Author: Gary Hibberd
Date: 19th June 2020
If you’ve ever wondered what it takes to become ISO 27001 certified, then wonder no more. I want to dispel a few myths about the standard and give you a few steps (the clue’s in the title) that will help you achieve what you want to achieve.
If you were to look online at this topic, you might be forgiven for thinking it takes a strange mix of being Elon Musk through to Merlin – technology mixed with a little bit of magic!
In truth, ISO 27001 doesn’t have to be complicated. It can be if you want to make it that way. But then can’t everything? Building a shed or fixing an engine is a simple matter of having the right tools, the right approach and a certain degree of knowledge and understanding. And it’s no different for ISO 27001.
Complex – Not complicated
Don’t get me wrong; I’m not saying it’s as simple as buying the standard and just going for it! Actually, if that’s your current approach and you’re confused, I’m not surprised. Standards like ISO 27001 aren’t a fun read, but they are clear in what they expect from you.
For example, the word ‘shall’ appears 191 times throughout the standard, so when it says you shall identify interested parties, then that’s what you need to do. Of course, this is where most people get lost. “Who are interested parties?”, “How do I identify them?”, “What do I need to evidence it?”. All great questions, but easily answered:
– Who? – Stakeholders
– How? – Speak to your team
– What? – Put it in an Excel spreadsheet
So how do you go about implementing ISO 27001 into your business? Follow these steps, and you won’t go far wrong.
Top Management Buy-in
First and foremost, you need to have top management buy-in to the process. If you’re the business owner and you’re thinking of doing this, then the process needs your support. To achieve buy-in, it’s vital that you understand why you’re going for the standard.
Like most things in life, ISO 27001 isn’t easy and requires some time, effort and investment. If you go down the ‘DIY’ route, then someone is going to need to buy books, go on training courses or invest time on the internet researching how to do it. If you go for external help from people like Cyberfort, then you’re going to be spending money on people who already have the skills, knowledge and expertise in this topic.
It’s an investment. So why are you investing in it? Having ISO 27001 brings a multitude of benefits, including:
– Reduction in risks
– Increased customer confidence
– Increased bid and tender opportunities
– Increase in brand and share value
– Opening up new opportunities into larger or different sectors
– Reduction in likelihood of cyberattacks and data breaches
– Compliance with regulatory and industry requirements
More often than not, the reason people go for ISO 27001 is because a customer or tender has stated that without it they will lose business. Your reason could be any mix of the above, but be sure of the ‘why’ before venturing any further.
Set clear objectives
Information security is a journey, not a destination. You may have heard that before, but it’s true. You should approach it like a project, yes (with tasks and milestones), but the truth is that you are looking to develop a culture which appreciates and understands the importance of security, and that doesn’t happen overnight.
Although you may say that your objective is to achieve ISO 27001, you will need to think a little deeper than this. What do you want the ISO 27001 standard to do for you? Here are some suggestions:
– Reduce the risk of malware infection on devices (e.g. laptops, mobiles etc.)
– Ensure information is not lost through social engineering
– Ensure all offices have shredders or Confidential Waste bins in place by the end of Q1
– 100% of the team are aware of the importance of Data Protection by the end of Q2
– Ensure devices are up to date with latest patches by the end of Q3
Like all good objectives, they should, where possible, be SMART (Specific, Measurable, Achievable, Relevant and Time-bound). How you achieve these things will be determined through the next steps, but as the saying goes: if you don’t know where you’re going, you’ll probably end up someplace else!
You can’t protect what you don’t understand, and most people don’t understand their own data usage. Even small companies, when asked “Where is your data stored?”, will answer “In the cloud!”. Remembering that ‘the cloud’ simply means ‘someone else’s computer’, this is like answering the question “Where are your children?” with “Outside”.
If you have already purchased the standard, then you can use it as your gap analysis tool. What you are looking for is evidence that you’re meeting the needs of the standard. The key word here is ‘evidence’. Where the standard says you SHALL do something, you need to ask yourself how you evidence that you’re doing it. Do you have documented policies and procedures? Screenshots? Reports? Minutes of meetings?
Once you know where your gaps are, you can begin to build your ISMS.
Build your Information Security Management System (ISMS)
What ISO 27001 is actually looking for is evidence that you’ve built and implemented an ISMS: a system to manage information security. That means documents. It means policies, procedures, reports, minutes of meetings, and other records like risk registers.
The standard is pretty clear in what it expects you to provide as evidence, but don’t overcomplicate things! A policy is a statement, a procedure explains how something should be done, and guidelines are optional approaches you can take. So a policy on ‘Acceptable Use’ can be as simple as a paragraph (or two) on what you deem acceptable behaviour in the context of security.
If your policies stretch beyond two or three pages, then you’ve strayed into procedures.
Implement the ISMS
Now you’ve built your ISMS, and you’ve had policies and procedures signed off by top management, you are ready to roll out your ISMS to your colleagues. This is the part most people get wrong: they do a couple of presentations about the importance of ISO 27001 without explaining the context and what it means to the individual.
What you should do is approach this as a marketing campaign. Get creative. Training people on security doesn’t mean boring them into submission! Create a team of ‘cyber champions’ who believe in what you’re trying to do.
Awareness training and communicating good practice take time. This can’t be achieved overnight, so see it as a long-term goal.
As I said previously, this is a journey, not a destination. If you’re going to successfully implement ISO 27001, you need to commit to a journey of continual improvement. This means running awareness training frequently and on an ongoing basis. It means reviewing policies and procedures annually, updating risk registers periodically, and reviewing incidents and issues on a frequent basis.
ISO 27001 shouldn’t be seen as a ‘tick-box exercise’, as it will simply become frustrating for everyone involved. See it as a chance to improve your security, and benefit from all the things I mentioned above. You’ll become a more trusted and respected business, business owner and leader by dedicating time and resources to any ISO standard, but ISO 27001 will (in my opinion) give you the greatest benefit.
As Gandalf said in ‘The Lord of the Rings’:
“It’s a dangerous business, Frodo, going out your door. You step onto the road, and if you don’t keep your feet, there’s no knowing where you might be swept off to.”
Every journey begins with a single step. Put one foot in front of the other, and who knows where you will end up.