Innovative approaches to ISO/IEC 27001 implementation
This week I've read an interesting, inspiring piece by Robin Long exploring the costs, benefits, approaches and strategic options for implementing ISO27k.
I like Robin's idea of trying things out and banking some 'security wins' before committing to a full implementation. A full-scope ISMS is a major commitment requiring strong understanding and support from management, requiring a high degree of trust in the team and CISO/ISM/project leader as well as the [planned] ISMS. Demonstrating and celebrating security wins is a good way to build trust and sustain it, once the ISMS is running.
I'm also intrigued by the possibilities of unconventional, creative, less boring approaches to implementation project planning - for example, instead of plodding sequentially through ISO/IEC 27001, clause-by-clause, think about:
- Parallelling-up activities where it makes sense and saves elapsed time;
- Consciously delaying difficult/troublesome activities (whatever they might be) until other stuff is well under way, and management is more comfortable with the entire approach;
- Farming-out chunks of work to other departments such as Risk Management or Business Continuity or Legal or Procurement or Audit - in a big organization anyway - and of course IT in most;
- Contracting-in specialist expertise for particular activities - not just getting the work done but learning how to do it yourself next time*;
- Working 'backwards' from conformity, in other words start by planning to do the least amount possible to achieve certification, secure management support to implement a minimalist ISMS, do it ... and then see where it leads from there;
- Opportunistic approaches, piggybacking off planned and approved investments in other areas (e.g. various IT, security control, risk management improvements or governance changes or other strategic initiatives) to reduce the incremental cost of completing a full ISMS implementation;
- Similarly, quietly assembling and putting in place the support framework, resources and understanding necessary for a future ISMS implementation, when the time is ripe;
- Other ideas? I'd love to hear your thoughts here. Comments are open.
* Perversely, as a consultant, I like doing myself out of a job! It is immensely gratifying to help clients learn, develop and discover that they can cope perfectly well without me - a bit like a parent seeing their progeny growing up, leaving the nest and thriving. I've never worked for the Big-N consulting companies. Does it show?