In 2017, Conosco Information Security Manager Hylton Stewart spearheaded Conosco’s process towards ISO 27001:2013 certification. Notably, we achieved compliance after only 10 months. In this article, Hylton describes the process, benefits and potential pitfalls for companies considering implementing the ISO/IEC27001:2013 standard.
What is ISO 27001?
The ISO/IEC 27000 family of standards is published by the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC). It provides one of the most globally recognised and accepted frameworks for the implementation of information security management best practice.
The primary standard within the family is ISO/IEC27001:2013, which is the actual document that sets out the requirements against which an organisation’s Information Security Management System (ISMS) can be audited. This is required in order to attain certification against the ISO/IEC27001:2013 standard. This standard is designed to be industry-generic, applicable to all businesses no matter their size, geographic locations, or operating industry.
The benefits of obtaining certification against the ISO/IEC27001:2013 standard are numerous. They can be broken down into two categories:
General to all businesses and industries
- Increased data security
- Improved business functioning by assisting to identify and document processes
- Improved staff security awareness through requiring regular awareness training
- Increased ability to comply with the GDPR
- Competitive advantage and business differentiator, as many third parties now prefer partners with ISO/IEC27001:2013 certification
- Enhanced reputation, as ISO/IEC27001:2013 certification is widely recognised
Businesses with specific requirements
- The same advantages as above, plus:
- Meet requirements to do business with third parties, as organisations in some industries require their partners to be certified
- Assist in meeting industry and regulatory requirements – many specific industries have enhanced regulatory requirements, and ISO/IEC27001:2013 certification meets many of these requirements
- Show compliance with third-party audit requirements, thus minimising audits – holding ISO/IEC:27001:2013 certification usually reduces the requirements and/or frequency of third-party audits, thus freeing up business resources
When looking to implement an ISO/IEC:27001:2013 ISMS, there are some important considerations you need to be aware of before starting the process.
An ISMS is not an IT or technical system, it is first and foremost a business system. There are certainly many technological elements within an ISMS, and IT involvement will be required, but the implementation and direction of the ISMS must come from senior management. From planning, creation, implementation, operation, and continual improvement, the ISMS must be lead from the top.
It is vitally important to understand that in order for an ISMS to be effective and complement your organisation, it has to be created FOR the business, BY the business. This is not to say that outside assistance should not be sought; in fact, it will almost certainly be required. Rather, this means that the risks and controls identified, as well as the policies, procedures and workflows written for the ISMS must have direct input from stakeholders within the company. If this is not done from the start, the resulting ISMS will likely not fit your organisation’s culture, and will not be accepted and embraced by employees.
For most companies, the process of implementing an ISMS will involve changes across the entire business. This requires an element of change management, and it is important to involve all employees in the development of the ISMS, and not just management and consultants.
Another important consideration when embarking on the journey of implementing an ISMS is the time commitment that will be required. On average, companies will need between 8-12 months to create and implement a basic ISMS, that will meet the requirements of the Standard for certification. However, this is just the beginning of the time commitment – operating and improving the ISMS on a daily basis will, depending on the organisation size and the complexity of the ISMS, require approximately a quarter of an average employee’s time.
For certification audits, it is important to be able to show this commitment from senior management, as well as the time commitment to operating the ISMS.
When it comes to external audits of your ISMS by an accreditation body, there are many important things to consider, such as:
- You must be able to show evidence of to the auditor(s) for any process or procedure that you document. For example, where your Awareness Policy states that you conduct staff awareness training annually, you need to maintain records of this as well as evidence of its effectiveness. Simply sending staff a quarterly email with a link to a presentation will not be sufficient.
- Know the difference between a certification and surveillance audit: ISO/IEC27001:2013 certification audits run on a three-audit cycle. Initially, you have a certification audit (which consists of a Stage 1 document audit, and a Stage 2 on-site audit), then at roughly the end of year one and year two, you will have a surveillance audit. The initial audit is looking for evidence of implementation of an ISMS, while the surveillance audits are looking for evidence of operation and improvement to the ISMS.
- One of the requirements of ISO/IEC27001:2013 is that your organisation conducts annual internal audits. These can be conducted by consultants, or by internal employees. If internal employees are used, they will need official audit training. Also, if they perform other duties apart from auditing, they will not be able to audit the areas for which they are responsible. For this reason, it is often easier to enlist outside assistance to conduct these audits.
To reap the benefits and avoid the pitfalls of ISO/IEC27001:2013 implementation, your organisation may need external expertise. Contact the Conosco Security Division today for a free consultation: firstname.lastname@example.org