It’s not that we haven’t been trying to get ISO 27001 sooner and it’s not like we don’t know what we should be doing. We help customers obtain the standard all the time. It was only when the key players in our company got together and said “OK, we are going to do this” We took a page out of Oracle’s playbook and decided to “eat our own dog food”. This involved utilising our policy management software that helped to get everyone to sign up to our policies and our eLearning. We also adopted our employee awareness methodology called Generating Change Through People to ensure the proper buy-in from staff. We believe we are setting off on a multi-year journey. We just did not want our information security management system to be a folder gathering dust in a filing cabinet.
Interestingly we found that the concept of confidentiality, integrity and availability was one that required a lot of effort to communicate. It appears that most people assume that lack of availability or access to data is the only information risk that effects them. We had to utilise a number of eLearning approaches with different audiences in order to deliver the learning. One of the learning titles is cartoon-based and the other is more corporate. It was interesting to see which staff members reacted best to the alternative content.
It's hard to believe that ISO 27001 is a minimum standard. We are glad we have reached a key milestone in our journey to protect our information assets. It is just a milestone and it will encourage us to become even more serious about cyber security and ensure we remain thought leaders in this critical business market.
ISO 27001 is the international standard of information security management published by the International Standardization Organization (ISO). ISO 27001 sets out the specification for a company’s information security management system (ISMS). A ISMS is a framework of policies and procedures that include all legal, physical and technical controls involved in information risk management processes.