OK let’s debunk some myths!
“This is an IT job”
This is not how to view the process because security is everyone’s job – for example everyone needs to protect his or her laptop
“It’s all about writing policies and procedures”
No – the point is not in writing documents, but in applying them in practice – e.g., if the procedure says that backup needs to be done daily even for laptops, then this is something that everyone needs to do.
“We’ll get lost in all those documents”
You won’t because we will write only the documents that are really needed – we will try to keep the number of documents to a minimum. You will also have the final say over the documents before they are published.
“ISO 27001 will only make our job more difficult”
This standard may require some new things from you, but it will help you with other things. For example, implementation of ISO 27001 will decrease the number of IT incidents, meaning that employees in the IT department won’t have to lose time on resolving those incidents. Furthermore, it will decrease the chance of someone abusing your account and performing fraud (for which you could be held accountable).
“It will be implemented in 2 months”
Implementation of ISO 27001 requires changes in behaviour, and we cannot make several changes at the same time (imagine if we published 20 new policies and procedures in a single day). This is why documentation should be introduced gradually.
“We do it only because of the certification”
Certification is one of the goals, but not the only one. Cultural change and embedding a culture of IT security within the organisation is the ultimate goal.