A question on the ISO27k Forum today, from someone convinced that a network diagram is what he needs to scope his Information Security Management System, coincided with some strategy and metrics work I'm doing for a client. In both cases, it helps to elaborate on and clarify the business reasons why it’s important for the organization to both protect and exploit information. What is it that makes information so valuable that it is worth protecting?
In short, what's the point?
Understanding and elaborating on those business objectives is very useful for several reasons:
- They form a direct link between ‘the business’ through ‘valuable information’ to ‘information risk’ to ‘information security’ (and other risk treatments, since information security controls are not the whole deal). Hence we information security pros are not just promoting what we claim to be good security practices for the sake of it, but pushing certain things because we care about helping the organization achieve its goals, and believe those things are worthwhile for the business. In my experience, the business-first approach makes it harder for anyone to push back. It knocks the wind out of their sails if the ISMS is clearly aligned with corporate strategies. Resistance is futile.
- Details such as what kinds of information are essential/most valuable, and why, are useful when it comes to identifying and evaluating the associated information risks. It’s good to know what kinds of business impact are of most concern, what information assets are therefore most in need of protection … and also, implicitly at least, what information can safely remain at risk. This helps prioritize the risk management and focus on the Stuff That Really Matters (to the business, not just to us in information security). It’s also handy to know what degree of confidentiality, integrity and availability is needed, and which of those aspects are the most important. This all supports maintaining a sense of perspective.
- The business objectives and priorities are needed to identify meaningful security metrics. Rather than attempt to measure everything/anything and obsess about random trivia, focus on measuring the Stuff That Really Matters and make sure that (at least) is on track and under control. Assurance – being able to demonstrate, convincingly, that we’re on top of things – is one of the least obvious and yet most important benefits of an effective ISO27k ISMS. I’m not just talking about the certificate of compliance to ISO/IEC 27001 from an accredited certification body, but about the confidence that assurance gives management, allowing the business to do what it needs to do (including exploiting its own information) safe in the knowledge that its valuable yet vulnerable information is sufficiently protected. [This is the old saw that racing cars need bloody good brakes: without strong, reliable, proven brakes, drivers would be far less confident and able to press hard into the corners. Good brakes let cars go faster!]
- The objectives probably include compliance with various externally-imposed obligations, particularly … but is the intention to ‘do the least amount we can reasonably get away with in this area’ or ‘satisfy and go beyond the compliance obligations because there is business advantage in doing so’? Are imposed compliance obligations simply constraints, or are there opportunities as well as risks in this area? I’m hinting here at aspects such as the organization’s branding and image, plus corporate social responsibility, plus grand strategic aims with long-term consequences. For example, compare a healthcare company that struggles to fulfill its legal obligations on privacy against one that easily surpasses those requirements and is able to reassure customers/patients as well as other stakeholders that it takes privacy seriously.
- “Key” objectives are like milestones. They are aiming points, opportunities to make demonstrable progress by pushing in a certain direction, avoiding diversions and swamps by plotting a sensible route. Achieving an objective can be a major cause for celebration, providing positive feedback that makes it a little easier to press on to the next one. So, if lower-level objectives for business units, departments, teams, etc., or for the ISMS, are linked to the organization's grand strategic objectives, it gives purpose and meaning to what we’re doing … and achieving objectives is a good excuse for a party!