Last week we became ISO 27001 certified, WOOHOO!
Trust us, we feel your pain! Getting ISO 27001 certified certainly isn’t as simple as ringing the awarding body and asking them to email you a certificate – there’s real work involved!
Nine months of hard work, policy writing and implementing new systems finally paid off and we couldn’t be happier. Today we want to put our experience to good use and share our recipe for success with you.
1) Management Buy-In
If you forget this step, your ISO 27001 project will fail. Generally we find that in larger corporations, lower-level management start out with the best of intentions, but when they ask top management for help, it isn't seen as a priority. Here's the key to success: get the attention of senior management. This step wasn't exactly difficult for us, we're an SME and our CEO did the vast majority of the leg work, but in a larger organisation, here is how to do it: present clear business benefits like increased market share, higher profits, lower compliance risk and no fines from the ICO!
2) It’s a marathon, not a sprint!
Implementing ISO 27001 means that you need to reassess every security policy and procedure in your company. You can’t give this gargantuan task to one person and expect them to complete it alone; you also can’t give it to a rookie or to someone who has no experience in running a project and expect such a person to coordinate everything that is necessary throughout your company.
If you can view the whole process as a fun run, you're on to a winner. The end result has been worth the hard work ten times over. We have brand new policies and procedures which have helped us update the content of our elearning modules, and the accreditation has made us even more reputable in our industry.
3) Budget, budget, budget
In most cases you'll have these costs: literature, external assistance (e.g. consultancy), technology and certification, but usually we find that the biggest cost of all is your own employees' time. Most of the technologies required you will already have in place, but your employees will have to do some serious organising in order to start using this technology in a more secure manner.
Remember, if you look at the project as simply a tick-box exercise you won't get the end benefits. We have enforced a security campaign where all employees must complete one cyber security topic each month. This ensures that all staff are displaying secure behaviours for the long run, not just for the audit!
4) Don’t get clever, stick to the steps
Like we said, it's going to be hard work. The temptation to cut corners and miss steps will be huge, but resist the urge! Risk assessment is often the main stepping stone which security experts skip. The ISO 27001 standard is written in a linear fashion, and this is done for a very good reason: if you don't know what potential threats there are, how can you prepare your safeguarding techniques to mitigate those risks? Hence why risk assessment is so critical.
Our pain point was 100% business continuity. We have now brought in cloud storage to combat this problem; using Google Drive and Egress Secure Workspace means that our staff can work from anywhere, at any time. That's just one of the amazing benefits completing ISO 27001 has brought to our organisation.
Choose an experienced project manager who will make ISO 27001 their responsibility even after the audit. Security procedures need to be at the forefront of everyone's minds, so ensure that they are woven into team meetings and day-to-day activities, because maintaining compliance is as important as initial certification!
Need more information? Just get in touch. We’d love to hear from you.