Maturing Cyber Security

A maturing Cyber Security Program is music to my ears.

Last week, I was assisting a client in a friendly audit of their readiness to certify to ISO 27001:2022. We ran a series of sessions covering each applicable control, allowing the client to demonstrate management's commitment to the control objective and their evidence of its implementation. ISO certification readiness would end up being the sum of the parts.

It reminded me of learning to play the guitar in my youth. We started by playing a single note, then progressed to playing a simple sheet of music at a slow rhythm. Eventually we progressed to chords (combinations of notes) and complex music. I never progressed to composing music; the artists and my music teacher were my guard rails. Significant improvement was observed in the 6 months since I had last seen the client. Their music was getting better.

Effective consultancy approaches Cyber Security adoption the same way as learning how to play music. We start by picking the composer, the standards body that best matches the organization; in my recent client's case, the International Organization for Standardization (ISO). Then we select the specific sheet of music for managing Information Security: ISO 27001:2022.

The standard is not an easy read and requires Cyber Security advisory to set the table. A risk assessment, and the Statement of Applicability that follows from it, scopes the controls to be implemented, and a set of policies clarifies management's control objectives. The client is boxed in, so to speak: become intimate with the policy and be ready to demonstrate how you have implemented the controls.

The composers of the standard did not write a set of unrelated components. Maturity comes with the inter-relationships and cohesion between them; the set is more than the sum of the parts. The highest stage of maturity is reached when the organization does more than meet the standard: it uses its policy infrastructure to evolve its cyber risk management capabilities.

If your organization is just starting the journey to adopt a Cyber Security program, or wants to turbo-charge a legacy Information Security program to address the challenges that cyber risk brings, we can help.