While thinking about the factors that might promote BPM and those that may delay its adoption, a thought crossed my mind: if the whole information system in an organization is quite secure, and all members are convinced of it, adoption of ‘IT-enabled Management’, that is BPM, might be quicker.
In order to create such an enabling environment, it is felt that the standard ISO/IEC 27001:2005 for Information Security Management Systems may be considered for adoption by organizations.
The Standard is issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The Standard adopts the Plan-Do-Check-Act (P-D-C-A) approach for establishing the management system, in addition to promoting a process approach to information security management.
The standard incorporates the principles embedded in the OECD guidelines for information security. Briefly, these guidelines concern risk assessment, security design, implementation, management, and re-assessment.
The standard does not treat security as a ‘given thing’, but a subject that must evolve appropriate to an organization’s security requirements.
The introduction with which the standard begins puts it well:
“This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of ISMS should be a strategic decision for an organization. The design and implementation of an organization’s ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.”
The requirements comprise 32 clauses grouped under 12 major clauses.
The 12 major clauses are:
- Normative references
- Terms and definitions
- Information security management system
- Management responsibility
- Internal ISMS audit
- Management review
- ISMS improvement
- Control objectives and controls
- OECD Principles and this Standard
- Correspondence between ISO 9001, ISO 14001 and this Standard
For ease of understanding, the contents may be viewed as:
- an informative part and
- an operative part.
The operative part may further be said to contain
- core requirements and
- supportive requirements.
It must be mentioned nevertheless that all clauses are important.
Under the core requirements of the operative part, the following may be included:
- General requirements,
- Requirements for establishing and managing the ISMS,
- Documentation requirements, and
- Selection of Control Objectives and Controls (Annex A)
The clause ‘Establish the ISMS’ (4.2.1) is central. It indicates what an organization should do, including the following:
- a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology, and including details of and justification for any exclusion from the scope.
- b) Define an ISMS policy
- c) Define the risk assessment approach of the organization
- d) Identify the risks
- e) Analyze and evaluate the risks
- f) Identify and evaluate options for the treatment of risks
- g) Select control objectives and controls for the treatment of risks
- h) Obtain management approval of the residual risks
- i) Obtain management authorization to implement and operate the ISMS
- j) Prepare a Statement of Applicability.
Though the requirements are listed in a certain order, in practice they may be taken up in whatever order is convenient for implementation.
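As an added illustration (not the standard's text, and not any organization's ISMS), the following Python sketch walks steps c) to j) over a constructed risk register: a likelihood-times-impact assessment approach with an acceptance criterion, treatment and control selection, residual risks that still need management approval under h), and a Statement of Applicability under j). The scales, asset names and control catalogue are assumptions, not Annex A controls.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of steps c) to j); scales and controls are placeholders.
ACCEPTANCE_THRESHOLD = 6  # c) risk acceptance criterion: level <= 6 needs no treatment

# g) Constructed control catalogue: control name -> likelihood reduction (not Annex A ids)
CONTROLS = {"offsite-backup": 2, "mfa-admin": 2, "patch-cycle": 1}

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # controls selected for this risk
    treatment: str = "accept"

    def level(self) -> int:  # e) analyze: likelihood x impact on a 1..25 scale
        return self.likelihood * self.impact

def treat(risk: Risk) -> int:
    """f)/g) decide the treatment and return the residual level after selected controls."""
    if risk.level() <= ACCEPTANCE_THRESHOLD:
        risk.treatment = "accept"
        return risk.level()
    risk.treatment = "mitigate"
    reduction = sum(CONTROLS[c] for c in risk.controls)
    return max(1, risk.likelihood - reduction) * risk.impact

def assess(register: list) -> tuple:
    """Returns {risk: residual level} and the risks still above the criterion (h))."""
    residuals = {f"{r.asset}/{r.threat}": treat(r) for r in register}
    needs_approval = [k for k, v in residuals.items() if v > ACCEPTANCE_THRESHOLD]
    return residuals, needs_approval

def statement_of_applicability(register: list) -> dict:
    """j) every catalogue control with its applicability and a justification."""
    used = {c: [] for c in CONTROLS}
    for r in register:
        for c in r.controls:
            used[c].append(f"{r.asset}/{r.threat}")
    return {c: f"applicable: treats {', '.join(v)}" if v else "not applicable: no risk selected it"
            for c, v in used.items()}

# d) Constructed risk register for the example
REGISTER = [
    Risk("customer-db", "ransomware", 4, 5, ["offsite-backup", "patch-cycle"]),
    Risk("vpn-gateway", "unpatched exploit", 4, 4, ["patch-cycle"]),
    Risk("lobby-kiosk", "defacement", 2, 2),
]
```

Running `assess(REGISTER)` leaves the VPN gateway at residual level 12, so it is the one item that must go to management for explicit acceptance under h) before the ISMS is authorized under i).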
In my view, either a directive received from a regulatory authority with respect to information security may serve as a prompt, or a person in the organization may initiate a discussion on the subject based on trends outside and the prevailing anxiety in the organization about the security of the information system, which is seen as hindering further progress such as the adoption of BPM. This may be considered an opportunity for a BPX to take the initiative!
Such a discussion may, with people convinced of the benefits, lead to nominating a person as the Chief Information Security Officer and a Management Representative for the ISMS pursuit.
They may take up a preliminary review covering c), d), e) and f) mentioned above and establish the need and scale of security. This would be followed by the steps from a) to j) mentioned above and the ISMS would get established.
Eventually, it is hoped, the ISMS would provide reliable security, leading to a quantum jump in the usage of information system assets by all persons in the organization. This may also be expected to improve the maturity of usage, which in turn might make adoption of BPM a natural outcome.
About the informative clauses, supportive clauses, the control objectives and controls – next!