Super management systems

ISO 22301, already an excellent standard on business continuity, has just been revised and republished. Advisera has a useful page of info about ISO 22301 here.

There’s quite a bit of common ground between business continuity and information risk and security, especially as most organizations are highly dependent on their information, IT systems and processes. The most significant risks are often the same, hence it makes sense to manage both aspects competently and consistently. The ISO ‘management system’ structured approach is effective from the governance and management perspective. 

Aligning/coordinating the infosec and business continuity management systems has several valuable benefits since they are complementary. 

Extending that thought, it occurs to me that most if not all other areas of management also have information risk and security implications:

• Physical site security and facilities management (e.g. reliable power and cooling for the servers);
• IT and information management (dataflows, information architecture, information systems and networks and processes, intellectual property, innovation, creativity);
• Change management (ranging from version control through projects and initiatives up to strategic changes);
• Incident management (see below);
• Risk management (as a whole, not just information risks);
• Privacy management;
• Relationship management (relationships with suppliers of goods and services, business partners, customers and prospects, owners/investors, authorities and other stakeholders, communities);
• Compliance management (laws and regs, contracts and agreements, corporate policies, ethics);
• Health-and-safety plus HR management (people are invaluable information assets!  Corporate culture, change/initiatives, motivation and compliance);
• Product and operations management (core business!);
• Quality management (especially quality assurance);
• Assurance (reviews, audits, testing and checking functions, both internal and external);
• Financial and general commercial management. 

Your management might even consider developing a corporate strategy or policy to adopt ISO Management Systems where available, perhaps with an overarching ‘governance committee’, 'executive team', 'board' or similar to drive the alignment, exploit the common ground between them, and address any gaps, conflicts or other issues arising. You probably already have such a beast (commonly but ambiguously known as "senior management", the "C-suite" or "mahogany row"), although it may not consider itself to be operating a super-management-system.

You might even take this a step further, aiming to integrate rather than simply coordinate and align those management systems. An obvious example concerns incident management - even something as basic as having a single multi-function contact point (Help Line, Service Desk or whatever) to receive and assess incident reports, initiate the relevant activities and coordinate communications among those involved.

Or not. The ISO MS approach is not the only option, and there may well be something even better for your organization – other standard methods, ‘best of breed’ solutions, something home-grown or a patchwork. There may be sound business reasons for keeping various areas separate (e.g. if they are, or might be, contracted out). I’m simply suggesting that coordination, alignment and integration between management systems might be worth considering, if and when you and your management are in a position to do so (not necessarily right now … although this is peak season for strategising and planning!).

I'll end today's sermon with a pertinent quote from an interview with Marc Goodman:

"CIOs and CISOs will also have to work much more closely with the executives in charge of functions like HR, facilities, physical security, and loss prevention to close security gaps. The bad guys have repeatedly demonstrated their ability to slip through the gaps created when enterprises segment security across various functions within their organizations."

Marc describes himself as “a global strategist, author and consultant focused on the disruptive impact of advancing technologies on security, business and international affairs”. He holds the Chair for Policy and Law at Singularity University in silicon valley. So no slouch then.