{"id":10868,"date":"2017-02-20T18:37:39","date_gmt":"2017-02-20T18:37:39","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=10868"},"modified":"2024-12-21T13:37:44","modified_gmt":"2024-12-21T13:37:44","slug":"strategic-direction-of-a-company-according-to-iso-27001","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2017\/02\/20\/strategic-direction-of-a-company-according-to-iso-27001\/","title":{"rendered":"Aligning information security with the strategic direction of a company according to ISO 27001"},"content":{"rendered":"<p>There is one requirement of <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>\u00a0that is very rarely mentioned, and yet it is probably crucial for the long-term \u201csurvival\u201d of an Information Security Management System (ISMS) in a company: this is the requirement from clause 5.1 that says that top management needs to ensure that the <a href=\"\/27001academy\/documentation\/information-security-policy\/\" target=\"_blank\" rel=\"noopener noreferrer\">information security policy<\/a>\u00a0and information security objectives are <em>\u201ccompatible with the strategic direction of the organization.\u201d\u00a0<\/em><\/p>\n<p>First of all, what does <em>strategic direction<\/em> mean?<\/p>\n<h2>Company strategy and strategic direction<\/h2>\n<p>There are many definitions of business strategy, and it seems that Michael Porter\u2019s definition is one of the most popular \u2013 he defined strategy as a \u201c<em>broad formula for how a business is going to compete, what its goals should be, and what policies will be needed to carry out those goals<\/em>.\u201d<\/p>\n<p>For the term strategic direction, there are no gurus who have defined what this would mean, but most of the sources say that strategic direction means specifying objectives, developing policies and plans to achieve these objectives, and providing 
resources for achieving this. Some sources simply say that strategic direction is about setting the company vision, strategy, and tactics, meaning that vision sets the overall goal to be achieved, strategy defines how this is done, and tactics are the concrete activities that need to be performed.<\/p>\n<p>So, how can information security help the company to compete, support its plans for achieving strategic objectives, and provide resources for achieving its business strategy?<\/p>\n<p>In my view, this can be achieved through initiatives that go in two directions: from the information security professionals towards the top management, and from the top management towards the information security professionals.<\/p>\n<h2>Defining the business benefits of information security<\/h2>\n<p>As I mentioned in my article <a href=\"\/27001academy\/knowledgebase\/iso-27001-implementation-checklist\/#benefits\" target=\"_blank\" rel=\"noopener noreferrer\">Four key benefits of ISO 27001 implementation<\/a>, information security professionals should find a reason why the top management must care about their ISMS \u2013 and to achieve this they have to focus on business benefits, because those benefits are what can make top management interested enough to give information security activities sufficient priority.<\/p>\n<p>In that article I listed four potential benefits: compliance with legislation and contractual obligations, marketing advantage, cost reduction, and better internal organization.<\/p>\n<p>After you select the most appropriate business benefits for your company, you have to present them to the top management \u2013 here\u2019s an article that will help you do that: <a 
href=\"\/27001academy\/blog\/2016\/09\/12\/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation\/\">4 crucial techniques for convincing your top management about ISO 27001 implementation<\/a>.<\/p>\n<h2>Making strategic decisions about information security<\/h2>\n<p>Once top management starts to realize the importance of information security for the company, what exactly does it have to do?<\/p>\n<p>According to the article <a href=\"https:\/\/www.researchgate.net\/publication\/220306226_Mastering_the_art_of_corroboration_A_conceptual_analysis_of_information_assurance_and_corporate_strategy_alignment\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Mastering the art of corroboration: A conceptual analysis of information assurance and corporate strategy alignment<\/em><\/a>\u00a0(published in 2007, but still very relevant), top management needs to make some crucial decisions on how information security fits into the company; i.e., it needs to weigh the following trade-offs:<\/p>\n<ul>\n<li>Necessity for creativity versus the use of information assurance procedural controls<\/li>\n<li>Necessity for trust among employees versus top-down control<\/li>\n<li>Ease of doing business for stakeholders versus an increased exposure to threats<\/li>\n<li>Insourcing versus outsourcing<\/li>\n<li>Reputation of the company versus bottom-line profits<\/li>\n<\/ul>\n<p>Further, according to the research on cybersecurity conducted in 2013 by McKinsey and the World Economic Forum (the results are published in this article: <em><a href=\"https:\/\/www.mckinsey.com\/business-functions\/digital-mckinsey\/our-insights\/why-senior-leaders-are-the-front-line-against-cyberattacks\" target=\"_blank\" rel=\"noopener noreferrer\">Why senior leaders are the front line against cyberattacks<\/a><\/em>), in the companies that are most successful in information security, senior managers do the following:<\/p>\n<ul>\n<li>Actively 
engaging in strategic decision making<\/li>\n<li>Driving consideration of cybersecurity implications across business functions<\/li>\n<li>Pushing changes in user behavior<\/li>\n<li>Ensuring effective governance and reporting are in place<\/li>\n<\/ul>\n<p>ISO 27001 itself requires some activities to be done directly by the top management \u2013 you can see them in this article: <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2014\/06\/09\/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301\/\">Roles and responsibilities of top management in ISO 27001 and ISO 22301<\/a>. Additionally, the top management will need to approve the budget for information security implementation and maintenance, and approve the residual risks (they usually provide this approval on behalf of the risk owners).<\/p>\n<h2>The virtuous cycle<\/h2>\n<p>Of course, I\u2019m not suggesting that these two initiatives should be done separately \u2013 rather, they should be part of a cycle: information security professionals suggest some business benefits to the top management; when top management realizes the potential, it takes a closer interest and starts making crucial decisions; this in turn creates new ideas for information security benefits, and the cycle goes on and on.<\/p>\n<p>For example, the top management of a retail company decides that it needs to increase its market share on the Internet through its web shop, so the company\u2019s CISO suggests that ISO 27001 certification could help reduce the risk of potential hacking attacks and also increase trust from potential buyers; as the implementation of the ISMS begins, the top management needs to decide which risks are acceptable, and how much the existing processes have to be tightened so that they are secure. 
During this process, the CISO discovers new ways to improve these processes and decrease the cost of operations.<\/p>\n<p>To document all of this according to ISO 27001, these initiatives need to be reflected in the information security policy and the security objectives \u2013 to use the same example, this retail company might define overall <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&#038;doc=measurement-report\" target=\"_blank\" rel=\"noopener\">security objectives<\/a> related to the number of security incidents in its web shop and to how secure its buyers perceive the shop to be (information the company can gather through surveys). Its information security policy should reflect the fact that the Internet as a channel will become more and more important to the business in general, and that all other processes in the company will have to become more oriented towards Internet sales and, at the same time, more secure.<\/p>\n<p>Therefore, information security becomes an important part of strategic decision making and, consequently, a part of the everyday operations of all employees in the company. 
What do you think \u2013 is this too difficult to achieve?<\/p>\n<p><em>To get the templates for all mandatory documents and the most common non-mandatory documents, along with a wizard that helps you fill out those templates,<\/em> <a href=\"https:\/\/advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\">sign up for a free trial<\/a> <em>of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>There is one requirement of ISO 27001\u00a0that is very rarely mentioned, and yet it is probably crucial for the long-term \u201csurvival\u201d of an Information Security Management System (ISMS) in a company: this is the requirement from clause 5.1 that says that top management needs to ensure that the information security policy\u00a0and information security objectives are 
&#8230;<\/p>\n","protected":false},"author":26,"featured_media":10869,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,815,1576,1577],"class_list":["post-10868","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-top-management","tag-business-strategy","tag-strategic-direction"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=10868"}],"version-history":[{"count":3,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10868\/revisions"}],"predecessor-version":[{"id":103238,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10868\/revisions\/103238"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/10869"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=10868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=10868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=10868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}