Beyond ISO 27001 – Responsibility, Authority and Accountability.


Nobody doubts that ISO 27001 is a great blueprint for information security management and goes a long way towards codifying industry standards. But, as a set of specifications last updated in 2017, does it still really inform best practice and present the true cyber risk appetite of an organisation? Or does it mask the true cyber posture of an organisation by confirming that it has a risk management process, rather than reviewing the actual cyber risk it is prepared to accept?

Given the ever-changing dynamic of cyber security, it is time for industry professionals to interrogate businesses across an additional subset of cyber management and policy questions. These must be framed to determine who has responsibility, authority and accountability in the case of cyber risk. Otherwise, are current industry standards merely creating a theatre of cyber security?

Who in the organisation owns cyber security?

Ask most business users ‘who owns responsibility for cyber security’ and the answer will almost certainly be ‘IT’. Without doubt, cyber security is something any business would expect its IT department to understand and provide.

But what is the responsibility of the IT Manager? Is it simply data protection and systems compromise, or does it run through a spectrum of risks that include regulatory consequences, reputational damage, and the risk of significant costs? Does ISO 27001 answer these questions?

Who in the organisation owns the authority to frame policy?

All businesses have IT policies. But few IT departments have input into framing broader business policy. One of the issues with any cyber security audit is getting into the room those people who are stakeholders in the business at large: not just in terms of the pain and time consumed in the case of a data transgression, but the ‘on costs’ in terms of reputation and regulatory risks.

Issues of policy are ‘business at large’ concerns, almost certainly above the pay grade of the average IT Manager. Yet it is straightforward for an IT department to meet the ISO 27001 requirement without the bigger question ever being asked: who holds the authority to determine the implications of cyber risk or a data breach for the broader business?

Who in the organisation owns accountability for cyber risk?

The biggest question that any industry professional has to determine, when carrying out a cyber security assessment, is who is accountable for the business appetite for cyber risk? When all aspects (reputation, regulation, remediation and costs) are considered, with whom does the buck stop?

To truly assess risk, the most important thing to ask is: whose risk is it? ISO 27001 might ask how a business is prepared for risk, and how it might respond to it, but does it get to the heart of who is truly accountable if push comes to shove? More importantly, do they understand the implications of their accountability?
