Thursday, September 13, 2007

Upper Management Support

My first blog post on Information Security is about the importance of having upper management take part in the kick-off meeting of an ISO 27001 security project. This idea comes from what I learnt on the Project+ course, together with my experience of dealing with Information Security for my clients.

I was recently part of an assignment where we consultants were given the objective of setting up an ISMS for the organization. The scope of the assignment was the setting up of the ISMS for the entire organization (oh boy!). So we started off by meeting the IT Team and their various function heads, the Network Department, the Software Development Team, etc. Given the ease with which we were getting information, we soon believed that we would have covered the business processes of the entire organization within a week's time. Little did we know that it was not meant to be. After IT, we decided to meet the other departments, only to be told that we were not being given confirmed dates for the meetings. This practically went on for quite some time, and even the few people whom we did meet looked at us with suspicion; they were not open enough to discuss the issues they faced. With hindsight, we realised that we had missed one crucial element in this entire process: an initial upper management meeting.

Information Security is generally sold to the IT Department of an organization. What I mean by sold is that consulting companies would generally approach the IT Department to sell a particular service such as a Vulnerability Assessment or a Technical Audit, or for that matter even an ISO 27001 standard implementation.

Although the first two services mentioned (and the findings from these activities) are to a great extent the responsibility of the IT Department, with probably no involvement of the other business heads, the last one is not. The ISO 27001 exercise is not an IT project in any respect. It demands strong management support and direction even before the start of the project, besides an understanding of how the business functions, in order to get a realistic picture of the business risks.

I believe this issue can be overcome by adopting the steps mentioned below.

a) At the time of the tendering process, the IT department should attempt to buy in support from the upper management for the ISO 27001 exercise. ISO 27001 exercises for the entire organization, or for that matter even for certain departments, are possible only if the upper management (which should also include the CEO or Directors of the company) provides wholehearted support to the process. What I mean by wholehearted is that they should not just pay lip service to their support, but be part of and implement the ISMS themselves.

b) During the kick-off meeting, the CEO or an equally high-level management member should be requested to be present to give a brief talk about how the management sees information security and how important the project is to them. (This is obviously possible only if step one is done right.)

I believe that if the CEO of a company is able to convey the message to his people "that security is important to us and our business", there will be more wholehearted support from the various business leaders in the organization. The ISMS is then implemented in the right spirit (and we consultants can breathe easy :)
