In my previous two articles (please see links to those article at the end of this article), we understood about, deployment of initial security resource, understanding the standard and its mandatory controls, defining scope/ out of scope items and security ownerships. Now when the stage has been set, let us go ahead with some practical implementation steps. We should remember that our goal should be to make security as an enabler to the business and not a hurdle by imposing checks and balances, thus we need to align security to the business. Isn’t it a good idea to start with defining vision for your security program? Let us do it…
Define Security Vision
Though defining it is nowhere mandated in ISO27001, but still to set overall direction of security program, it is recommended to have one. Here we have to keep two things in mind:
- Customer business and if any vision defined by customer for its business, and also
- Security vision of your parent organization.
While the security vision for customer has to be aligned with its business vision, we need to understand that we are still part of our parent organization while executing project for its customers and our work in security domain shall also be aligned to our security vision as well, if any. Considering parent organization’s vision becomes even more important, especially when we deliver services to customer while being in our organization premises, where most of our security policy shall apply.
Defining Security Objectives
These are the high level parameters which needs to be defined to check security health of customer’s organization and have to be aligned to its security vision. I would recommended here to not getting too excited and define lot many of them, but define them as crisp, clear and most importantly measureable. It is advisable to keep the count not more than 2-4 and for each parameter define its measurable value, frequency, supporting facts and the personnel responsible for tracking them. An excel sheet, may be maintained for same as an audit artefact to support the case that we have defined security objectives and we are monitoring them on regular basis. Ideally they should be monitored on year to year basis or may be earlier, if environment is too dynamic. Couple of examples of security objectives could be, “Continual reduction in information security risks to the organization”, “Ensuring that reporting of incidents and audit non compliances which are similar in nature, to be continually reduced over the time”.
But someone is asking, “Hey, all this is good enough, but customer is pushing our security specialist to come up with a security policy document immediately, how to go about it?” Well, there are multiple perceptions about security policy document and mind it, it’s certainly not the copy past affair…we will try to understand this in short in my next post. Keep following…
Will try to continue this series to give an insight of how one should go about certifying n organization for ISO27001.