ISO27001 for small businesses

Author: Gary Hibberd

Date: 18th June 2020

 

With all the headlines in the news about Cyberattacks and data breaches, I think it’s reasonable to assume most business owners recognise the importance of putting good security practices in place.

Depending upon size and sector, these practices will be loosely implemented, with a broad understanding of what ‘good’ looks like, through to the adoption of formal security management frameworks.

But what happens when you’re in that position of having operated quite happily with a loose set of principles and now need to take the next step to formalise the approach? This normally happens when the business grows to a sufficient size that warrants such attention, or when customers and tenders demand evidence of a structured framework.

The first piece of advice I would give is to think of this as a journey, not a destination. It may sound like a cliché, but that’s because it’s true.  And there is no such thing as the ‘perfect journey’, only the journey you take. 

You should consider frameworks like a roadmap, giving you direction and markers to help you know you’re heading in the right direction. But which framework/map is right for you?

 

Not all those who wander are lost.

On first glance, it can seem that there are a bewildering number of directions to go in, and a number of Security related frameworks to focus on. Perhaps I’ll cover the more popular ones at some point in the future. But for now, I’m going to suggest you focus on one, and it’s probably the most well-known and understood.

 

ISO27001:2013/17

This is an international standard for Information Security Management Systems (ISMS), and gives you a framework to help implement an evidence-based security system. When this says ‘system’, it simply means a set of principles or procedures which, when put together ensures Security.

At just 34 pages, it’s not a long read, but it’s not a very exciting one either.

You can either align yourself to this standard, or go for the formal certification, but if you’re just starting out on the journey, or in business then, for now, my advice is to adopt the standard as a framework. You can worry about certification at a later point.

It should be remembered that there is a whole profession and industry that revolves around this (and other) standards, so undertaking a journey to align to the standard is still no small task. But you can do it, and here’s how.

 

6P’s of ISO27001

It may come as a surprise to some, but Information Security isn’t just about IT. In the same way that road safety isn’t just about a well-maintained car, having good IT services isn’t going to make you a responsible ‘high-way’ user!

In broad terms ISO27001 wants you to consider the following five areas;

– People

– Premises

– Policies

– Processes

– PCs

– Providers

All these areas are interwoven, and overlap, but address each of them, and you’ll quickly find that you’ve aligned to ISO 27001 without reading a single page of it!

Before you get started, I think it’s important to write the answers down to each question and document your approach to each. In some places, it’s obvious you’ll need to do this. But by documenting how you approach each topic, you’ll quickly see gaps, but more importantly, it gives you something to refer back to as you grow and continually improve your Security.

In addition, having these things documented will help in bids and tenders that ask about how you ensure security and data protection.

On answering some of these questions below, I would suggest that you’ll know if the answers are adequate because they’ll feel that way. Do you feel comfortable with your answers, or are there gaps in your knowledge?

Let’s start with your most valuable asset of all…

 

People

How do you hire people? Do you do background checks and reference checks? If not, can you explain why? A small family business I worked with stated they didn’t need to because, well, they were family! We wrote a short statement to that fact in their Security Manual and moved on. If they grew (and they did), they were able to revisit this.

How do you train your people on Security? How do you make them aware of their roles and responsibilities? Induction training? On the job training?

What systems do they need access to, and how do you ensure they have the right access at the right time? Does everyone need access to your finance system? Write a list of employees and list the systems they should have access to, and the devices you’ve given them.  When they leave, you’ll know which systems to remove them from, and what equipment you need back.

 

Premises

How do you secure your premises? CCTV? Alarms? Security guards? Reception? Do you have a secure waste collection or shredders on-site? Do you have locked cabinets or storerooms with limited access? Who has keys, access cards, or codes?

Take a walk around your building, from the entrance to Fire-exit and ask; If I was a thief, are their ways for me to get in and take something?

 

SAD Policies

Do you have a Security policy? Acceptable use policy? Data protection policy? For a small business, I would suggest you start with these. There are many more you will need for full ISO 27001, but for now, keep it simple.

Remember that a policy is a statement of fact. It’s your approach to these topics, not how you do something. Google these policies, and you’ll see a lot of examples and even free templates you can use.

 

Processes

Do you have a Subject Access Request (SAR) process? A process for assessing Risk? Do you have a Business Continuity Plan?

When it comes to Risk (intentional capitalisation), you need to create a Risk Register. This is simply a place where you consider all the negative and positive things that might affect your business, and then consider the likelihood and impact of the Risk occurring.  Again, this is a whole profession, but Google the term ‘Risk Register’ and you’ll find a wealth of information available.

 

PC’s

Do you have a list of assets; mobiles, laptops etc.? How are you backing up data? Who is ensuring systems are ‘patched’? What malware protection do you have? Where is data stored (note: ‘The Cloud’ is not an acceptable answer)? Have you had a Vulnerability scan or Penetration test carried out? Do you need one? How is access to systems granted and revoked? How is Data destroyed? 

The good news is that some of this will be covered by your IT provider. Ask them to provide a copy of their “Operating Procedures for Security”.

 

Providers

Who are you sharing data with? Who are your ‘third-parties’ that you speak of in your website’s Privacy Policy? How critical are your suppliers? Have you up to date contracts with Service Level Agreements and Non-Disclosure Agreements in place? When was the last time you asked them about THEIR security capabilities? Are they ISO 27001 certified?

Remember that you are the Data Controller; the legal entity who defines why and how Data is collected. It doesn’t matter if you are a small business or a multinational; It’s your responsibility to ensure you’re acting responsibly with Data, and that includes checking who you’re sharing it with.

 

Conclusion

ISO 27001 Consultants everywhere may be screaming at this blog, that I’ve given away trade-secrets or done the standard a disservice because I haven’t dug deep enough. I truly hope that’s not the case.

The intention behind this blog is to introduce to small businesses the notion that ISO 27001 is a complex standard, but doesn’t need to be complicated. Is there more to ISO 27001? Oh yes! I haven’t spoken about AnnexA controls or ISO 27002, and no doubt I’ll cover these in future blogs.

But the intention of this post was to dispel the myth that security needs to be complicated. Keep it simple. Every journey begins with a single step, and if you’re a small business, then consider this your first step into a bigger and more interesting world.

If I can be of any support on that journey, then let me know.