If you own or work within a growing or well-established organisation, you may have come across a client requirement stating you must be ISO27001 certified or aligned.
In a nutshell, ISO27001 specifies the requirements for an Information Security Management System (ISMS). The standard has two major elements: the mandatory clauses (4 to 10), which set out how the ISMS itself must be run, and the Annex A controls, which are the reference set of security measures you select from to treat your risks.
Many organisations don’t know where to start or may have a few policies and technical controls, yet struggle to get good traction on implementing the standard.
Here is a guide to the general principles which may help you in this situation.
Don’t dive straight into implementing security controls
Many organisations get their copy of the standard and start producing policies, procedures and technical controls, checking off the Annex A controls in a sporadic ‘bingo style’. This can provide some improvement and you may get there eventually, but the better approach is to spend time first on defining your ISMS scope.
Understand what you are trying to manage and protect
This is not a case of just drawing an imaginary line between the Finance and HR department. It is about understanding your organisation from a business perspective, understanding the key processes, interdependencies and really delving into the way your organisation operates and the strategic direction in which it is heading. This allows you to implement an ISMS that aligns with the business and can be developed further to provide clarity on demarcation of responsibility, particularly if you are a managed service provider.
Gain support of the board or leadership in your organisation
Like it or not, management needs to be engaged in the ISMS: the standard requires demonstrable leadership commitment, an approved information security policy and defined roles and responsibilities. However, this needn’t be an all-consuming ordeal. Understand what you need from your management team, using the standard as a guide along with your own expectations. Gaining ISO27001 certification not only helps you manage information security, but it can also enable you to win business. Get leadership on board, diarise some key meetings and prepare as much information as possible to engage them. Obtain the action you need but do not overload them with hundreds of spreadsheets.
Undertake risk assessments and understand the impact of risks
Having a solid risk assessment and management process is fundamental in ISO27001. The various methods and software available are only as good as the data you put in and the business engagement you have to support remediating any risks. Get good data by ensuring you have the right representatives and technical teams from the business. Having leadership on board is key to getting the support to reduce risk. These actions are formalised by having a documented risk assessment methodology, named risk owners and a risk treatment plan.
Select controls to mitigate risk
There are 114 controls in Annex A of the 2013 edition of the standard (the 2022 revision restructures them into 93), ranging from having an Access Control Policy through to Cryptographic Key Management. Controls should be selected to mitigate identified risks, and the selection, together with the justification for including or excluding each Annex A control, is recorded in your Statement of Applicability. You don’t have to stick only to ISO27001: you can also draw on additional control frameworks such as NIST, CIS Controls or PCI DSS and map them to Annex A, so that a single set of controls serves you if you wish to implement and certify against multiple frameworks. Applying controls to mitigate identified risks should also allow you to demonstrate business benefits to senior stakeholders.
Conduct an internal audit
Someone within your organisation, or a third party, should conduct an internal audit of what you and your team have implemented, measured against the requirements of ISO27001, to review whether the controls are operating effectively. Whoever performs it should be independent of the work being audited. The audit also provides assurance to senior stakeholders and is a mandatory requirement of the standard, as is a periodic management review of the ISMS.
Seek to continually improve and capture those improvements
All too often I see organisations making good improvements to their security posture but not focusing on communicating this out to the wider business. Information security has historically had some negative connotations, such as always applying a “don’t do this or you can’t do that” approach. Capture the good work you are doing, take some time to think how this has helped the organisation and consider providing a monthly communication on the benefits realised. This is a great way to engage the wider company and gain traction.
Consider getting external support
This is not something every organisation is able to do but gaining external support is a really good way of obtaining useful insight into the best methods for implementing the requirements. Ensure the organisation you use has a good balance of ISO27001 and technical experience. Don’t use a tick-box exercise company or someone claiming to be able to do everything in five days. It may seem like good value, but you will not get any real understanding of your risks and any real security improvement.
Don’t be too serious – win the business over, don’t bowl them over
To be really effective in implementing an ISMS you need to be able to get other people to do things for you. Obviously helping protect your organisation from various types of breaches is serious, but you can also have fun and enjoy doing it. Being open, light-hearted when appropriate and understanding the challenges and limitations of others in your organisation will give you a much higher chance of getting them engaged. This is a much better approach than slapping 50 policies on the intranet and forcing everyone to read them or face disciplinary action.
Don’t lose traction after you’re certified
We have implemented many ISMS frameworks and supported clients through the ISO27001 certification process. We still work with many of those organisations to help them manage the ongoing requirements. This ensures they continue to operate the controls effectively and manage their security requirements.
One of the biggest problem areas we see is after someone has certified. The whole organisation is elated, they’ve finally achieved their goal and then suddenly, it’s three months down the line and nothing has been done since. The risk meetings got postponed, leadership meetings cancelled, and the IT administrators have been assigned to another project so are unable to run vulnerability scans and patch systems… Don’t fall into this trap, ensure you have the resources to continue beyond certification, or engage a provider to help you deliver on this.
We hope this has helped you on your journey with ISO27001, if you would like to ask any further questions around these issues then please feel free to contact us at email@example.com and we’d be happy to help.