The InfoSec Blog
29Jun/12

Control objectives – Why they are important

http://blog.iso27001standard.com/2012/04/10/iso-27001-control-objectives-why-are-they-important/

Let us leave aside the poor blog layout, with Dejan's picture 'above the fold' taking up too much screen real estate. In actuality he's not that ego-driven.

What's important in this article is the issue of making OBJECTIVES clear and communicating them (i.e. putting them in your Statement of Objective, what ISO27K calls the SoA) and keeping them up to date.

Dejan Kosutic uses ISO27K to make the point that there are high level objectives, what might be called strategy[1], and low level objectives[2]. Call the latter the tactical or the operational level. Differentiating between the two is important; they should not be confused. The high level, the POLICY OBJECTIVES, should be the driver.

Yes, there may be a lot of fiddly bits of technology and the need for the geeks to operate it at the lower level. And if you don't get the lower level right to an adequate degree ("enough"), you are not meeting the higher objectives.

Why do I say "enough"? Well, that gets back to the issue of 'reality'. They say no plan survives contact with the enemy and that engineering is the art of the possible. Engineers probably have to make more compromises than politicians! The reality of any business is that things never go 100% the way you want. You just have to make sure there's enough 'slack' in your plans that you can live with what you can achieve and adapt to changes. Isn't that what "management" is about?

But without starting from, and keeping continually in mind, those higher level objectives you can't work the lower level. There should be a modern version of the 'kid in a candy store' idiom for the geek-minded let loose in the candy store of technology that can be downloaded from the 'Net, both FOSS and limited-use demo. Lots of activity, but without the clear SoA it gets back to ...

Well, is there any other single word for something that means 'unproductive' and 'self-indulgent' that doesn't have sexual connotations? Yes, I know many people have put further education in the Arts into that category, but leave that aside. I agree with Aristotle that while the kind of public education that Sparta had was good in principle, its limited focus (militarism) was not. Just so, if we give up on research we lose out. Think, for example, how totalitarian regimes (you know the ones I mean without me hitting Godwin's Law) would have treated "cripples" like Stephen Hawking and other such people who don't actually produce anything: no patents, no improvements. Granted, people like Frederick Winslow Taylor had a very limited view, one that would mean that if a worker realised that by re-arranging the shop floor layout or by altering the work rotas productivity could be improved, that wouldn't be allowed[3].

All too often "What gets measured gets managed" works the other way round: it gets applied bottom-up rather than top-down, and de-couples from the SoA, if there was one. Things get measured because they can be, not because they have value in managing to meet the SoA. I'm sorry to say that many people can only think in terms of numbers: the archetypal 'freshly minted MBA'. And some people never let go of their obsession with 'by the numbers'.

What does this all add up to? Any really good manager will tell you that success is not about focusing on the numbers, the technology, the "market", but about people. Perhaps a good tongue-in-cheek example of this is in the movie "Kinky Boots". Any number of business success books give other examples, but one thing they make clear: in order to deal with people you have to have clear objectives. Yes, they may have to be revised (see above about military plans), but you are not going to get people - be they investors, employees or customers - committed, and, as some writers put it when talking of companies like Apple, "deliriously enthusiastic", if you can't communicate the SoA.

[1] "Decrease the number of information security incidents by 50% in the next year", or "Get at least 5 new clients in the next year because of the ISO 27001 certificate", or "Decrease the security incident costs by 70% in the next year".
[2] "We want our firewall to stop 100% of unwanted network traffic"
[3] And that applies as much today for white-collar workers as it did for blue-collar workers a century ago. Examples on request.

Posted by Anton Aylward
