If I could give some advice for all colleagues who are about to start a data governance project, I would say: Speak up! In my professional career I have seen countless projects fail because leaders didn’t know how to manage communication and expectations. My objective here is to explain how communication practices can save (or kill) information assurance programs.
In my current endeavor, managing Information Assurance at xMatters and its toolchain integration and communications platform, one of the first steps in the ISO 27001 implementation was to make sure we comply with the mandatory clauses of the standard. Clauses 4 through 10 are nonnegotiable. Clause 4.2 is fundamental, and there is a reason why “understanding the needs and expectations of interested parties” falls right under the compulsory requirements.
What does ISO 27001:2013 - Clause 4.2 say?
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.
NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.
Whenever you initiate a project, getting to know your stakeholders is the primary source of information that dictates its course. Stakeholder Management and Communication Management are core knowledge areas in project management. They help you learn about the context of your project: expectations, constraints, and assumptions. They also help you engage with the people and organizations that can assist you in mitigating risks and exploiting opportunities.
List and categorize internal stakeholders
Satisfy clause 4.2 in a structured way by creating a management matrix. List and categorize internal stakeholders by their interests, objectives, and level of engagement. You can use the following diagram as a starting point for the information to include in your own management matrix.
Internal stakeholders can be grouped by department or hierarchical level depending on your type of organizational structure (projectized, functional, etc.). You must re-assess their engagement at planned intervals to monitor the quality of your work. The frequency really depends on how big your project is. You can pre-establish monthly or quarterly reviews, or even create a revision calendar based on the top milestones.
At xMatters, we put a lot of energy into engaging our internal stakeholders and communicating with them. Communication Management is the other core knowledge area that is directly related to clause 4.2. Especially when applied to external stakeholders, it can dictate the success of your data governance project.
Here is a FREE communication plan template you can use as a jump start.
Meet the high expectations of external stakeholders
External requirements can be translated into contractual and regulatory obligations. Clients and prospects usually have very clear expectations in relation to data handling and the controls that must be in place. Being able to manage how you communicate with them, how often, on which occasions and through which channels adds an extra layer of assurance when governing their information.
Sometimes you may not be sure whether to just monitor their expectations or to keep them informed and closely manage their responses to your decisions. Measuring the level of power and interest of each stakeholder helps you make the right decision. Some external stakeholders must be meticulously observed. Regulatory bodies such as privacy authorities and health agencies, for example, can completely change the course of your data governance initiative. On the same note, competitors can dictate what the best practices are or how fast to venture into a new certification process.
As an Information Assurance Manager, balancing internal and external expectations is key. The success of our data governance initiatives is directly related to how we talk about them and with whom. Transparency is an outcome of stakeholder and communication management, a control that satisfies clause 4.2 and, finally, an essential value for any organization.