We have a requirement at work to implement ISO 27001 Information Security Management Systems. A brief preamble – ISO actually stands for the International Organisation for Standards, and a standard is an agreed body of work that an organisation adopts to demonstrate it does things a certain way, every time, and the world says that’s a good thing (theoretically). We already have ISO 9001 Quality Management Systems and other industry-related accreditation. When a company is successfully tested or audited against a standard, it is awarded certification. You might have seen companies with the three ticks of quality – a small red and white rectangle in the bottom left of a company brochure. This means they have successfully gained three different certifications.
For us, Information Security Management Systems is part of our government work – we need to demonstrate that we are maintaining a high level of security for the information we hold about our clients and staff. It sounds like a handy thing to have, and indeed, if implemented operationally, it will be. When we were looking in the middle of last year for a framework for our IT activities, I had been leaning towards the ITIL approach rather than a standard. I’m glad I didn’t waste too much time on that. I wanted to write a few observations about this process, and reflect on how it has gone during a time when isolation from others has been the rule, not the exception. With regard to that, spending long amounts of time alone with an international standard is both very helpful and, for me, extremely detrimental to my mental health – it’s been easy to wander down a policy or path and then realise we have no risk that it controls for, and a day of work has been lost. Not the most positive of outcomes. So here are my observations so far.
Do your research. I can’t emphasise this enough – read about the standard, and read how to implement it. There don’t seem to be all that many war stories from people who have been through this process (part of my motivation for this post, actually), but there are great sites out there with lots of detail to be accessed. I started by looking around on the internet (as one does) and found the ISO27001 Security toolkit here https://www.iso27001security.com/html/toolkit.html – this has been an invaluable resource. Equally valuable was purchasing the ISO27001 standard and the ISO27002 Implementation Guidance. Read these, love them and cherish them – they are very helpful. Use the toolkit’s information and guidance.
Amongst the many videos on YouTube I found some absolute gold. One was a short clip with a 10-point plan. I won’t go into that (to each their own), but there were a point or two that I feel need to be underscored. Implementing this standard starts from understanding your organisation’s risk. Identify the risk, treat it, and then link back to the controls in Annex A. No risk? Then potentially no need for a control. No policy? Don’t write one just to satisfy the control – figure out whether you really need it or not. Do we need a media disposal policy using a degaussing device? No! Our risk profile doesn’t support that at all. These two points – start with risk first, and don’t write policies just to fulfil the standard – will save you a lot of time. There are certain required components of the standard – you have to address these, so make sure you do.
A final point on this. My organisation requires this certification for our contract work, and we could just do the bare minimum to fulfil that and then go on with our lives. Alternatively, we could decide (and we have) to use this to build a better organisation. Aspects of the controls we have not addressed, based on our risk assessment, are being carefully considered as potential risks we aren’t aware of, or haven’t had to think about. Making this standard operational, in the sense that our policies, work instructions, and monthly/quarterly/yearly activities are all linked neatly together, will bring real value to the business. Make that choice early in your quest. Go light or go heavy – it’s up to you and your business. Good luck if you are undertaking certification of any type – it’s a huge amount of work.