Overview
Practical experience from numerous ISMS implementation cases in Sweden and internationally, as well as knowledge gathered during the development of ISO/IEC 27003, has shown us that organizations have several different motives for wanting an ISMS based on ISO/IEC 27001:2013.
These motives vary from case to case, and taking them into consideration is key to a successful implementation of the ISMS: an implementation that not only fulfills the requirements of the standard but also brings practical business benefits to the organization, and by that the long-term positive effects of having an ISMS.
Internal interested parties have different motives for an ISMS
Implementing an ISMS is a decision that has to be made by Top Management, but that decision is shaped by what the different roles in the organization see as the benefits. In some cases there is a single driver; in others there is a combination. Generally, it is good to make an inventory of these motives and expectations early in the implementation case and to understand how they will influence both the priorities that may be necessary during implementation and the long-term use of the ISMS to meet these expectations. This might be seen as a challenge for the CISO, but it is really an opportunity to anchor the ISMS in the organization and use it in daily operations.

Explanation of the roles in the figure and what they represent as internal interested parties regarding information security and an ISMS:
- Top Management – the person or group of people who direct and control an organization at the highest level. In a smaller organization this is often the CEO; in a larger one it is often a group, the management team.
- MS standards – a person or persons working with other ISO management system standards such as ISO 9001, ISO 14001 etc. This role normally exists in larger organizations, but the perception it represents may apply to smaller organizations as well.
- Business – a person or persons responsible for different functions within the organization, such as sales and marketing, HR, legal, procurement etc.
- CISO – Chief Information Security Officer – the person holding the ISMS together and reporting to Top Management according to the requirements of the standard. This role may vary between organizations depending on size and type of business. During an implementation case, the role may be new.
- Technology – a person or persons working with ICT from a technical perspective. This role is especially relevant if the organization manages ICT in-house. The role has an understanding of and/or knowledge about ICT security and may be a CIO and/or an ICT security expert.
The main consideration to understand and address
The CISO and Top Management have their own motives for making the ISMS useful for the business, but the other three roles may have a very different perception of what an ISMS based on the standard is or what it should focus on. The CISO should use this knowledge to correct those perceptions where needed and to ensure that the ISMS contributes to each role's objectives, and by that also fulfills Top Management's expectations. The main implications for these three roles are listed in the table below, with the principal differences overstated to make the issues clearer.
| Role | Pre-perception | Pre-focus | Address to change the perception and adapt focus | Outcome/contribution to the ISMS |
|---|---|---|---|---|
| MS standards | ISO/IEC 27001 is a management system standard (MSS) like all other ISO MSS. | Documentation and management review activities. | ISO/IEC 27001 is not built on documentation: it is risk based and linked to controls. The linkage to controls cannot be handled by documentation alone but requires a risk management process. The management review for an ISMS may require more engagement from Top Management, since the risk status has to be reported. | The documentation made by the organization for other ISO MSS may need revision, and new documentation is needed, especially regarding risk. The management review may not be a meeting as it is for the other MSS; aligning the ISMS management review with the overall annual business planning is better. |
| Business | ISO/IEC 27001 is a set of rules that are either fulfilled or not. It is handled by the CISO (the security organization). | Compliance, so that the standard helps to align with legal or contractual obligations and makes interaction with other parties easier. | ISO/IEC 27001 is not a checklist. It involves the whole organization, which means that activities, and especially risk assessments, should be carried out by the business, and decisions are made by risk owners, not by the CISO. | An ISMS is for the business and should be aligned with it by involving the business. It can be supported by the CISO, but many of the actual decisions and activities are not made by the CISO. The standard cannot ensure any compliance other than with the standard itself, but it may address many legal and contractual issues. |
| Technology | ISO/IEC 27001 is a set of controls that all must be implemented. | ISO/IEC 27001 is Annex A and ISO/IEC 27002, especially the technical controls. A gap analysis of the controls is the key activity. | ISO/IEC 27001 Annex A is a control list that should be used as a reference for what the organization needs. It does not say how a control is implemented, and the actual implementation may vary depending on technology and risk. | Awareness of which controls are needed, and that the risk assessments are the supporting activity for implementation through the risk treatment plan. The SoA is used to verify against Annex A that no necessary control has been missed out; additional controls may be added. |
Conclusion
Implementing an ISMS based on ISO/IEC 27001 should focus on the requirements in clauses 4 to 10. This enables a systematic approach ensuring that:
- Compliance issues can be handled by the risk management process required in clauses 6 and 8, where the compliance risks and controls are identified and evaluated by the business. Risk treatment decisions are made by the risk owners, who very often represent the business. The management review enables risk status reporting and decisions at Top Management level. The ISMS will support this.
- The ISMS does not over-document things for the sake of documentation. For an ISMS, the fact that something is documented matters less than whether the controls selected in the SoA are actually implemented.
- Annex A is not used as a checklist; the organization uses it as a reference that must be considered. An organization has, and will have, different controls in place over time, and the ability to adapt to changes and to the need for controls is an important aspect of an implemented ISMS.
If the implementation of an ISMS can focus on the roles and needs of interested parties and on the business context in clause 4, a sound platform for success is created. Then, by applying the risk management process in clause 6 throughout the scope of the ISMS and its boundaries, the organizational involvement and business alignment needed for long-term success can be achieved.

