Embedding a security governance culture in your organisation
We catch up with Erin Brown, who shares some learnings from our ISO/IEC 27001:2022 certification project
In May, we were recommended for certification to ISO/IEC 27001:2022 – the international standard for information security management.
We’ve had our quality system certification (currently to ISO 9001:2015) for coming up on fifteen years, so we were well placed to prepare for and attain this certification.
Our main driver for going through the certification process was to be visibly following security best practice. This gives all our stakeholders assurance that we take security seriously. We provide security-related consultancy to many of our clients, and being able to show that we also contend with these risks, and that security is a key consideration for our own business, really aligns our priorities with theirs. Our people also know that we value the information they entrust to us.
The beauty of the standard is that you can tailor your security controls to be the right fit for your organisation: what you offer, what information you handle, your place in the market, who your people are and the specific risks you face.
In the spirit of continual improvement and knowledge sharing that we have embraced through this project, we wanted to share three tips for any other companies thinking about improving security governance and maybe pursuing certification to the standard.
Before you start and commit any resources to the project, you want to ensure that your company leadership are all on board and understand what operating an information security management system looks like – because this touches everyone in your organisation. This is not an IT, facilities or compliance project. If you are doing it properly, all people and information within your agreed scope will be impacted – the impacts are overwhelmingly positive, but it will take some time and commitment to achieve the outcomes you want.
Secondly, securing ongoing buy-in and commitment drives a lot of what’s next. For us, that looked like separating out our security governance activity from our usual wider leadership team calendar to ensure it received increased leadership focus and scrutiny, and establishing a dedicated security governance board. We have representatives from all areas of the business to ensure we have a live view of all the risks and business priorities to inform our risk assessments, objectives and planning.
The third thing is to get everyone else on board! If you wield risk controls like a weapon and take a punitive approach for any transgressors, it can be really easy for people to get disengaged. An effective message here was that security is to help them do their job confidently and the controls are your organisation ‘having their back’ while they do. Keeping the messaging positive and assuring that we trust our people with information security makes it feel like a team effort. This carried over into our certification audit, where our team – ‘business users’ who do not have key security responsibilities – willingly stepped up to talk about security to our certification auditors and were able to explain what it means in their role.
It is truly a certification for everyone in head office, and we’re all genuinely proud to have been one of the very first organisations to be certified to the 2022 version of the standard.