My company was certified to ISO 27001. But because of a bad implementation by my predecessors (the previous InfoSec team), an ISMS not in line with IT teams and other business departments, top management has stopped the certification process. Now I'm struggling to put InfoSec in a good position in the organization and I need to relaunch security awareness from scratch. I hope that one day I will be able to push again for ISO 27001 certification.
I should write a post about it, because a bad ISO 27001 certification project, totally outsourced, with the sole objective of obtaining a marketing advantage, can definitely be a real waste and really counterproductive for infosec teams.
If you have any ideas for restarting an ISMS project from this kind of situation, I would be grateful.
Answer: To restart an ISMS project after such problems, you should focus on solving the problems the affected areas are currently experiencing (e.g., low performance on KPIs, unplanned downtime, rework, non-compliance fines, missed deadlines), by means of quick implementation of controls based on solid risk assessments (and less focus on the other elements of the management system).
It may seem odd to start like this, but the point is to try to regain top management commitment and people's trust in information security (few but effective controls will help you with that), and only after achieving that should you try to demonstrate that in the long run the gains can only be maintained with the help of the other elements of the management system (e.g., internal audit, management review).
These articles will provide you with further explanation of the benefits of ISO 27001:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
- 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/