How do I achieve and maintain ISO 27001 compliance?
By gaining certification or aligning your business to ISO 27001 (Information Security Management), you are demonstrating that you have identified the risks, assessed the implications and implemented controls to limit damage to the organisation. As well as building the confidence of your clients and suppliers, you are also increasing the reliability and security of your systems and information; giving you peace of mind that your business is better protected.
ISO 27001 is a framework of policies, procedures, processes and systems that includes all the legal, physical and technical controls needed to manage information risks such as cyber-attacks and data breaches. There is growing demand for organisations to implement this framework. Typically, when looking to do so, organisations seek additional support when they are:
- In a position where they need to achieve ISO 27001 but haven’t started and don’t have dedicated resource in-house to achieve this
- In a position where they have started to implement the clauses and annexes, and have often paid for a policy pack, but have not had time to complete the requirements so that they can demonstrate alignment with the standard
Often, the need is driven by a client requirement. However, we are seeing more and more organisations choosing to align their business with the standard rather than going through the full certification audit. As long as that alignment can be clearly demonstrated, it is enough to assure customers and suppliers that your organisation is information security savvy and takes the mitigation of risk seriously.
Implementing ISO 27001
Whichever route you decide on, it is still important that the policies and procedures are implemented correctly. The business also needs to ensure that the clauses and annexes are maintained so that the framework remains relevant to your business and its processes.
For example, if your organisation has bought an ISO 27001 policy pack, have you made sure that your policies are:
- Implemented properly?
- Tailored to your organisation, its processes and people?
- Regularly updated to reflect all changes in the business, e.g. new people, procedures or software?
This is not a one-off, tick-box exercise. It is about making changes, being able to demonstrate that your organisation is better protected and up to date, and making sure the new processes are followed and understood by everyone in your organisation.
Typical implementation errors
Whilst each client is different, and we will always assess the gaps before helping to implement the framework, there are common errors we find with clients who have partially implemented ISO 27001 that I would like to share:
Little or no development of risk management process
We often find that organisations have little or no risk management process in place. Risks change and evolve, and you need to make sure that your framework reflects this. In addition, there is often no risk treatment plan in place to develop this process and mitigate recurring risks.
No training & awareness plan
Regular training and awareness plans should be in place for existing employees as well as new employees, so that everyone is aware of the latest policies and procedures and why they are in place. We generally find that internal adoption of any change is much higher once employees are fully engaged on the whys and hows.
Lack of due diligence on supply chain
Because cloud-based services are widely used and data is often hosted by another provider, most cyber security frameworks will include supplier systems within the scope of your organisation’s compliance. We recommend that you carry out due diligence on your supply chain at the earliest stage possible. Your suppliers will also be required to demonstrate compliance with the requirements. Do not assume that because your supplier is a large enterprise it meets ISO 27001 standards; we have already seen a number of situations where this is not the case. There are ways to present and manage this, but it is worthwhile understanding the position early on so that you can agree and manage a way forward and still achieve your organisation’s objectives.
Recommendations for maintaining ISO 27001
There are some recommendations we would make when any organisation is looking to get their ISO 27001 framework started or back on track:
- If you are looking to complete your ISO 27001 framework, whether you are managing this in-house or using an external partner, ask someone with a fresh pair of eyes to carry out a gap analysis and report the findings so that you have an accurate and independent starting point.
- Make sure you have the right skill set in-house to manage this, or identify the skills that are missing and engage a part-time person who can fill that gap. We often find that the person with the ‘best fit’ skills within the organisation is given ownership of this, but I am sure they would tell you themselves that they would never go out and deliver this externally. Whilst they will manage it well, it is often helpful to have a skilled ISO 27001 individual working on a part-time basis so that you have the right skills to manage the framework efficiently and cost-effectively.
- As well as a yearly audit to ensure compliance, we recommend that you implement an audit schedule incorporating quarterly mini audits. It’s a big framework and there is a lot to cover, so mini audits make it more manageable. Having a schedule in place means that each department within your organisation knows the audit dates in advance and can make sure it is well prepared. Use an independent party to do this so that the review is impartial and thorough.
Managing your ISO 27001 framework
Lifecycle management is needed for ISO 27001. We recommend that you implement a three-year audit schedule incorporating quarterly mini audits to ensure that you cover all the clauses and annexes in the ISMS (Information Security Management System) in a manageable programme. Three years sounds like a long time, but it will go quickly, and with the mini audits you will have continued assurance that you haven’t just ticked a box but have implemented better protection for your business that evolves alongside your company as it grows.
This article was written by our Security Consultant, Emma Spenwyn. If you would like to speak to Emma about implementing and/or maintaining ISO 27001 in your organisation, please contact her on 020 7877 0060 or email firstname.lastname@example.org.