Infosec roles & responsibilities
For the next phase of SecAware ISMS, I'm documenting the management process for determining and allocating information risk and security responsibilities.
The procedure itself is straightforward - just one page of written instructions covering a simple four step process - but a raft of examples of the activities various functions perform in relation to information risk and security takes it up to six pages, even though the examples are presented tersely as bullet points.
It turns out there may be several corporate functions, teams and individuals, each performing numerous activities relating to information risk and security.
Admittedly, my knowledge in this area has accumulated in the course of working mostly for large, relatively mature organisations, a couple of which had all of the functions staffed by professionals busily performing virtually all of the activities. Small-to-medium sized organisations don't have the luxury of being able to carve up the work among dedicated teams of specialists, so they usually get by with multi-tasking and perhaps assistance from third parties. Information risk and security is tougher for micro-organisations, particularly if they don't even have anyone who appreciates the need to manage information risk and security, privacy, compliance, business continuity etc.
The ISO27k framework can help all types and sizes of organization provided it is interpreted and applied sensibly according to the business context and needs. Even though a multinational bank, say, might have specialists within HR and other functions whose job it is to prepare job descriptions, vacancy notices, training plans etc., our generic list of information risk and security activities may be a useful prompt to confirm that they have all the bases covered. A micro-company will not need to perform every listed activity, and will have no choice but to concentrate on the few that matter most. Either way, the process of management deciding what the necessary activities should involve and, where appropriate, assigning responsibilities to the relevant workers, corporate functions or third parties, is much the same and hence worth laying out in a generic procedure.
As I'm drafting the procedure, I'm itching to mention related aspects such as governance, accountability, access control, competence, oversight, monitoring, resilience and more ... but those would be distracting details. Paring away peripheral issues to concentrate on the matter at hand (the essentials for an ISO/IEC 27001-compliant ISMS) is a cathartic experience for me, a big-picture thinker by nature. Laser-focusing is hard for me! Meanwhile, this blog is my relief valve: here, I've brought up some other matters and acknowledged their relevance without turning the procedure into War and Peace.
The same point about focus applies to the job descriptions we are providing: our templates outline the role and what is expected of workers in just one side of A4 per job. Again, they are generic, stating typical key requirements for significant roles in general terms with the intention that customers customise them as necessary, probably elaborating on certain aspects that happen to be more important to them.
As the templates fall into place, we'll release the next phase of SecAware ISMS in a week or two. I would like to cover commonplace management controls, drawn from '27001 Annex A, but I need to remind myself that I'm not Tolstoy. We're providing just the bare bones and inspiration to get customers' ISMSs up and running, not The Whole Enchilada. It's quality not quantity that matters most.
UPDATE: SecAware ISMS Take-off is on sale now, including this template.