When it comes to cyber security, quality professionals often struggle to define their roles.
Do they have responsibility, or is it the Chief Information Officer's job - if their business even has one?
In other words: who does what?
Clearly defined and understood responsibilities are key for functional cyber and information security - so it's worth taking the time to get your colleagues in position.
This starts with identifying exactly what needs to be done.
Cyber security is flexible
ISO 27001, the information security standard, was designed to apply to businesses of all sizes and sectors.
As such, it doesn't mandate that a business assign a chief information officer, or even an information security officer, since small businesses may not have the need (or budget) for one.
And because of that, it doesn't mandate a specific 'cyber security' job role with designated responsibilities.
This consideration of how businesses vary has made cyber security management a fairly flexible practice. It is up to your business to decide how best - and who is best - to manage your cyber security.
The first question is: who decides?
The Annex SL framework common to all modern ISO standards emphasises the importance of leadership demonstrating commitment to the quality agenda - and ISO 27001 is no different with regards to securing your business's information streams.
So responsibility for choosing your cyber security team rests with your senior business leaders, right up to board level.
The second, and most important, question is: how should businesses decide?
Start by breaking down what exactly cyber security entails.
This will allow you to identify the personnel best suited to each component of your cyber security, and pinpoint what sits within the quality department's responsibility and what does not.
View cyber security as an interlocking set of practices, policies and plans, not just a box to be ticked by one member of staff.
The ten pillars of cyber security
Good cyber security processes will touch every corner of your business.
Documenting where and how cyber security will be enforced will let you designate the right person for each area.
Here are some of the key cyber security activities and sub-activities.
- Protection of IT architecture: laptops, PCs, mobile devices, computer networks and other communication channels
- Authentication methods, password policies, encryption methods, firewalls, data leakage protection systems, patching, encryption, vulnerability scanning, pen testing
- Proposing and enforcing rules for secure working online
- Reviewing alerts and logs, and correcting potentially harmful behaviour
2. Incident management/business continuity
- Receiving and reviewing information about cyber security incidents
- Coordinating the business impact analysis process and the creation of cyber disruption response plans
- Coordinating exercising and testing
- Performing post-incident review of the recovery plans
3. Third parties
- Performing risk assessment for outsourced cyber activities
- Defining security clauses, commitments and guarantees for contractual agreements
- Defining how to communicate cyber security policies and procedures internally
- Preparing communication plans in the event of a cyber security incident
- Ensuring that security CAPAs are performed successfully
- Defining required security features of Internet services and principles for secure development of IT systems
- Auditing policies and controls for non-conformances and opportunities
- Developing the list of interested parties and their requirements related to cyber security
- Facilitating contact with authorities (such as the ICO or industry-specific regulators) and special interest groups
- Ensuring company-wide compliance to cyber security policies and procedures
- Creation, review and update of cyber security documentation: information security policy, classification policy, access control policy, acceptable use of assets, risk assessment and risk treatment methodology, statement of applicability, risk treatment plans
8. Risk management
- Teaching employees how to perform risk assessment and raise risks
- Coordinating the risk assessment process
9. Relationship with top management
- Communicating the benefits and associated risks around cyber security
- Proposing cyber security objectives
- Proposing security improvements and corrective actions with budget and required resources
- Reporting key requirements of interested parties
- Performing background verification checks of job candidates
- Preparing cyber security training and awareness plans
- Raising awareness
- Performing cyber security induction training
- Imposing disciplinary action in the event of a deliberate or negligent breach
Spreading the load
Looking at all these activities together, you can start to devise how they are allocated among the various departments of your business.
The technical components of cyber security, for instance, will obviously fall to your technical director, tech team and/or your IT team.
Third party and contractual considerations will fall to your procurement team.
Your comms team can ensure your internal communications are geared towards cyber security best practice.
Employee checks, training and awareness will fall to your HR manager or departmental line managers.
While the traditional remit of the quality department - risk, documentation, business continuity and compliance - can all be applied to support cyber security.
All this is to say that cyber security management is varied and multi-faceted.
Even if your business does have a dedicated information security officer, considering the steps that are needed and spreading the load to those best suited will help embed good cyber security much more effectively than simply allocating it to one person.
When looking to answer "who does what?" in the cyber security space, you should first consider the what. This will tell you the who.
Download our free ISO 27001 toolkit and access tips, tools and resources for building a world class information security management system.