Journey Towards ISO 27001

Introduction

Introducing any standard to any organisation is always a challenging task. Introducing an Information Security standard to a start-up can be even more tricky. Small companies, especially start-ups, are often at the stage where procedures are not robust, well established or embedded into the company’s culture, or in some extreme cases there simply aren’t any procedures at all. The obvious question is how one can introduce a world-wide recognised standard in a place like this. Learning from my recent experience, I will try to give an account of how we did it.

Get The Basics Right…

Get your company into reasonable shape before you even start working on ISO 27001. Antivirus and a firewall are a must, and it’s recommended to spend a fair amount of time on your current infrastructure to identify any potential shortfalls and areas where best practice is not followed. Access permissions, physical security, H&S – all will be reviewed, so you might as well resolve any potential issues at this early stage. Some will require time to implement, which is why I suggest starting here.

Study and Understand Requirements…

Read the standard, then read it again and take notes for each point where you believe your organisation is showing weaknesses. The good news is that the SoA (Statement of Applicability) is a public document and can therefore be requested from any organisation that is ISO 27001 certified. Think of someone who is operating in the same industry and use the documentation provided as a template, or at least as a guide. This should give you a sound understanding of what’s involved.

Get Management Involved…

It all starts at the top. Management’s full support and involvement is absolutely essential for you to succeed. They do not have to be involved in every activity, but a clear, consistent message sent to all stakeholders within the business will help to reinforce the feeling that what you are trying to achieve is important, not only to you, but to the business as a whole. It might be beneficial to invite at least one board member to join the ISMS committee.

Talk To People…

All staff members will have to get involved. As a bare minimum they should all know how the standard affects them and what will be required. Company-wide training is unavoidable, but there is more that needs to be done. This is a good moment to mention objectives. One of our initial objectives when introducing ISO 27001 was to embed the Information Security standard into our company’s culture. The more you talk about it, explaining how this is going to change their day-to-day life, the better the chance you will get it right. There are probably areas of the business that you aren’t even aware of, and these can only be spotted by talking to other departments.

Get Help…

It is always good to involve professionals familiar with the standard. You will have lots of questions and there are likely to be moments when you’ll be scratching your head wondering ‘what do they mean by that?’ The standard dictates that you are reviewed independently anyway, so it is worth building this relationship sooner rather than later. The budget might be tight, but it is money well spent.

Secure Funding…

Unless you are extremely lucky and your company has all the technology and infrastructure already in place, you will have to make some investments. Many controls are built around IT; therefore, this is probably where most of the budget will vanish. It might be that a new antivirus is required, or perhaps an access control system must be introduced. One way or another, money will be needed.

Don’t Underestimate Tasks Ahead of You…

The tasks ahead of you are complex, almost always requiring additional work and involvement from other departments. There are 114 control measures [in ISO 27001:2013], meaning that you are potentially looking at 116 micro projects for yourself to manage. I suggest you use a project management tool of your choice. I’m personally using ‘Asana’, which is available online, and a cut-down version can be used for free. Documentation is another important aspect that cannot be overlooked and, yes, it will take a horrendous amount of time to complete it.

Form A Team…

Managing a project of such a size on your own can be, and probably will be, a burden for a while, especially if you try to run it on top of your day-to-day job. I was lucky as my team consisted of two members – myself and one other person. We split responsibilities based on our own areas of expertise. I took care of everything related to IT and the relevant documentation, while my colleague took on the documentation of all procedures and business processes. Roughly, the split was 50:50. Regular catch-ups, probably once a week, are recommended to see where you are struggling and how you can help each other.

Documentation…

I’ve mentioned this already, but let me stress it again: documentation is your first line of defence. The audit can be described as a two-stage process. Stage one is where auditors ask how you do this or that; this is where your documentation comes into play. Stage two is all about proving that what you have written actually takes place, so evidence will be required. Essentially it boils down to two questions: tell me and show me. It’s not just you who will have to come up with processes and documents; others will have to do the same. It might be worth engaging your marketing team to help put a positive spin on the activities ahead. After all, we have significantly improved the way the business operates, introduced clear rules as opposed to a ‘wild west’ approach and, in a few cases, reduced the red tape.

Continuously Improve…

ISO 27001 is not one of those standards that, once achieved, can be considered done and dusted. This standard is very much about showing commitment to continuous improvement – in any shape or form. Businesses evolve, and so does the world around them. What is good enough today might not be sufficient tomorrow. Keep an eye on current trends, threats and risks. This could be the latest trends in ransomware or phishing attacks, or a new directive from the EU – all equally important. Regularly review your processes, events and incidents. Be sure to perform root-cause analysis of problems spotted and look for any emerging trends.

Final Words…

Was it worth it? Yes. Implementing ISO 27001 paid off in many ways. Our sales department loves it, because it allows them to engage with large enterprises for whom Information Security is an essential prerequisite to doing business. Our management likes the idea of being certified as it adds a certain prestige to the business itself. My colleagues… honestly, it is a mixture of love and hate at the same time. Hate – because the implementation can sometimes be tricky and demanding, with extra work to be done. Love – because despite some inconvenient requirements, it generally helps to build a better work environment with tangible benefits. Me? I love it, because I can continuously focus on introducing best practice for the business and now have the backing of top management to do so!

Ernest Krukowski – IT Systems Administrator (An ISO 27001 client of Assent’s)

Please note ISO 27001:2013 has since been revised to ISO 27001:2022.
