With the proliferation of digital and data services, many companies are looking to standards such as ISO27001 (Information Security Management System) to help them manage their security risks. It does, however, come with a degree of hesitancy, given its reputation as a significant undertaking. Below are some tips to consider before taking on the endeavour.
Know the end game
The foundation of any undertaking, let alone ISO27001, should be a good understanding of why you are attempting it in the first place. Typically, organisations implement the framework because they are in a highly regulated industry where tight security measures are mandated by law. Health laws, such as the US's HIPAA, demand that covered entities have adequate administrative, physical and technical safeguards. Similarly, financial regulations often prescribe risk management measures to ensure the protection of confidentiality, integrity and availability of information. Above and beyond compliance concerns, many organisations dealing with sensitive data also look to such comprehensive frameworks as a strategic tool to help engender trust and reduce customer acquisition friction. Whatever the reason, or combination of reasons, it is vital that they are fleshed out and thoroughly discussed with stakeholders as part of the business case process right at the outset.
Have adequate resources
Because the standard is comprehensive, implementing it can be quite taxing on organisational resources. A significant portion of this effort will be devoted to documentation. As the name suggests, it is an Information Security Management System (ISMS), so it will involve articulating how the organisation will integrate people, processes and technology to achieve specific outcomes. It should be remembered that this requires not only someone to write the documentation, but also people to review and implement what has been written. After all, organisations will potentially need to demonstrate that they have followed their own policies. Depending on the maturity of the organisation, the implementation process itself should also not be underestimated. Given the standard's requirement for a comprehensive risk assessment, significant technical changes may be required to ensure objectives are met. This will likely involve technical staff devoting extra time on top of their existing day-to-day duties. Finally, and most importantly, an implementation lead will need to be assigned. Ideally, this person will be able to engage across the business with different stakeholders, from IT and senior executives to HR, as well as follow up on the finer details of specific policy implementation.
Look at Total Cost of Ownership
Organisations should look to assess costs in two separate stages. The first is the costs known at the outset: the cost of the certification process itself and any internal resources required to maintain compliance. The second portion can only be determined after an organisational risk assessment has been undertaken. This may uncover security gaps that need to be addressed by integrating an external platform or developing a mechanism of your own. This extra component will need to be paid for and/or maintained on an ongoing basis, and its cost should be anticipated from the outset.
Prepare for a marathon, not a sprint
While the typical implementation process takes 12 months, timeframes can stretch out depending on factors such as culture and resource availability. The standard's methodical and linear approach will, in many instances, seem quite at odds with modern agile methodologies. Organisations should thus expect a degree of resistance from some quarters, especially if the business is largely focused on rapid innovation. A lack of resources will also hamper the momentum of the implementation. This should be factored in if there are many legacy systems that need to be integrated or managed.
Focus on Change Management
ISO27001 implementation is in many ways a change programme. It requires an organisation to change both what it manages in its information security practices and how it manages them. Typically encompassing the entire organisation, its impact at the day-to-day level should not be underestimated. This can range from how staff classify documents to which devices they may use. To bring people along, stakeholder management, engagement and communication are vital. Time spent soliciting feedback on policies that affect all staff, for example, may be important in determining whether those policies are followed or worked around in the long run. Remember that once you are certified, you will still need to maintain that certification.
A final word
The external audit can be a daunting exercise and preparation is key to ensuring it runs smoothly. The following are areas organisations should focus on to pass with flying colours.
- Documentation – as discussed above, this is a significant and important aspect of the standard. Given that it will form a major portion of the certification process, it is vital to get it right.
- Internal Auditing – mandated by the standard, it is not only necessary but also a good litmus test for determining whether an organisation is ready to get certified.
- Training – this is an often-overlooked aspect of the implementation, but staff competency and awareness of their obligations are elements that will be checked as part of the certification process.