Know thy business architecture
As a member of the C-suite at your organization, you own the business. The products and services you put together are fuelled by your ideas. The business carries a strong touch of you.
By way of example, your business may have its own app. It is like no other app in the world, because it is yours and it carries your touch.
Get to know, at an intuitive level, what that touch really is. It helps you understand what your business is all about. Develop a very clear idea of that X factor.
When you do that, you can visualize what your business really needs in order to function. That picture will be high definition, and it is one you can rely on to know your business architecture: in other words, the technological juice your business runs on.
In fact, this is what ISO 27001 helps you with. It may look like a very rigorous standard, but its opening requirements (understanding the organization and its context, and determining the scope of the ISMS) ask for exactly one thing: when you are defining your business architecture, first know how distinct your company is.
Take an example. A service provider whose main offering was digital networking came up with an app that let customers choose what kind of network they wanted; the company then personalized the network for them through that app.
The company knew what made it unique. That helped it get its picture of its business architecture right the first time.
You need to draw a line
Once you know exactly what your architecture comprises, stick to it. Remember, that is the bread and butter of your business. It is prudent to strictly label anything more as an excess.
The reason is simple: anything beyond what is necessary adds to your pile of risk.
Excess equipment, for example, may lie around unmanaged. It can be used to pull data out of the equipment you do need, and those files could end up being misused. Or it could be physically removed from your premises and end up as a target for a ransomware attack. The common thread is that anything not on your asset inventory is also not being patched, monitored or securely decommissioned.
ISO 27001 helps you with the risk part of this through its risk assessment requirements. Beyond that, you should declare your boundaries: what you need, and what you really do not. Not only does that simplify things, it also establishes the true core of your business at another level.
The digital networking company mentioned earlier had not only a policy, but also an unwritten, intuitive rule: everything it needed, for instance every app the business used, whether internally or for customers, had well-defined interfaces and worked together as one cohesive unit. That way, it became easy to know what lay within the company's purview and what did not.
And the cycle continues...
Ongoing management is necessary to ascertain two things at any point in the future: one, that you still carry forward what your touch means to the business, and two, that it is just that, and nothing else, that your business runs on.
This has another plus: your ISO 27001 programme stays on track, and it becomes easy to verify that it is still on track, which is exactly what the standard's internal audits and management reviews ask you to show.
The digital networking company could keep that cohesive, well-oiled engine running because of this ongoing monitoring. Its leadership remained invested in the business architecture and was therefore able to keep a close watch on the company's risk profile.
Conclusion
No ISO 27001 programme is complete without the full support of business leadership. In fact, to obtain ISO 27001 certification, you must demonstrate full business stewardship of the programme; the standard explicitly requires top management to show leadership and commitment to the ISMS. Knowing your business architecture is always the first step, and with it the battle is half won. Sticking to it and avoiding excesses on an ongoing basis is the other half.
Get going with our ISO 27001 courses!