As an organisation we have always been hugely aware that information security is at the forefront of everything we do; we are very critical of how we handle data and have gone to great efforts to ensure that it is done securely and safely. However, we were so caught up with developing the next best solution, or looking at how we could stay ahead of the market, that we assumed the process of getting accredited and certified for ISO 27001 Information Security would take up too much time and be so disruptive to our development process that it just kept getting put on the back burner.
The introduction of GDPR made it further apparent that some accreditation was required to actually prove to our clients that we are very security aware. Clients were even more likely to open a dialogue with: “What security procedures do you have in place? Are you GDPR compliant? And what certification do you have?”
We decided that it was time to bite the bullet and make it happen, and as the PM for this I had the daunting task of getting together the correct documentation, ensuring our procedures and daily business activities followed the ISMS policies (actually the other way round) and liaising with the certification body to conduct audits.
Initially I felt this would be a mammoth task to undertake; the documentation looked never-ending, and how would I find the time to create such an amount of paperwork?
It was decided to enlist the help of a consultancy, IT Governance. This was a massive step in the right direction for us, and I cannot overstate how much time and confusion it saved. They provided guidance, advice and encouragement but, most of all, the templated documentation which would become our ISMS. I took the opportunity to get all the members of the company involved in adjusting and formulating the documentation to suit our business needs. This created ownership for all involved, kept everyone “up to speed” on the progress and also saved me a hell of a lot of work! To help me maintain the ISMS, and to ensure every employee had access to it wherever they were, it was decided to host our ISMS in Confluence.
With the help of IT Governance we managed to formulate a comprehensive ISMS in a little over three months, and we were ready for our stage 1 audit in a very short time. This was helped, firstly, by a couple of us completing a foundation course for ISO 27001, but most importantly by the “buy-in” of every member of staff. We all quickly understood that most of our procedures were correct and those that weren’t just needed a fine tweak; our procedures guided what went into the ISMS, rather than the ISMS restricting our procedures.
With any new system it takes time to bed in, and an ISMS is no different. We set aside five minutes in every staff meeting to discuss the ISMS and dedicated a monthly meeting to scrutinising a portion of the documentation for validity, accuracy and whether it was actually up to date with our processes. This helps us to stay on top of, and be proactive about, assessing any risks we may encounter, and to assign any resulting actions to a work log, which is then kept updated.
Having been through the mill and come out the other side with a sense of relief, I think the following tips would be useful to anyone undertaking this challenging but rewarding experience.
- Enlist a consultancy: even though it may seem like an expense at first, the time saved is great and the experience and knowledge are invaluable.
- Get everyone to update documentation: I encouraged every member of staff, all the way up to the CEO, to amend or update some documentation. This generated buy-in and ownership, which made the whole process smoother for me and less of a burden.
- Engage early with the certification body: make sure to research the certification body and ensure they are accredited. Some companies will promise certification but are not actually accredited.
- Make the ISMS part of everyday discussion: one of the key factors for a successful ISMS is continually validating policies and processes to ensure compliance. Once the ISMS is established it should not be left to stagnate; rather, it should live and grow with the business. If this becomes part of everyday discussion, it becomes second nature to think about information security with every new or changed process, making it a much easier task to demonstrate compliance.
Qpercom’s ISO 27001 Certification was expertly assessed by Derek Mizak and colleagues in Certification Europe, and efficiently managed by our own Software Engineer & Project Manager, Kelvin Nunn. As a team, we look forward to continuing to provide consistency in our approach to information security as a global assessment provider.
If you would like more information you can reach us here.