The InfoSec Blog
24Aug/11

The real reasons for documentation – and how much

The documentation required and/or needed by ISO-2700x is a perennial source of dispute in the various forums I subscribe to.

Of course management has to define matters such as scope and applicability and the policies, but how much of the detail of getting there needs to be recorded? How much of the justification for the decisions?

Yes, you could have reviews and summaries of all meetings and email exchanges...

But that is not what the standard asks for, and it has nothing to do with the standard or its requirements.

The standard does NOT require a management review meeting.
Once again we have a failure in the standard to communicate the real issue. It's not so much clouding by means of acronyms as clouding by covering up the real purpose with superficial bureaucratic process. (Naturally this appeals to reductionist cultures and places like England and India where bureaucracy is The Way of Life.)

The issue is NOT meetings; the issue is NOT minutes; the issue is NOT consensus.

The issue is ACCOUNTABILITY.

Meetings and minutes are all a means to an end. It is that end -- ACCOUNTABILITY -- which really counts. Your PowerPoint presentations, agendas, all that is just so much fluff.

If management wants the proverbial (q.v.) "Dancing Pigs" rather than security, then that's fine. It's management's business to make decisions about policy and execution. NOT YOURS.

They are the decision makers, they are the ones ACCOUNTABLE.

But come the day that the shareholders start screaming for blood, there has to be accountability, and if you don't want to face the chopping block you had better keep records to show who is accountable for those decisions.

THAT is the purpose of the minutes.

The meetings? In a way they are a form of 'dual control'. Hopefully there is not a large enough conspiracy that the people at the meeting can decide by fiat to spend on 'Dancing Pigs' rather than security; there will be dissidents, and they can 'guilt trip' others into more responsible behaviour. Hopefully. Because you might have a strong personality that bullies everyone else into a consensus they don't really want.

So the purpose of the meetings is to prevent one person (or a small group of people working 'out of band') from making decisions in a process that is neither visible nor accountable.

So please don't obsess about the method. There are other methods. Heck, in a small company this might be the owners, the CEO and CFO, husband and wife, engaging in 'pillow talk'. But there had better be a record in case of later dissent.

In my work with policy development I've seen a lot of confusion like this. People confuse POLICY with STANDARDS and PROCESS. Policy documents often omit the purpose of the policy, the benefits of and reasons for compliance, and the harm or risk of non-compliance.

It looks like we have another case of that here.


Posted by Anton Aylward
