Benefits of ISO 27001
The other day I was talking about my plans to give the ISO 27001 Lead Auditor training and someone asked me about the benefits of ISO 27001.
I did give her an overview of my opinion, but while browsing on LinkedIn in one of the groups I have joined (CGEIT Network (Certified in the Governance of Enterprise IT)) I found the following question regarding ISO 27001 by Mark E.S. Bernard (whom I have to thank for allowing me to use his opinion on ISO 27001).
How can ISO/IEC 27001 help solve IT Governance issues?
Has anyone utilized ISO/IEC 27001 to help solve IT Governance issues like Data Governance etc…?
He answered with the following points:
- Management's commitment to a management system providing governance over information company-wide, including data governance
- Clarification of accountability for controls over assets leading to formalization of roles and responsibilities, who needs to be consulted during decisions and actions, who needs to be informed of the results, who needs to conduct the actions
- Asset inventory allowing the formal identification of information repositories in addition to software, hardware, people, telecommunications and physical property
- Information classification identifying the categories of information and what controls need to be applied during the course of regular business activities
- Risk management allowing management to make decisions based on risk to the business and make changes to align risk to business information with that of the Enterprise risk appetite. This includes reporting through the risk treatment plan which feeds directly into the Enterprise Risk Management process
- Monitoring through regular management meetings and audits staying on top of action plans and addressing any issues for resourcing or capital. This also includes addressing any issues that block progress
- Continuous improvement allowing management to address quality, which translates into cost savings by supporting and following up on defects in service delivery impacting availability, software and information repositories impacting data integrity and confidentiality, enforcing security standards and processes, etc.
For my part, agreeing with Mark, I have been able to use ISO 27001 to get management's commitment. Once you align governance efforts with internationally accepted standards, frameworks, or guidelines, it helps with management's buy-in. Most auditors also feel more comfortable once they see your controls aligned to a standard like ISO 27001. On the other side, it can also create great road maps towards improvement. I have been involved in various assessments where a gap analysis is made of how an organization aligns to ISO 27001.
Once we get the current state and understand the process, we move into mapping what the ideal future state would be. Then the key part is establishing goals and milestones in an organized road map to get from the current state to the future state.
ISO 27001 works ideally for this kind of situation.
Are there other ways in which you have utilized ISO 27001 effectively to start, improve or simply execute an IT Governance related project?