. And they’re absolutely right. Management commitment makes all the difference to the success or failure of an ISMS.
But it’s not enough to just say that management is committed to the ISMS.
Putting a signature at the bottom of the information security policy, or making a PowerPoint presentation to staff several times a year, simply doesn’t cut it.
Management commitment to ISMS must involve an active, on-going set of behaviours. It’s about getting in front of your staff often. It’s about having a deep knowledge of the ISMS and how effectively it is operating. It’s about asking questions, and having the drive to keep asking questions. Management commitment is a willingness to regularly and honestly scrutinise the weak points of the ISMS.
Undeniably the best tool for making all of this happen is for Managers to go to the Gemba. I have blogged about this previously. As I said there:
“Gemba is a Japanese word which means “the real place”. The idea is that in order to know what is actually going on in your business, you need to spend time where the real value is added, such as the factory floor, the hotel reception desk or the construction site. You need to be at the coal-face, and you need to be there often.”
When a Manager is at the coal-face they should question things with their staff and ask how the staff interact with the ISMS. They should never go to the Gemba to discipline staff. Instead, the aim is to gain a true understanding of the ISMS. With true understanding comes deep knowledge. Take your lead from honorary Toyota chairman, Fujio Cho who said “Go see, ask why, show respect”. I realise that a Manager’s time is important. And for that very reason going to the Gemba should be the most important 30 minutes of a Manager’s day. I can’t recommend it strongly enough.
Now let’s get into the second item in the principle - interests of stakeholders.
When developing and implementing your ISMS you should always consider the stakeholders, and there are many - Staff, Managers, Directors, Shareholders, Customers, Suppliers and Regulators. Each of these parties has an impact on your business, so it is wise to take in account each group’s needs and expectations regarding ISMS.
Your ISMS should not be just be inward-looking. Your ISMS is subject to external forces, so your focus should also regularly fall on factors outside the organisation. Take Regulators, for example. Legislation and regulations are being developed all the time, and indeed from May 2018 the new General Data Protection Regulation (GDPR) will be enforced in Europe, but felt world-wide. The information security requirements around the GDPR are numerous and the penalties for non-compliance are astronomical. Failure to take into account the local, state, federal and national regulatory requirements could potentially be extremely costly to your business. Make sure you look at what your organisation is doing internally, but also remember to take a good hard look at the wider picture.
Failure to put both management commitment and the interests of your stakeholders at the forefront will mean that your ISMS is unworkable, putting your business at grave risk. The good news is that making a priority of management commitment and the priorities of shareholders will give you a robust, strong and nimble ISMS. And who doesn’t want that?
View previous blogs in this series "ISO 27001 Information Security Management Standard":
ISO 27001 Information Security Management Standard: Principle 1 - Analysing the Protection of Your Information and then Applying Controls
ISO 27001 Information Security Management Standard: Principle 2 - Awareness of the Need for Information Security
ISO 27001 Information Security Management Standard: Principle 3 - Assignment of Responsibility for Information Security