Typically, ISO standards contain a clause dedicated to continual improvement, however, the concept of improvement is also either explicitly mentioned or implied in various other clauses and controls of the standards. The interpretation of these suggests that continual improvement can be measured in various ways.
Read or download our free extensive Guide to ISO 27001.
1. Internal Audits
Internal audits are one way in which your organisation can measure ISO 27001 Continual Improvement, whether you have a mature management system in place or you are working through your implementation. Evaluating your level of compliance with the requirements of the standard through internal audits will highlight areas of improvement and should also force you to formally record, assign and track remediation to a satisfactory conclusion, thus ensuring a high level of commitment to improvement.
If you are already running a stable information security management system, you will be conducting regular internal audits, whether the process is managed internally or is outsourced to a third-party organisation.
You may be thinking “internal audits and outsourced third party don’t belong in the same sentence” but it is a common misconception that internal audits have to be conducted by the organisation for the organisation. Indeed, internal audits can be outsourced to specialist companies, including Evalian – learn about our internal audit services.
Depending on how well your information security management system is maintained, you may fly through an internal audit with no findings, although more realistically, you can expect that the audit will identify opportunities for improvement and possibly non-conformities.
Organisations often worry about internal audits. In fact, these should be seen as a valuable tool to leverage management support, and potentially investment, effectively achieving a higher level of compliance through enhancements to your management system.
2. External Audits
External audits conducted by a UKAS accredited Certification Body can also help to identify areas for improvement as, like in an internal audit, the auditor will seek evidence of compliance with all clauses and controls. Where non-conformities or opportunities for improvement are identified, you may need to present an action (for which read ‘improvement’) plan to demonstrate how you intend to implement suitable remediation to still certify to ISO 27001, or indeed retain your existing certification.
3. Risk Management
The purpose of risk assessments is to not only identify risks to the organisation but to also evaluate the impact of those risks and determine what treatment may be necessary to reduce exposure, impact or indeed both. Arguably, the management of risks should therefore be viewed as a way to identify and implement improvements in the organisation.
A well-documented and well-maintained risk log or risk register will provide solid evidence of how your risk management methodology is being used to promote improvement.
4. Management of Non-Conformities and Corrective Actions
Non-conformities are a very helpful way to identify which parts of your information security management system may require improvement: not only because they lead to corrective actions being implemented which, by definition, improve the management system overall, but also because the standard requires that a root cause analysis be conducted to prevent a recurrence of the non-conformity. The ISO 27001 standard does not prescribe any specific method by which non-conformities should be managed and corrective actions implemented, however it does make it a requirement that a process to do so should be documented.
5. Management Reviews
Via mandated periodic management reviews, top management assesses the efficiency and effectiveness of the information security management system, reviewing standard agenda items to help highlight trends, issues or even gaps in the management system, thus providing an opportunity to discuss and agree on improvements and planning for their implementation.
ISO standards are rather specific as to what management reviews should consider. This includes, amongst other things, actions from previous reviews, the adequacy of key policies, changes in internal and external circumstances and to stakeholders (aka interested parties), feedback from customers, results of internal and external audits and business continuity tests, and, most importantly a reassessment of the organisation’s risk appetite and landscape.
By conducting minuted management reviews, top-level management can evidence their commitment to lead by example in enforcing a consistent application of the management system throughout the organisation, ensuring that any improvement opportunity is carefully assessed, recorded, and implemented within agreed timeframes.
6. Information Security Objectives
Where an organisation will typically use their ISO 27001 continual improvement plan to record and track short to medium-term improvement activities, medium to long-term goals are often logged separately.
This is because they tend to be strategic, rather than tactical objectives that may potentially affect operations across several parts of the organisation, and also because they may require significant investment in resources, time, and funding.
Agreeing to SMART objectives may also enable trending and the monitoring of objectives over a lengthy period of time, thus providing valuable information as to the usefulness of the objectives and the effectiveness of their implementation.
Training is essential in ensuring that everyone within the organisation has the appropriate knowledge, skills and competencies to understand and manage information security in the context of their role.
In our opinion, training should aim to:
- Present the ISO 27001 standard and its key requirements to help put the various policy components of the information security management system into context;
- introduce new and revised policies to employees and remind them of existing ones;
- re-iterate the consequences of non-compliance;
- ensure that employees are clear on their roles and responsibilities in relation to information security, and on their involvement in the support of the information security management system.
Achieving the above will help the organisation promote consistency, which in itself should improve how it operates and deliver.
Training should be delivered to all new starters systematically, and to all employees at least on an annual basis to help embed information security within the culture of the organisation. Management should also consider it appropriate to deliver training to non-permanent employees, or at least tailor the training to the requirements dictated by their role.
8. Security Weaknesses, Events and Incidents
Let us first remind ourselves that information security weaknesses and incidents are not just IT-related: they may highlight an HR screening process that is not comprehensive enough, an unreliable intrusion alarm, or disadvantageous contractual agreements with suppliers.
Having appropriate controls in place, whether manual or automated, to identify, report on, and investigate security weaknesses, events and incidents do without a doubt lead to supporting continual improvement.
If carefully formulated and properly implemented, such controls should encourage employees to take a proactive approach to the management of security weaknesses and incidents, whatever their nature, by recognising weaknesses early and hopefully before they escalate to incidents. This should give the organisation time to investigate and address symptoms, and hopefully conduct root cause analysis to prevent further occurrences.
9. Compliance Reviews
ISO 27001 continual improvement may also be achieved through the identification and monitoring of legal, regulatory and contractual obligations that may be relevant to the organisation. By keeping itself informed of legal and regulatory requirements, either directly or through specialised service providers, the organisation will protect itself from unwanted scrutiny, potential fines and other financial penalties, but also from reputational damage. Similarly, by monitoring its delivery against contractual and service level agreements the organisation will also avoid potentially costly penalties.
Where breaches do occur, the continual improvement process should ensure that these are remedied as soon as practicable and that measures are implemented to prevent a recurrence.
10. Improvement Plans
Creating and maintaining an ISO 27001 continual improvement plan is a very helpful way of logging and tracking improvement actions within your organisation.
The format of the improvement plan is unimportant as long as it works for you. Whether it resides in a simple spreadsheet or a fancy tool, ultimately its main purpose should be to provide a one-stop shop for all identified improvement actions, whether these originated from incidents, audits, business continuity exercises, document and process reviews, or employee suggestions.
To be effective, all actions should have an owner, a target review date and a target completion date. Actions should be periodically updated and should be documented as opportunities for improvement or non-conformities. When an opportunity for improvement is closed, the implemented remediation should be recorded. When a non-conformity is closed, the evidence of a root cause analysis should be documented to demonstrate that measures have been implemented to prevent a recurrence.
Click the image below to download your FREE handy guide for tips on ISO 27001: 10 Ways To Continual Improvement.
If you are thinking of gaining ISO accreditation, we’re here to help wherever you are on your decision path. We can help with an initial workshop, carry out a full gap analysis, support your ISO project or manage your management system for you.
If you’d like to understand more about our ISO services, we’d be delighted to hear from you. You can find out more about our services here.