When implementing ISO27001, we see a number of organisations making the same mistakes, time and time again: from over-complicating their Information Security Management System (ISMS), to writing policies that are difficult to read or understand.
But there is one mistake made not only by the end users and implementers of the ISO27001 standard, but also by the vast majority of consultants and professionals working on it. What is this mistake? They make information security hard work and BORING!
You cannot expect to implement ISO27001 within an organisation if you make the topic boring and hard work. Yes, we know it’s important, but not everyone thinks that way. If your ISO27001 programme is stalling, then you need to think about engaging differently with the business.
Here are just some ideas that will hopefully kick your ISO27001 and information security programme into life!
Strategies for Success: The Board
If you’re implementing ISO27001, you know that one of the first steps you need to take is to gain senior leadership buy-in to the process. You need to persuade them that ISO27001 is the right thing to do. In truth, they may be partially engaged because they’ve heard it will help them win business and retain clients. We wrote about this in a previous blog post, where we talked about the reasons organisations should implement ISO27001.
But even the most engaged board members will quickly lose interest if you don’t approach the topic with them in mind. What do we mean by this? You need to ask how ISO27001 will make their lives better. The answer will be different for the CTO than for the COO. The Head of HR will have different objectives and goals from the CEO. So what are the ‘hot spots’ for each person sitting around the boardroom table? Consider it from their perspective and get them excited to be involved.
Strategies for Success: Employee Training
This is similar in many ways to the Board. You need to communicate the importance of information security and ISO27001 in terms that make sense to THEM. Don’t just think about your company. Appeal to them personally: explain how they can secure their home WiFi, and why this matters for protecting their children. Explain scammers and phishing in terms of online dating scams and dating apps. Explain how ransomware works, but talk about the risk to their home videos and family photos, which most people store digitally.
By talking to them and educating them personally, you don’t have a big jump to make when explaining why malware protection is important and why having 2FA enabled on accounts is a necessary control.
Talk in terms they understand
Similarly, don’t use complex language and confusing policies that go on, and on and on! Policies should be to the point. They should be easy to follow and implement. And yes, they should even be fun to read! It really is possible to do this. We know, because we do it! If you want someone to watch a film to the end, you don’t make it 4hrs long, with no real sense of excitement or interest! But that’s how many security professionals seem to approach the development of policies.
Keep them short. Think about the end user and what you want them to do, or feel, or how you want them to act based on the policy.
Strategies for Success: Employee Awareness
ISO27001 has its own control related to Training and Awareness (A.6.3 Information security awareness, education and training), and makes the point that there are three aspects to this control:
· Awareness
· Education
· Training
This means they should be seen as different levels. Awareness is important, but possibly the easiest of all because it’s about making people ‘aware’ of a specific topic, risk or issue. For example, I can make you ‘aware’ that we have a set of security policies. I can then make you ‘aware’ that one of these policies relates to keeping your desk clean.
Following this, I might educate you on the reasons why we have a set of policies, and what we expect you to do with them. Education could also include having your developers attend a session aimed at helping them understand the technical aspects of the Secure by Design principle.
Finally, I might train you on how to follow our policies or procedures. This requires more time and perhaps further documentation, and it would be a repeating event (think of “training” in the gym: you don’t just go once!). Training might include regular sessions on key principles of the General Data Protection Regulation (GDPR), and how it relates to your role.
The point is, remember to think about these topics separately, but start with awareness.
Strategies for Success: Make it fun!
One final point I will make here is that you need to have fun with this topic. It’s possibly the most important aspect of information security: gaining buy-in from every level. But if you don’t make it fun (and by fun, we mean entertaining, educational and/or inspirational), then your programme will ultimately fail.
This is the time to unleash your creative side. Run some competitions. Create some posters. Record some interviews and videos.
Don’t let your programme fail, because you feel this topic is ‘too serious’! Yes, it’s a serious topic, but that doesn’t mean you can’t educate, entertain and inspire people in a creative way.
If you find yourself confused by any of the above or you need more inspiration, or ISO27001 consulting, you can get in touch with us to discuss how we can help. There are some topics that we cover on our FAQ page, so check that out too.