The IT Governance Consultancy team has got together to provide some top tips for implementing and improving your management system, whether it be focused on information security, business continuity or some other discipline.
1. Get management commitment
Senior managers have to get on board – they have got to ‘walk-the-walk’ as well as ‘talk-the-talk’. Management at all levels should be there to help and not act as a deterrent. This means being committed to the project from an informed position – understanding what pain is going to be involved as well as signing up for the benefits.
2. Create a detailed programme schedule and review it regularly
Define an appropriate timescale and allocate sufficient resources for the project which will not over-stretch individuals within the team. An unrealistic timescale is likely to result in failure, but equally an overly generous one may result in a lack of urgency and focus.
3. Ensure you have the right team members
When building your Project Team, ensure it contains the appropriate members. Source the appropriate team members and where possible remove individuals who pose the greatest resistance to change.
4. Secure active collaborators for your management system, across all parts of the organisation from the start
Experience shows that when people are introduced to a new, ‘extra’ thing that they have to do, there is a direct relationship between how early in the process they are involved and how well they collaborate and contribute. Business continuity management, for example, is often misunderstood not only when first introduced, but also during the first year or two in its attempt to become a real part of the organisation.
Early buy-in is critical and without enthusiastic collaborators from every part of the organisation, the resulting business continuity arrangements won’t truly reflect what will be needed if, and when, a real incident happens.
5. Integrate management systems for greatest economy and effectiveness
The management system is arguably the best known way of creating and maintaining a control mechanism for both risk based and ‘business as usual’ disciplines in any organisation. Many British and ISO standards are either structured in a very similar way to those that are called ‘management systems’ or are eminently capable of being adapted either as a standalone system, or better still as part of an integrated management system.
The main challenge, and ultimate goal, is to integrate them into business as normal!
6. Ensure effective third-party management
Ensure ‘suppliers’ are appropriately managed with a particular focus on those services offered from sister/group companies which may be outside of the certification scope (e.g. Group IT, Group HR).
7. Keep the internal audit schedule up to date
This ensures you will stay on top of the system, demonstrates management commitment and stops you burning the midnight oil just before the next certification body visit.
8. Be aware what’s happening inside your organisation
Remember, not only do internal and external audits generate corrective actions and improvements, they can come from anywhere: security incidents, non-conforming products, staff suggestions, customer feedback, risk assessments, management and team meetings. The more actions that are noted, the more management are aware of what is really happening inside their organisation – it is better to know!
9. Be a good general – don’t shoot your messengers
Bad news will come – be prepared for it, accept it and move on. Don’t try and blame anyone – figure out what needs to be done and get it done without blame.
10. Focus on outcomes when addressing non-conformities
When taking Corrective Action and Preventive Action, try to focus on outcomes (much like HM Government’s Better Regulation Executive encourages with respect to regulation), rather than a tick-box approach to compliance. This means using training, education, staff awareness and performance management to address isolated areas of weakness, as opposed to defaulting to changing a policy, procedure or, worse, a checklist in isolation.
11. Finally, if you see a risk or suffer a data breach, seize this opportunity to encourage change
An organisation that is in pain – even small pain – is an organisation that will change. The window of opportunity is small. Why not use your latest data breach (or near miss), however small, to encourage investment in certification to the ISO27001 standard? This is the time for you to get real management commitment. Undertake ISO27001 training so as to either avoid the next (larger) incident, or manage it faster and with less risk to reputation.
If you want more help with any one of these tips, or any other aspect of your compliance/certification project, simply call IT Governance on 0845 070 1750 to find out more about our resources ranging from free advice, books, toolkits, training and consultancy.