ISO 27001 is hard work, but it has benefits for us and our customers. Let's explore some of them...

Posted on 05 December 2017
Here at Tibus, we are ISO 27001 certified. Achieving that certification was probably the hardest thing we have ever done. In fact, it was so hard that we failed twice before we really got to grips with what was needed from us, particularly in terms of time and attention.
When we finally got there, it was worth it. ISO 27001 certification has brought with it a lot of benefits for us and our customers. Here’s what we get out of it and how it has moved our business forward.
It might sound a bit naff, but it is so valuable. Questions about the impact on IT security and data governance are asked by our team as second-nature now. It’s a healthy form of self-interrogation, with impact analysis now a natural part of the conversation for any task we are undertaking.
For example, what impact will it have if we move our hard copy contracts from a cupboard to a storage room? What impact will it have on our information security policy if we change our firewall support provider?
The conversation about impact analysis encourages good planning, good thought process and real rigour in what we do and how we choose to do it. ISO 27001 has given us the framework, the reference points, the words, the way of thinking to do that effectively.
If the sort of rigour we were talking about above ever did crop up in the days before we had ISO 27001, it probably would have come from our IT team. And it would have resulted in them being seen as the ‘no police’ or the ‘work prevention team’.
With policies set in black and white, it takes the pressure off the IT team. Don’t like something? Don’t blame the IT folks; it’s the policies. And general staff all know that the policies - whether or not they like them - are in place for good reason.
So, everyone should have a PIN on their phone, change their passwords regularly, set up databases in a certain way and avoid USB sticks like the plague, not because a jobsworth in IT says so but because it is business policy.
Our IT team are now involved in business service provision, rather than policing.
Everybody has different attitudes to risk and IT security. Rather than let people get on with whatever they feel comfortable with, with ISO 27001 we have consistency and agreed best practice in place for everyone.
The knock-on effect is consistency for all our clients, all internal users and throughout our team.
We’ve got far more consistency than we had.
Some of our clients have to, or choose to, undergo audits of their website operation and management. Auditors are often sent directly to us and we have always been happy to handle this for our clients.
But doing so has become far easier with ISO 27001. Large chunks of these audits (and our own internal audits) are satisfied very quickly by the processes, policies and paperwork we already have in place for data, privacy and information governance.
This is good for us and good for our clients (and probably good for auditors, too): everyone’s resources are freed up.
Similarly to the auditors, we often have internal questions to answer for risk assessments, due diligence, internal audits and other things that crop up. ISO 27001 is a shield against these questions. Most of them are already answered by our policies, so we can get on with our work.
Although not as tangible as the benefits we’ve discussed so far, ISO 27001 also brought with it some emotional improvements for our business. It forced us to kick on, grow up, and effect a step change in our working practices.
A brilliant side-effect of working towards and implementing the ISO 27001 standard is that it put our business in much better shape to move to the next level.