Writing an Information Systems Security Policy (ISSP) is a complex exercise that depends on a balance between the strategic vision of management and the missions of the CISO. When that balance is lost, the ISSP risks being poorly written, and a poorly written policy is poorly applied, hard to apply, or simply inapplicable. The involvement of management is therefore essential to drafting it well.

The ISSP is a strategic management document, not just a technical one. It must reflect the position of top management on cybersecurity. The ISO/IEC 27001 and ISO/IEC 27002 standards state clearly that the information security policy must be established, defined, and approved by the highest level of management of the entity. Management must therefore be proactive in designing its ISSP: this is not an exercise in delegation but a genuine political responsibility to assume. Example: in the health sector, instruction SG/DSSIS/2016/309 was addressed in 2016 by the Ministry of Social Affairs and Health to the directors of the Regional Health Agencies (ARS), not to the CISOs of the ARS.

A frequently criticized lack of involvement

In practice, when employees and SSI (information systems security) managers are asked about the drafting of the ISSP, it is often a bad memory for them. Either management was totally uninterested in the subject, or the writing turned into a political tug-of-war between management and the SSI team. “The problem with the ISSP is that management is unfamiliar with the thinking behind the ISSP. Our management, for example, asked us to write it within two weeks, while we are sorely lacking in human resources, without getting involved or giving us strategic and political choices coherent with our structure,” confide two employees working in the SSI team of a French public university.

This lack of involvement and this ignorance of the thinking behind the design of the ISSP, in private and public institutions alike, leave CISOs and SSI employees isolated in the drafting process. “There is real collaborative work to be put in place, because strategic management decisions cannot validly be delegated to the SSI team. Management must be aware of what is at stake in their collaboration, in both the reflection and the drafting, because they have a global view of the entity that a single CISO generally does not have, and the duty to protect it,” the two employees continue.

Consequences of this lack of involvement

In any case, not getting involved in the drafting of the ISSP does not allow management to escape its responsibilities. Whether the drafting of the ISSP stems from a legal obligation (as for health establishments) or a voluntary one (soft law, for example an ISO certification), management can expose itself to liability for management fault if harm and a causal link to its non-involvement are established where its involvement is required.

Thus, not getting involved in, or refusing to write, an ISSP increases the risk that management's liability will be engaged. Management therefore has every interest in getting involved in order to limit its liability within the scope of its missions. It should also be noted that when management does not take part in drafting the ISSP alongside the SSI team and the other relevant departments, it sends, in practice, the wrong managerial message.

At a time when digital security is a critical concern, management's absence from the drafting of the ISSP signals to the majority of employees that cybersecurity is a marginal issue. This disinterest undermines the collaborative writing of the policy and the commitment of employees to applying it properly.
