What is the ISMS for?


Another interesting morning on the ISO27k Forum when a new member asked for help to address an ISMS internal audit finding relating to ISO/IEC 27001:2013 section 4.1: 

“The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.”

To my beady eye, that succinct sentence (plus the rest of clause 4 and more besides) leads in to a fairly diverse and creative set of activities relating to ‘establishing the context for the Information Security Management System’:
  1. Who are the stakeholders with an interest in the organization’s information and hence the associated risks and opportunities? What are their 'issues' - their interests, in fact? What matters to them? What are their priorities and concerns? What business is it of theirs? [Clause 4.2]
  2. Consider the organization’s purposes (business objectives/goals, strategies and other drivers and constraints) that in some way involve or drive information risk and security e.g. if “Being a trusted partner” is one of the corporate aims stated in the CEO and Board’s mission statement, that indicates a need to be a trustworthy organization, and hints at a desire to be recognized and appreciated and valued as such by business partners/outsiders. So what are the implications for how we do business, in particular how we handle information? What should the ISMS be doing (or indeed avoiding) in support of "being a trusted partner"?
  3. Consider also how information risk and security concepts can/should support and enable the business. For instance, what is management’s position on privacy – not just the obvious legal and regulatory compliance aspects but privacy, personal space, personal choice and freedoms etc. as a more general concept? What about, say, the ‘integrity’ part of the CIA triad: in what ways is integrity relevant and potentially necessary or valuable to the business? And what about information risks: how will the ISMS help manage those? What will the ISMS bring to the game that couldn't be done as well without it?
  4. Elaborating on that concerning the ISMS itself, what is it expected to achieve for the organization? How will a [certified] ISMS earn its keep across all of those areas – how will it make that easier, better, cheaper etc., more than offsetting the costs involved in establishing, operating and maintaining the ISMS? What are the priorities? In hard-nosed business terms, where’s the financial value in going down the [certified] ISO27k ISMS route when there are many alternatives, some of which might not be possible or might be delayed if finite resources are allocated to the ISMS implementation? And what are the risks associated with the ISMS itself, plus the implementation project? What might derail this train?
  5. With all that in mind, then, what are the key elements and factors relating to the ISMS – including things such as: its main purposes or objectives, expectations etc.; its scope [clause 4.3]; the anticipated net value (ideally with enough details behind that to measure and demonstrate the value achieved); its integration with the rest of the organization including other management systems, functions, departments, initiatives etc.; its risks; and how will all that be governed, managed, directed and controlled?

That’s how I personally would read and interpret clause 4. My interpretation goes way beyond what the standard literally says and formally requires, and there are some on the ISO27k Forum who would argue (with good cause) that – as usual – I’m blabbering on, making a mountain out of a molehill and over-complicating matters (yup, guilty as charged!). The KISS approach would involve doing the least amount possible in order to convince the certification auditors that we have done what is required in the standard: I understand that perspective, and appreciate that certification and simplicity are legitimate and valuable objectives in their own right … and yet I believe we can achieve even more value from ISO27k by going beyond the minimalist formalities, designing and building an ISMS that adds even more value to the business, which in turn will help ensure its longevity and deeper integration into the organization. There's reason to my madness.

Further reinforcing the broader perspective, ISO/IEC 27003:2017 (the very useful ISMS implementation guide) has a full two pages of explanation and guidance just on section 4.1. I'm not going to lay it out here though. Go read the standard!

In practice, the outcome of those competing pressures is generally something in the middle. At the time of certification, the ISMS has to be at or above the minimum formally required in ‘27001. The question is how far above should it be? In which respects is it worth going above and beyond?

Personally, I’m keen to explore the wider business objectives and possibilities (the business risks and opportunities associated with the ISMS - the stuff that clause 6.1 should have addressed if it hadn't fallen down the information risk rabbit hole) at the outset, in order to ensure that the ISMS is designed with those longer-term goals in mind, even if in the short-term it barely does what it has to do. It's about persuading management to invest in information risk and security management because that's the route to prosperity for the organization. Scoping, directing and launching the ISMS are the critical first steps on a long journey. So let's set off on the right foot, eh? Let's at least assemble the A-team to design the edifice and construct sound foundations using building materials that won't crumble if/when we decide to add a second storey. The ISMS needs integrity too.