Delivering ISO27001 — Part 1 of 4 — Getting started
This is the first in a four-part series of blog posts, on my experiences with delivering ISO27001, and how to get the most value from the process. As well as things to watch out for along the way. The goal here is to give you a whistle stop tour of ISO27001, with actions to make your own ISO27001 implementation easier.
Who am I?
I’m Karl 👋, and I’m Head of Operations for Cronofy.
I worked my way up from working on a Service Desk, to Operations Engineer, IT Service Manager, Operations Manager, and then Head of Operations — accumulating various qualifications and experiences along the way. I’ve worked at various types of businesses, from large, commercial retailers, to small startups and marketing led businesses.
Most importantly for this, I’ve led or been a key contributer in multiple implementations of ISO27001, SOC2, GDPR, and PCI DSS compliance programs.
What I’m trying to say is — this isn’t my first rodeo.
ISO27001 — Why?
Businesses and customers love ISO27001. Okay — Salespeople and Vendors love ISO27001. The people who have to do the work to implement the program… ehhh maybe it’s more love/hate. But, there’s a tonne of value in going through the process of trying to attain ISO27001 and attaining the certification. A no way exhaustive list of the benefits is…
- Forcing quality into your processes by adhering to ISO27001
- Insight into where the gaps in your ISMS/business processes are
- Help in increasing the security of the data you collect/store
- Shortening the Sales process when onboarding
- Opening up the door for more security-conscious customers
- Fewer security questionnaires for Ops/Engineering teams/CIO/COOs. 🎉
However, for somebody in my position, the biggest benefit is the actual value that the process brings. The process of benchmarking the current position, identifying where there may be room for improvement, and then making those improvements. This allows me, us, to deliver peace of mind to our customers, so they know that we take the protection of their data, seriously.
Let’s dig into some of the terminologies before we go too much further.
- ISO27001 — Is the specification for creating an Information Security Management System.
- ISMS (Information Security Management System) — The ISMS is the policies and procedures for managing your sensitive data. More on this from the International Standards Organisation (ISO) here.
- Scope — The scope is a definition of the ISMS, concerning its business needs, organisation structure, business locations, information assets, and technologies. The scope is used to define what’s within the boundaries of your ISMS.
- SOA — The SOA or Statement of Applicability summarises the organisation’s position on all of the information security controls outlined within Annex A of the ISO27001 standard. Within the SOA, you should state whether you have implemented the control, or whether the control doesn’t apply, with your justification.
- Control — A control is anything (such as a policy, or process) that modifies risk.
- Policy — A policy sets out the intentions of your organisation, concerning certain activities.
- Process — A set of activities that transform inputs into outputs.
- Risk — A risk is the effect of uncertainty on business objectives. These are typically recorded in a Risk Register.
If anything else crops up along the way or in future blog posts, I’ll explain those then.
So how do I get started?
The ISO27001 process can take a long time and doesn’t come for free. There may be costs involved in bringing your ISMS up to the ISO27001 specification, as well as training for employees. There’s also the cost of being audited and receiving your certification, which can increase further if you require a physical on-site audit.
I’d recommend starting with management buy-in. ISO27001 is not a single team project, but a business objective. Ask yourself why you feel that it’s important to go through the ISO27001 audit.
Whilst it really shouldn’t be difficult for businesses to buy into Information Security, you may need to put together an objective and persuasive case for investment into the process. For example, explain the cost benefits in shortening the sales cycle, having a better security posture than your competitors, and ultimately avoiding major incidents, such as security breaches. There are numerous case studies available to help you with this task. I can recommend this article by the IT Governance blog.
If you’re new to ISO27001 and haven’t implemented it before, you might want to consider purchasing a toolkit as part of your implementation. Essentially, an ISO27001 toolkit contains a checklist, draft copies of policies and additional content to allow you to conduct a GAP analysis against your ISMS, and includes the content to help you fill those gaps.
An alternative to a toolkit is an Information Security Management platform. At Cronofy we utilise Tugboat Logic, which has the template policies but also includes integrations with 3rd Parties, such as AWS and Github, as well as allowing us to run our employee security awareness training. There are alternatives to Tugboat, such as Loopio and AlienVault USM which I’m sure do a fine job, too.
Finally, you could pay for an audit company to come into your business and conduct the gap analysis, however, this can as much as double the cost of the ISO27001 process (dependant on the scope).
Now — you’re ready to get started with ISO27001. In my next post I’ll cover off the ISMS Scope, Application Letter and, Statement of Applicability, as well as including a link to download a free template for those documents.