Aligning information security with the strategic direction of a company according to ISO 27001
There is one requirement of ISO 27001 that is very rarely mentioned, and yet it is probably crucial for the long-term “survival” of an Information Security Management System (ISMS) in a company: this is the requirement from clause 5.1 that says that top management needs to ensure that the information security policy and information security objectives are “compatible with the strategic direction of the organization.”
First of all, what does strategic direction mean?
Company strategy and strategic direction
There are many definitions of business strategy, and it seems that Michael Porter’s definition is one of the most popular – he defined strategy as a “broad formula for how a business is going to compete, what its goals should be, and what policies will be needed to carry out those goals.”
For the term strategic direction there is no single authoritative definition, but most sources agree that strategic direction means specifying objectives, developing policies and plans to achieve those objectives, and providing the resources needed to do so. Some sources simply say that strategic direction is about setting the company's vision, strategy, and tactics: the vision sets the overall goal to be achieved, the strategy defines how this is done, and the tactics are the concrete activities that need to be performed.
So, how can information security help the company to compete, support its plans for achieving strategic objectives, and provide resources for achieving its business strategy?
In my view, this can be achieved through initiatives that go in two directions: from the information security professionals towards top management, and from top management towards the information security professionals.
Defining the business benefits of information security
As I mentioned in my article Four key benefits of ISO 27001 implementation, information security professionals should find a reason why top management must care about the ISMS. To achieve this they have to focus on business benefits, because those benefits are what can make information security attractive enough for top management to give its activities sufficient priority.
In the mentioned article I listed four potential benefits: compliance with legislation and contractual obligations, marketing advantage, cost reduction, and better internal organization.
After you select the most appropriate business benefits for your company, you have to present those to the top management – here’s an article that will help you do that: 4 crucial techniques for convincing your top management about ISO 27001 implementation.
Making strategic decisions about information security
Once the top management starts realizing the importance of information security for their company, what is it that they have to do?
According to the article Mastering the art of corroboration: A conceptual analysis of information assurance and corporate strategy alignment (published in 2007, but still very relevant), top management needs to make some crucial decisions on how information security fits into the company; i.e., it needs to decide between the following trade-offs:
- Necessity for creativity versus the use of information assurance procedural controls
- Necessity for trust among employees versus top-down control
- Ease of doing business for stakeholders versus an increased exposure to threats
- Insourcing versus outsourcing
- Reputation of the company versus bottom-line profits
Further, according to the research conducted in 2013 by McKinsey and World Economic Forum on cybersecurity (the results are published in this article: Why senior leaders are the front line against cyberattacks), in companies that are the most successful in information security, the senior managers are doing the following:
- Actively engaging in strategic decision making
- Driving consideration of cybersecurity implications across business functions
- Pushing changes in user behavior
- Ensuring effective governance and reporting are in place
ISO 27001 itself requires some activities to be performed directly by top management – you can see them in this article: Roles and responsibilities of top management in ISO 27001 and ISO 22301. Additionally, top management will need to approve the budget for ISMS implementation and maintenance, and to accept the residual risks. Strictly speaking, ISO 27001 clause 6.1.3 requires the risk owners to accept the residual risks, but in practice the risk owners are usually members of top management, or top management provides this acceptance on their behalf.
The virtuous cycle
Of course, I’m not suggesting that these two initiatives should be carried out separately – rather, they should form a cycle: information security professionals suggest some business benefits to top management; once top management realizes the potential, it takes a closer interest and starts making the crucial decisions; this in turn generates new ideas about information security benefits, and the cycle goes on.
For example, the top management of a retail company decides that it needs to increase its market share on the Internet through its web shop, so the company’s CISO suggests that ISO 27001 certification could help reduce the risk of hacking attacks and also increase the trust of potential buyers. As the implementation of the ISMS begins, top management needs to decide which risks are acceptable and how much the existing processes must be tightened to make them secure. During this process, the CISO discovers new ways to improve these processes and decrease the cost of operations.
To document all of this according to ISO 27001, these initiatives need to be reflected in the information security policy and the security objectives. To use the same example, this retail company might define overall security objectives for the number of security incidents affecting its web shop, and for how secure its buyers perceive the shop to be (which can be measured through customer surveys). Its information security policy should reflect the fact that the Internet as a sales channel will become more and more important to the business, and that all other processes in the company will have to become both more oriented towards Internet sales and more secure.
Therefore, information security becomes an important part of strategic decision making, and consequently, a part of everyday operations of all employees in a company. What do you think – is this too difficult to achieve?
Click here to download this free white paper: Integration of Information Security, IT and Corporate Governance to learn how to integrate cybersecurity with other functions of the company.