vitormaleite

[ISO/IEC 27001] - (Requirement 5) - Leadership

Updated: May 5


After introducing the standard and its structure in the previous article, today we'll begin to "run" the PDCA cycle, starting, of course, with the Planning phase. The standard has a well-organized structure, but I'll take the liberty of beginning our discussion with requirement "5.1 Leadership and Commitment."


And why start with this requirement? Precisely because an Information Security Management System (ISMS) will only achieve its objectives with the support of Top Management. It's no coincidence that I've said before that Top Management needs to act like "parents."


Top Management must demonstrate its leadership and commitment to the ISMS. But how can this be done?


Information Security Policy aligned with the company's strategy (Requirement 5.1 a), b) and h))


The High-Level Information Security Policy, which we will cover later in this planning phase, is the most suitable place to formalize the objectives Top Management expects the ISMS to achieve. These objectives must align with the company's strategy.


Obviously, Top Management won't stop to write this Policy themselves. Instead, you and your team draft it and then present it in a meeting where they can assess whether it meets their expectations. Together, you will arrive at a final version of the Policy that fits the company.


Provision of Resources (Requirement 5.1 c) and 7.1)


The resources needed to establish, implement, maintain, and continually improve the ISMS must be ensured by Top Management. The budget planning for the upcoming year, where each area's managers present their needs, is therefore the moment when money is "set aside" to invest in new technology, employee training, or hiring new staff for any of the teams throughout the year.


Of course, things may not go exactly as planned; new needs may arise along the way, and the possibility of investing in them will be analyzed in the same way.


Ensure that the ISMS achieves the intended results (Requirement 5.1 e))


Strategic meetings, manager meetings, committees, or Critical Reviews (the "Management Review" of the standard's English text) are examples of occasions where Top Management's participation is essential to provide direction and to ensure that the ISMS is achieving the results expected of it as described in the High-Level Information Security Policy.


Communication of the importance of the ISMS (Requirement 5.1 d), f) and g))


Company-wide general meetings are a good opportunity for Top Management to encourage everyone to engage with and respect all ISMS policies, standards, processes, and procedures. After all, people, the human factor, are the ones handling and processing information daily, and they need to feel part of the whole and understand their responsibilities for the company's and clients' information.


I mentioned general meetings as an example, but this can be done through any other means. It's important to remember that ISO 27001 is not prescriptive: it states what needs to be done, and how to do it is up to you and your company to decide.


Now that we have the support of Top Management, we need to move on to formalizing the Organization's Context, which is covered by Requirement 4 as a whole. But we'll do that in the next article.


Until then!


: )
