Part 41 - Getting Certified to ISO 27001 – You're Certified.
After many thousands of hours and plenty of hard work, you have created, established and are maintaining your information security management system (ISMS). Since then, your ISMS:
- Has been audited by a Certification Body (CB) in two stages (Stage 1 and Stage 2)
- Is certified, with a new ISO 27001 certificate on the wall at reception, and
- Has been celebrated with a big party or a couple of biscuits at a morning tea.
Therefore … job well done.
Don’t Rest on Your Laurels
Well, one thing you don’t do is rest on your laurels. Don’t think that the job is over and done with.
More work is required to make sure that the ISMS keeps adding value to your business.
You may have spent thousands of dollars on consultants and the CB external audit. On top of that, the time you have spent on the system is a cost to the business. Therefore, your Management Team and even your Board may be looking at you, the Information Security Manager, and asking “show us the money” or “where is the return on our investment in an ISMS?”
Therefore, you need to show pay-back. How do you do that?
Your ISMS Needs to Show Pay-Back
Well, you need to work hard to measure the value the ISMS adds to your business. This requires foresight and planning ahead.
Think about the areas of your business where the ISMS has helped to reduce costs.
In addition, think carefully about where the ISMS could have been used to reduce waste.
Finally, ask the sales team whether they have won extra jobs because your organisation is ISO 27001 certified.
Add that value up and present it to the Management Team or Board to prove that getting certified wasn’t a waste of time.
Review Your ISMS
What else should you do? Well, for one, you should be reviewing the ISMS regularly.
For example, one thing we are doing here at Mango is to have all our employees attend the monthly Management Review meeting. In that meeting we talk about the adequacy, effectiveness and value the ISMS is bringing to the business. We discuss the objectives in detail and look at the results against the objectives.
You need to keep improving and updating your ISMS so that it remains effective and keeps adding value to your business.
You need to demonstrate to Management that the ISMS is not a time suck and that it makes their job easier.
Winning over Management will mean that the ISMS will have longevity.
- Start measuring the pay-back of your ISMS.
- Present the results to Management and the Board.
- If the ISMS is adding no value to the business, stop doing it.