© Abhishek Chopra, Mukund Chaudhary 2020
A. Chopra, M. Chaudhary, Implementing an Information Security Management System, https://doi.org/10.1007/978-1-4842-5413-4_10

10. Continual Improvement

Abhishek Chopra (1) and Mukund Chaudhary (2)

(1) Faridabad, Haryana, India
(2) Noida, India

“Continuous improvement is the only cultural value that could unify an organization as large and diverse as ours.”

—Anonymous

This final chapter discusses continual improvement. Is continual improvement still needed once you have implemented the ISO 27001 standard controls and have been audited/certified by an external certifying body? The fact is, your duty is not over once you are certified. Many organizations stop focusing on further improvements once they achieve certification, or stop adding scope areas that were not identified in earlier implementations. They assume that the normal controls have been implemented and that this alone will safeguard their company’s information security.

The plan, do, check, and act principle, mentioned in the previous chapter, states that your focus should always be on checking and acting. This will help you maintain the information security management system that you established after so much effort and time.

How does “check and act” help? Regular checks on security controls and their associated policies and standard operating procedures are the key. You must remember that there is no shortcut to achieving this. These checks will tell you where you still have gaps. Once you identify the gaps, it is time to act. That means working on improvement, which is a never-ending cycle.

Let’s first consider where you’ll learn about possible areas for improvement.

Areas of Improvement

Many organizations struggle in this area, as they don’t know how to identify the improvement areas or who will work on them. Once the external audit is completed, you receive the audit report. It tells you about the gaps/improvement areas and the organization’s strengths.

Hence, you can start from that report and identify the areas of improvement.

Monthly KPIs/Reports

These monthly reports always have something to tell you about the health of the system/controls and whether there are areas of concern. Once you start analyzing them, you’ll recognize consistent improvement areas. This is the fastest way to identify improvements, as you get these reports on a monthly or bi-weekly basis. Although it may not be possible to identify improvements every month, these reports provide a path to doing so if needed.

Employee Observations

Employees use the system daily and usually observe everything around them. They can share issues they observe, which you might never think about. Their eyes can see what yours cannot.

Employee incident reports are one of the important sources of improvement areas. These reports show loopholes in the system, whether they are small or big.

Note

All employees, including new employees who joined the organization recently, must be made aware of the practice of reporting incidents whenever they observe them.

New employees bring experience from previous employers in the way of best practices, tools/technologies, and so on, which they think could be followed at your company. Providing new employees the ways and means to share this kind of information with the security team is important. Such suggestions should be recorded on the improvement tracker form.

Tip

Employees whose ideas for improvement are incorporated could be awarded in some way. This might motivate other employees to share their ideas, which in turn could benefit the organization more than the reward paid to the employees.

Periodic Internal Audits

As important as the external audit is, periodic internal audits are equally important in terms of identifying improvement areas. The external audit focuses on continual improvements only and not on finding faults with the people/system. The periodic audit cycle also tells you what is working and what is not, whether it’s time to change a process, and whether something has not been followed for a long time. These gaps could be due to many different reasons. If you drill down to the important root causes, these are likely the improvement areas.

Management Review Meetings

During management review meetings, management/steering committee members will often share areas of improvement when they’re reviewing the business objectives/goals. Any improvement identified in this setting should be implemented.

Customers/Clients

Looking critically at your clients’ processes, tools, and systems, you could come to understand any area that poses challenges in safeguarding client information. If you drill down to the root cause of these issues (whether you lack the skills or have not used such tools/systems before), you’ll see this is an important area of learning.

New Tools/Technology

When a new, pertinent technology/tool is launched in the market, it becomes important to explore it. You need to determine whether it would be useful to the organizations you serve.

Your clients may expect you to have experience with these new technologies. Hence, your organization must review them on a timely basis and determine whether they are worth investing time and money in, in order to keep the organization on par with its competitors. If you are investing time and resources in this approach, it becomes part of the improvement implementation.

Regulatory/Governmental Laws

Any law mandated by the government must be adhered to; this cannot be avoided. You must consider not only the local laws but also any international or country laws where your clients are based. Otherwise, they cannot accept the products or services provided by the organization. Hence, whenever new laws are published, they must be analyzed. Any security controls implemented around them to safeguard information must be identified as part of the improvement tracker.

There could be many more sources from where you can get the improvement areas identified. This list is a starting point to help you to think about and find sources. Your long-term goal should be to maintain and improve the information security management system to the benefit of the organization.

Execution Plan

Once you have identified your actionable improvement areas, it is time to go ahead and implement them.

The main responsibility of the information security team is to collate all the gaps/improvement areas on the improvement tracker, in order of priority and with target dates. It would be difficult to work on all the improvements at the same time. Because of that, it’s better to sort them in order of priority, starting with the ones that could affect the business objectives/goals and might impact the business’s reputation.

Once the improvement tracker is updated, it must be reviewed with management, as it’s possible that more improvements could be added or removed, or the priorities could be changed.

The tracker/plan should forecast out about six months. Longer than that and it might lose importance or visibility. Issues are easier to track when they have a shorter duration. It is important to track the progress of each improvement and communicate the status to all on a periodic/planned basis. If there are issues, discuss them with the stakeholders as soon as possible, so that they don’t grow to become a bigger issue later in front of management.

Pilot the Improvement First

It’s very important to test-pilot the improvement first, as you cannot safely implement an improvement before testing it, especially if it is related to tools or technology. You need to know its impact on the system or the users. Plan a pilot, execute it on a small group of users or systems in a controlled environment, record the results, and carefully analyze them.

Once the test passes without incident, you can roll it out in a planned manner. It’s still advisable to monitor it for few more weeks or a month, to verify that everything is running smoothly. Users must know that the rollout is happening so they can report all problems or incidents to the information security department. The goal is to rectify the problems as soon as possible so there’s no disruption in business processes.

Measure Success

The success of the implementation is also measured in terms of the benefits the organization has achieved, and this must be regularly communicated to the management/steering committee. Most improvement areas take time and money to fix, and management is interested in knowing the benefits of those changes, or what ROI (return on investment) was attained.

Hence, the information security team must collate numbers from their improvement tracker and present them (with the benefits achieved) to management. This presentation can be done quarterly or twice a year, as there should be a good amount of progress at those intervals.

During this time if you do not make progress on some of the improvement areas, the information security team should take the blame. Don’t try to blame other members from various teams who were supporting you. Even though it is the responsibility of everybody to give their efforts toward securing the information of the organization, the responsibility of implementation is still on the information security team, as they are the driving force making the improvements.

Figure 10-1 shows a sample improvement plan tracker template.

[Figure 10-1: Sample improvement plan tracker template]

You should refrain from the blame game, as this can spoil your relationship with other teams in the organization. This is not good in the long run, as the information security team might not get the support needed to implement new improvements. Instead, focus on creating a win-win situation, with all employees working for the benefit of the organization.

Organizations can create, customize, and tailor their tracker templates. They can be created and maintained quarterly/half-yearly/yearly. It will help the implementation team to know how many improvements were implemented during a certain period and how much time on average it takes to implement one improvement. This data will help the teams analyze the progress made so far.

Performing Regular Audits/Reviews

After implementing the improvements on a regular basis, the audit becomes an important exercise, as it will also help you assess whether improvements have helped the organization and will continue to do so in the long run. You want to determine whether it’s sustainable and whether these improvements have given birth to new opportunities for new improvements.

The audit also becomes important because it allows you to look at the practices followed by the vendors who work for your organization. These vendors deliver secure products and services to your organization’s clients/customers. Hence, regular audits will help your vendors identify their gaps, of which they might not be aware.

From the vendor compliance perspective, it also becomes important to do regular vendor risk-assessment exercises. These exercises will help you ascertain whether the security controls implemented by the vendor are enough to protect not only your organization’s information but also your clients’/customers’ information. Any information security breach, however small, could impact the organization’s brand or image.

When your project or contract with the vendor is completed, and your organization no longer needs the vendor’s services, you need to conduct an audit at the vendor site to ensure that none of your or your clients’ confidential information remains stored on their systems/machines or in paper documents.

This should be part of your contract with the vendor: your organization has the right to conduct an audit/review on a regular basis. Also, if your organization finds any discrepancies in the vendor’s processes, or the vendor does not fulfill the terms of the contract, you have a right to conduct an audit. This will remind the vendor that they need to abide by the terms and conditions of the contract. They then understand that any compliance issues could lead to a penalty or contract cancellation.

Audits could also become important at your organization. Your client/customer might request an audit of your organization’s processes or office premises before awarding the project/contract to your organization, in order to check whether enough security controls are implemented to support them. Your client could also do those audits midway through the project if they find discrepancies in your processes in terms of securing their information. Hence, to be ready for such scenarios, it is important that your organization conducts internal audits/checks/reviews regularly.

Summary

This last chapter focused on the importance of identifying ongoing improvement areas after the external audit certification exercise. It covered the various sources you can use to identify needed improvements, what your execution plan should be to implement the improvements, and why you need to conduct regular audits/reviews. All these steps will help maintain the information security management system in your organization and help you attain greater benefits in the long run.

This chapter concludes the book. It’s our hope that this book has not only given you theoretical knowledge, but also provided many tips for managing your ISO 27001 audit successfully.
