To quote Joey “the Lips” Fagan of The Commitments fame – “I believe in beginnings”. This is very true in the area of IT Governance and for organisations setting out to obtain ISO27001. The beginning of the project determines whether or not the organisation has the executive buy-in and the determination to see out the challenges that naturally appear in initiatives that involve the entire organisation.
Often, ISO 27001 projects are seen as technology projects. Whilst automation has a key role to play, an IT Governance project is essentially about change management. The organisation must change the way its staff approach data protection. ISO 27001 projects are about the culture change that is required to improve the compliance maturity of staff and partners.
There are no easy ways to change people’s attitudes on how they interface with the organisation’s computer systems and data. Often the high-risk issues are based on expedient approaches that facilitate the way people currently do their job. Therefore an education program is required to ensure people understand why they cannot continue in ways that put the organisation in a position of risk.
The problem with many IT Governance education programs is that they do not take a minimum of a 12 month view and that participation levels among staff are very low. By not looking a year down the line and planning multiple activities around the IT Governance Awareness Program (IGAP), many organisations run the risk of the initiative running out of steam due to the difficulty of battling organisational inertia.
By far the biggest threat to an ISO 27001 project is that it becomes a minority sport. Without the participation of all staff and contractors, the value of the investment is significantly undermined. Getting the mind share of the audience requires tailored messaging, particularly to high risk job profiles. The participation of staff must be encouraged and enforced if necessary.
Having a good beginning with a project charter that sets out a 12 month scope of work and which has the right level of executive buy-in is a great way to mitigate the risk of your ISO 27001 project grinding to a halt.
Robert O’Brien | CEO MetaCompliance | @MetaCompliance
Bio: This article was written by Robert O’Brien, the CEO of MetaCompliance, leading information security and compliance software specialists. Robert has a keen interest in Cyber Security and is passionate about the need for a UK-based software sector, particularly in the area of IT Security and Cloud.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.