So, what do you do?

We have started an ISO 27001 initiative. After some activities like, defining the quality policy, risk assessment methodology etc. we started identifying Information Assets. 

Finding out the information assets used by everyone sounded very simple, only issue I could foresee was unavailability of people due to work pressure. All everyone has to do is fill a form!

There were two problems of this,

1. People forget things, specially routine work.
2. People need a way to know they are done

A tool is needed.

Ideal tool for this situation is a MindMap. I added some questions to guide the identification process.

What are the tasks you do?/ What are your responsibilities?

What information you need  to do the task?

From where do you get this information?

What information do you create with this task?

Where do you store the information?

Is there anyone helping you with that? if so ask same question form them.

Did you read the spec?

In my utopia everyone does what they are supposed to do...

One who is supposed to buy groceries would buy them on time
One who is supposed to pay bills would pay them on time
Specially one would review the requirement specs before start working on it.

Stakeholders not reviewing specification is a problem with very long history...
Owners, Developers, testers of the product will skim through the document, either because they don't have time or because specs are lengthy, sometime both.

How would you respond this is situation?

So far we have tried,
Walk-through
Better engagement

More on them in next posts...