ISO 27001 - The Real Cost Of Success
So you have climbed the mountain and your organisation has now achieved ISO 27001 accreditation. At this point many organisations realise they have significantly underestimated the amount of effort required to effectively manage their information and cyber security management program.
Even after gaining accreditation many organisations are still reliant on informal processes based on spreadsheets and the diligence of people to track and report on compliance.
While the implementation of ISO 27001 will hopefully result in a more rigorous process for managing information security, translating this into action often imposes new overheads on managers and their teams, across IT and the business, that have been assigned responsibility for managing the integrity of individual controls.
These activities include the execution of specific compliance checks, collections of evidential proof, identification and remediation of non-compliance, and ongoing reviews of effectiveness and performance.
In many situations the human effort required for consistent execution has neither been anticipated nor budgeted for across all of the departments in the organisation that have to play a role in the new processes.
Because of the delegated nature of these activities, CISOs and Security Officers with overall responsibility for the program struggle to consistently coordinate all of the actors in the process, making sure that everyone does what they are supposed to do when they are supposed to do it. Human nature, along with the competing pressures of work, has a major influence here - some people are naturally more disciplined than others; they may also execute well at certain points in time and poorly at others.
The informality of process orchestration, manual checks and the disparate kit bag of tools used to track and report on compliance of individual controls (spreadsheets often play a big role here) is also a hindrance to progress.
Objective measurement, along with evidential proof, is critical in establishing a true picture of an organisation's security posture, to inform IT and business stakeholders where investments are required to deliver ongoing improvements, as well as satisfying ongoing audit requirements. One could argue that without objective measurements in place, businesses expose themselves to unnecessary risks: how can you objectively prove that you have improved if you can't measure the before and after?
These types of challenges are not alien to other areas of the business that have to manage complex business processes, and there are many examples where software has been applied to streamline the orchestration of the process. Finance & Accounting, Sales, Marketing, HR and IT Operations are just a few examples.
From my own experience of managing network security for one of the largest banks in the world, I have lived the challenges of implementing a rigorous security compliance program first hand. It was clear to me back then that there was a need for domain-specific software to streamline and automate the overall process, and this ultimately led to the work we are doing at Caveris today.
If you would like to learn more about how to address these challenges, check out our explainer video: https://www.caveris.co.uk/post/caveris-explainer-video.