Continual improvement of an ISMS (or any ISO management system) should yield tangible results for the organization.
But what does “continual improvement” under ISO 27001 look like?
If you’re meeting the management system requirements and implementing all required controls, what actions should you take next to demonstrate a commitment to continual improvement?
Overview of Clause 7.2
Clause 7.2 is a natural fit for continual improvement. It requires the organization to determine the competence needed by the people doing work under its control that affects information security performance, and to ensure that those people actually are competent.
Adjusting your approach to Clause 7.2 not only demonstrates a commitment to continual improvement, but also helps position your organization to meet security objectives, address change, and maximize return on security investment.
The basic requirements of Clause 7.2 are to:
- Determine the competencies required of the people whose work affects the ISMS
- Assess the competency present in the organization, on the basis of education, training, or experience
- Oversee the remediation of any competency gap, evaluate whether the remediation worked, and retain documented evidence of competence
Note that Clause 7.2 is essentially the same in ISO 27701, ISO 22301, and ISO 9001, because these standards share the harmonized high-level structure used across ISO management system standards. That reflects the core importance of competence to the success of any management system.
Organizations implementing an ISMS for the first time can often leverage existing procedures to demonstrate a minimum level of compliance. More mature organizations, however, may benefit from a rigorous approach to Clause 7.2.
Implementing Clause 7.2
Let’s break out the three steps above into more detail:
The first requirement of Clause 7.2 is to determine required competencies for the ISMS. Job descriptions, for example, are a great start. However, Clause 7.2 is ultimately looking for a more strategic approach to competency. This often starts with a formal process to identify the key skills for the success of the ISMS.
During this process, organizations may interview various stakeholders and hold brainstorming sessions to define the most important competencies. This analysis should be comprehensive, covering technical skills, soft skills, business skills, and more, and it should rank the skills by priority so that later gap analysis focuses on the ones that matter most.
Assessing Current Competencies
After determining the required competencies, you are ready to assess your organization’s current skills.
Employees and stakeholders will evaluate their current competency level in the areas defined above. The assessment may be performed through a combination of interviews, management assessments, self-assessments, or third-party tools.
The output of the assessment will help you identify skills gaps that should be addressed. Gaps may be treated in a variety of ways. Some gaps, such as a lack of technical skills, may be best remedied through training.
In other cases, a mentor or coach can help the employee develop in a particular area. The assessment may also identify a need to hire additional resources. Whichever treatment you choose, Clause 7.2 also expects you to evaluate whether it actually closed the gap.
Each step should be documented, since the clause calls for documented information as evidence of competence. Typical audit artifacts include a library of required competencies, a current skills inventory (self-assessment or independent assessment), individualized training plans for relevant individuals, and records showing that planned training was completed and its effectiveness reviewed.
Benefits of Adoption
Clause 7.2 falls near the tail end of the "Plan" phase of the plan-do-check-act cycle as it maps onto ISO 27001 (Clauses 4 through 7). After competencies and resources are addressed, Clause 8 (Operation) moves into "Do."
Consideration of competency in conjunction with other elements of ISMS planning helps ensure that resources are adequately trained to meet the current security objectives.
In addition, a strong approach to Clause 7.2 helps organizations adjust to change strategically. While job descriptions and security awareness training are important tools for acquiring competencies, they tend to stagnate and fail to keep pace with changes in the organization or its external environment.
Organizations that frequently assess required competencies during the planning process can ensure that the personnel affecting information security performance are attaining skills that will match the changing environment.
Finally, investing in competency recognizes that people are at the heart of a successful ISMS. The information security market offers an endless list of tools that automate functions, enhance security, and generate the data needed to protect information assets.
However, the successful operation of these tools depends on the people who implement and manage them. The value you realize from these tools, and ultimately from your ISMS, depends on the competency of those individuals.
How can your organization benefit from taking a deeper dive into this area?