ISO 27001 has at its heart the continual improvement of the system. However, I wonder how many people regularly improve the way they actually manage and control the ISMS itself? It’s easy to get into habits, or to create systems that work for one or a few people but then find they don’t scale or can’t easily be changed, and become a millstone as the business changes and evolves.
And of course business is evolving at the moment: large or small, public or private, there are threats and opportunities all over the place. Information security management is affected by almost everything. It might be about beefing up the system to deal with the heightened risk of data loss through staff or suppliers as a business grows. Or it could be about driving down the total cost of managing the system because resources are scarcer. Is the way you manage your ISMS still fit for purpose?
Standards have been changing too. One of the goals for the ISO standards body in making the change from ISO 27001: 2005 to 2013 has been about improving the standard itself (which I’ll discuss another day). And most accredited organisations (like us) will have completed their migration by now.
It would be interesting to know how much there has been a ‘lift and shift’ of the way the system is managed, versus using that migration trigger as an opportunity to improve the way the system itself is managed. My guess is that the migration would have been the focus, developing and then implementing the relevant new policies and controls. I suspect that for most, the change will have been done by retaining the current way of managing the system. We did that, although we were lucky to be using pam anyway. We also took the opportunity to review our approach to risk for the 2013 standard (it’s less about assets in 2013 and more about the information, as you know), including enhancing supplier assurance with the relationship management and contract areas of the platform.
For those organisations that have subsequently identified an improvement and set a goal for transitioning to a new way of managing their ISMS too, take a look at what we have done with pam for our own accreditation to ISO 27001: 2013. Organisations primarily interested in ISO 27001 should watch the 2 min video here, and public service providers may prefer a similar but slightly different video here (it includes integrating other compliance aspects such as PSN CoCo and PCI DSS).
Our customers liked our approach so much that some have gone on to adopt pam for implementing or managing the ISMS themselves. As such we are now making our digitised cloud service for ISO 27001: 2013 available as a new pam solution.
Get in touch to see how we can help you improve the way you manage the ISMS and assist your organisation to achieve its wider business objectives.