Security Directors Should Lead By Example And Implement ISO 31000:2018 Within Their Own Department

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies. ISO 31000:2018, Risk management — Guidelines, is considered the gold standard (pardon the pun) because its principles and guidelines can be applied to any organization, regardless of industry, size or context.  Enterprise risks come in many forms, including financial, legal, regulatory, supply-chain, operational and reputational.  As self-described risk management professionals, why aren't more Security Directors championing the application of ISO 31000:2018 within their own department?  Here are 3 great reasons why they should.

  1. It Is Easier Than You Think – The principles and guidance found in the ISO 31000:2018 framework are logical and straightforward.  Chances are your department is already employing many of them, and any you are not are worth considering.  Most gaps, or so-called non-conformities, come down to applying processes consistently and documenting the key ones.  Using a security risk management application goes a long way toward addressing these common pitfalls.
  2. Global Recognition – There is a tech-industry adage: "No CIO has ever been fired for awarding a contract to IBM."  That is probably not true, but the point stands: brand matters, and there are benefits to aligning with a credible name brand.  Aligning your security risk management approach and system with a universally accepted "brand" like ISO helps win over key internal stakeholders and lends credibility to the work your team is doing.
  3. Get the Benefits – The benefits of a robust, effective and resilient security risk management department are many.  First and foremost, the department is more likely to achieve its primary objective of protecting the company's staff and assets.  When security policy and priorities are well defined, decisions on where and how to allocate resources come into focus.  Finally, departments that are process-oriented are inherently less reliant on a few key individuals to keep things moving along.  In other words, they are less affected by changes in personnel.

So, if you are a Security Director and a leader within your company, consider asking yourself, "Why isn't my department showing company-wide leadership by adopting the framework and guidelines found in ISO 31000:2018?"  The answer might be quite revealing.