1- How to identify internal issues?
- Get the right people in a room or on the phone and start the conversation!
- Identify interested parties, set a scope, document your objectives, build an asset inventory and do an information security risk analysis before developing suitable policies and controls in line with the Statement of Applicability.
2- Examples of internal issues:
2.1- Information as assets that are internal issues affecting ISMS outcomes:
What information is created, handled, stored, managed and of real value for the organisation and its interested parties (in line with the stakeholder analysis you’ll do for 4.2 next)? Personal data, sensitive customer ideas and IPR, financial information, brand, codebases etc?
This is right at the heart of the ISMS, where the information assets are the foundation for everything else; identifying these assets early on also makes the information asset inventory management easy for Annex A.8.1.
Then consider potential issues around the information itself – in particular confidentiality, integrity and availability, taking into account the other areas below as you go for triggering ideas of where the issues might be found.
2.2- People related internal issues that might affect the intended outcome of the ISMS:
It’s no surprise that human resource security is an important part of the ISMS; indeed, Annex A.7 is devoted to it, and all the subsequent policies, controls and management are likely to be designed with people in mind, both internal employees and external resources such as suppliers.
2.3- Organisational internal issues affecting ISMS outcomes:
As an example, fast growth brings issues of staff and structure that might affect understanding and knowledge of the policies, or things may change so quickly that you can’t easily bottom out detailed and consistent processes.
Are there organisation leadership, board or shareholder pressures that will cause issues (these can be positive as well as negative)? International operations will bring different cultural norms for the people involved.
Another internal issue associated with people and the organisation might be that you don’t want many of them employed, or struggle to find good ones, and so rely instead on outsourcing. That brings a need for suppliers (and staff in the suppliers), so it’s an issue to tie in with the interested parties analysis you’ll do in 4.2 next.
2.4- Products & Services internal issues that might impact the ISMS outcomes:
What are the products and services delivered by the organisation, and what sort of issues emerge around them that might cause information risk? For example, if the organisation is an innovator and IPR protection is important for product leadership, it’s an issue that needs consideration in the ISMS.
If the organisation relies on large physical property, e.g. as a manufacturer, that will probably bring more physical security issues, whereas a small cloud software provider might be much more focused on issues like IPR protection from digital hackers and the issues surrounding the dependency of its product success and assurance on hosting suppliers etc.
2.5- Systems and Processes as internal issues that affect the intended outcome of the ISMS:
People often think about computers and digital technology when the ‘system’ word is used. However, manual and paper-based systems are also key areas for issues to emerge, so remember to consider those too.
Each of the areas bucketed above will have systems and processes involved in it; these might be implicit (we have always done it that way and never documented it) or could be wrapped up in a mass of documentation that no one could ever follow. Having considered the IPOP areas above, think about the systems and processes internal issues around them. For example, if you are hiring staff regularly but don’t have a formal process and systems that demonstrate evaluation and screening from an information security perspective, you have an issue (not least because of Annex A.7 of ISO 27001).
One issue is that you might be hiring people who will become the enemy within, either through ignorance of information security or because they are a saboteur and you never considered that. It’s the same with all the systems and processes across the organisation that are in scope for information assurance: what sort of issues emerge where the confidentiality, integrity or availability of the information might be under threat?