Management Buy In Security

Does your top management buy into the whole ethos of it?

So, how does your company address information security as a whole?  Does your top management buy into the whole ethos of it? Or do they see it as a pain and do the bare minimum to show willing?

• Does your top management hold periodic meetings to address their information security management system (ISMS)?
• Do they keep you in the loop and communicate appropriately?
• Do any of you get to join in these meetings, if held? Do these meetings have an agenda? Are minutes taken? Are the topics on point in relation to information security

Why not ask your top management these questions, and at the same time see if they are familiar with Control 9.3 – Management Review of the ISO 27001 Standard. Ok, I admit there are a lot of controls in the Standard – 114 to be precise. However, I thought I would highlight this one to see if your top management is having review meetings around Information Security on a regular basis.

‘Top Management shall review the organisation’s ISMS management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.’

Control 9.3 goes on to detail the topics that need to be discussed at these meetings. Do you cover any of the following topics in your meeting? If not, why not raise these points at your next meeting and include them going forward.

• Status of any actions from the previous meeting – to ensure progress is being made.
• Have there been any internal/external information security-type issues that could impact your security management? Examples could be a broken fence to the perimeter or a supplier not happy with how you are managing your security.
• Have there been any audits (internal or regulatory) since the last meeting? What was the outcome? Were there any security-related findings that need to be addressed? Who is fixing them and when?
• Is there a monitoring/measurement system in place that records security breaches? Do any of these need to be discussed in more detail and addressed? Examples could be human error or someone opening an email that they shouldn’t have.
• Your company will no doubt have business objectives. However, does it have information security objectives, and are these fully communicated throughout? Does your top management discuss security objectives at the meetings and how do they know that these are being met?  Are existing security objectives still fit for purpose or do they need to be reviewed?
• Does your top management get feedback from interested parties – ie. your neighbours, suppliers, customers, employees? Regardless of whether this feedback is positive or not so positive, do you act upon it?
• Now I assume there will be a risk register of sorts within the company. Does it include information security and are these issues talked about in the meeting? Do you look at any deemed high risk to see how to address them? Are any not moving? Are there anywhere simply ‘accepting the risk’ is this the right output?
• An important topic is a continual improvement in relation to information security. Is this mentioned at all? It may be something as straightforward as generating an awareness campaign promoting a particular security topic – phishing for example.

Discussing all of the above in your meetings will go a long way in satisfying control 9.3 if you were to aim for the ISO 27001 certification. Remember to ensure there is an agenda and there are notes typed/recorded so there is evidence of it happening. Evidence is super important too!Please contact us here to speak to a member of our team.