ISO 27001 Information Security Management Standard - Principle 5

Posted by Craig Thornton

Part 6 - Enhancing Societal Values

This next principle of ISO 27001 is very interesting and requires some serious thought – it’s the fundamental principle of enhancing societal values.

Following this principle will contribute greatly to the successful implementation and maintenance of the information security management system (ISMS) in your organisation.


The values that you should consider enhancing may be:

  • Honesty – being genuine and ethical
  • Fairness – being equitable and just
  • Respect – treating people with dignity
  • Trust – keeping your promises
  • Caring – listening and showing kindness
  • Courage – taking responsibility for tasks

This is not an exhaustive list, nor is it a compulsory one. These values are just a starting point. You may already have some of these values, or you may have different ones. If you have no values written down, then now is the time to start. You’ll need to do your own research and come up with values that suit your business.

Let’s take a look at some famous organisations and their values.

Firstly, "Don't be evil" is the motto of Google's corporate code of conduct, and was first introduced around 2000. In 2015 Google's owner, Alphabet, adopted "Do the right thing" as its motto.

Next up is Apple. Its core values are: “We believe that we're on the face of the Earth to make great products. We believe in the simple, not the complex. We believe that we need to own and control the primary technologies behind the products we make. We participate only in markets where we can make a significant contribution.”

Next is Microsoft. From its website its values are listed as: “Innovation, Diversity and inclusion, Corporate social responsibility, Philanthropies, Environment, Trustworthy Computing.”

Finally, let’s take a look at Amazon. Its values are: Customer Obsession; Ownership; Invent and Simplify; Are Right, A Lot; Hire and Develop the Best; Insist on the Highest Standards; Think Big; Bias for Action; Frugality; Vocally Self Critical; Earn Trust of Others; Dive Deep; Have Backbone; Disagree and Commit; Deliver Results.

So you need to determine your company values and how they will enhance society. If they diminish society, then now is the time to upgrade them so that they enhance it.

These values are typically expressed in a mission statement and/or a values statement. Your ISMS should reference that statement explicitly, so that the commitment to abide by these principles is part of the management system itself rather than a separate aspiration.

Two things are important to note here. First, it’s very important that you get these values right. The values need to actually be important to your organisation, and not be plucked from a focus group or adopted because they make a good sound bite. In the long run these values will influence everything your business does. You’re going to be working with these values in some way every single day, so they need to be something you believe in and can back up with action.

Second, it’s very important that you do more than just pay lip service to your societal values. If you get them wrong, or they don’t fit the business’s culture (and there has been a great deal of discussion lately around some of the organisations I’ve listed and their less-than-stellar corporate tax behaviours), then you can kiss goodbye to an effective ISMS.

View previous blogs in this series "ISO 27001 Information Security Management Standard":

ISO 27001 Information Security Management Standard: Principle 1 - Analysing the Protection of Your Information and then Applying Controls

ISO 27001 Information Security Management Standard: Principle 2 - Awareness of the Need for Information Security

ISO 27001 Information Security Management Standard: Principle 3 - Assignment of Responsibility for Information Security

ISO 27001 Information Security Management Standard: Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders