Are you working towards ISO 27001 certification? Here are pointers on how to achieve ISO 27001 success based on our experience.

Posted on 21 November 2017
Tibus managing director Andrew Maybin recently gave a talk to Certification Europe’s ISO 27001 Nationwide Roadshow in which he talked about the process of achieving ISO 27001.
Andrew described reaching ISO 27001 standards as being the “hardest thing we have ever done”. For a company that undertakes as much complex, technical work as we do, that’s saying something.
Fortunately, Andrew was also able to give some pointers on how to achieve ISO 27001 success. His advice was based on our experience of achieving ISO 27001 and the missteps we took along the way. Here is an overview of the main pointers he offered to the Certification Europe audience.
Don’t be tempted to dive into implementing ISO 27001 standards. Start by having a very clear idea of why you are working towards certification: what will the benefits be for your business?
Get together a team of your most trusted people and literally draw up a list of all the benefits you hope to achieve from ISO 27001 certification. Leave it for a week and then revisit the piece of paper. Does the list still reflect your thoughts? Is it realistic? Is ISO 27001 right for your organisation?
If you have decided you’re going to proceed with an attempt at ISO 27001 certification, now is the time to get really clued up as to what that entails and what it will mean for you and your colleagues.
Andrew revealed that he got stuck into a copy of IT Governance by Watkins and Calder because he felt he needed some context. He wanted to get a better idea of the whole picture so he could fully engage in conversation on the process, or at least listen knowledgeably to what experts had to tell him.
We failed twice in our quest for ISO 27001 certification because we woefully underestimated the time and effort needed from us.
The magic number turned out to be 85 days: that was our total investment in management time, technical time and finance time to support a successful journey towards ISO 27001.
We ‘spent’ 7 man-days for every member of our team in total. Perhaps by avoiding some of our mistakes, you can bring that down to 4 man-days per employee. Regardless, you will need to think about the costs and get ready to find the funds to support it. There really isn’t a shortcut or a cheap route.
If the thought of having the equivalent of all of your team diverted from their core duties for nearly a full week has got you sweating, you might consider getting some external help.
We don’t usually bring in consultants, but we did on this occasion. We allowed for 60 days of consultancy, which was probably too much. In retrospect, 40 days would have sufficed, so allow for 3 days of consultancy per employee.
You will need a dedicated team to oversee and implement ISO 27001.
It is important that this team is balanced and diverse. Don’t hand the project to IT (we did and it just ended up stuck in a queue of other projects) and don’t leave it all to HR, who will lack some of the technical knowledge needed.
Instead you will want people from a variety of disciplines. Include both senior and junior members of staff (we didn’t do this, but should have). If we were doing it all over again, we would also have a voice from procurement and an operator of each of our main systems, including financial systems and our CRM. The opinions of people who are hands-on with the systems day-to-day will provide something that management alone will not.
On that topic, be careful about your own involvement. This process needs close attention to detail, but it also needs the big picture view. Andrew recommends empowering your assembled team to challenge you on all aspects of the ISO 27001 process, then moving out of their way and letting them get on with the considerable task at hand.
The next stage is to set out the scope for your ISO 27001 application. We wrestled with this for two years because we always thought narrow was best.
We were wrong.
Go broad. Make it as wide as possible and cover everything that your business does so that it is truly meaningful for your organisation. Once you’ve done that, it becomes a straightforward (albeit still complex) question of execution rather than one of dabbling in strategy and trying to work out what you can get away with.
Trying to narrow your parameters is very limiting. You will get found out and all of the hard work will be undone.
Set the scope early and communicate it widely.
Having set the scope, bring your entire staff - not just your ISO 27001 team - into the loop. Don’t spring this process on them at the last minute.
Don’t strong-arm your team into doing the work needed. They will just silently resist or work around you.
We managed to get emotional buy-in pretty quickly by convincing our team that we simply wanted to look after our hard-earned wins to date; to protect the work they had already invested and would invest in the future.
Aside from that, try to make data protection a regular part of conversations around the office, even when you’re not talking specifically about ISO 27001 stuff.
It worked for us and might for you, too. Hopefully you’ll be surprised by how much support you get.
ISO 27001 does not allow time for resting on your laurels. Twice-yearly re-audits will keep you on your toes.
Keep your systems up-to-date in order to pass these surveillance audits. Invest the time to ensure your effort in achieving ISO 27001 doesn’t go to waste.
Aside from the audits, watch out for becoming over-confident. It’s easy to rely on ISO 27001 as a default answer for everything, so be aware of changes in the environment in which you’re operating. ISO 27001 is no substitute for good management, good risk assessment and generally caring about how you handle data.