In 2017, Conosco Information Security Manager Hylton Stewart spearheaded Conosco’s process towards ISO 27001 certification. Notably, we achieved compliance after only 10 months. In this article, Hylton describes the process, benefits and potential pitfalls for companies when it comes to ISO 27001 implementation.
But first, what is ISO 27001? The ISO/IEC 27000 family of standards is published by the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC). It provides one of the most globally recognised and accepted frameworks for implementing information security management best practice.
The primary standard within the family is ISO/IEC 27001:2013, the document that sets out the requirements against which an organisation’s Information Security Management System (ISMS) can be audited. Passing such an audit is required in order to attain certification against the ISO/IEC 27001:2013 standard. The standard is designed to be industry-generic, applicable to all businesses regardless of their size, geographic location, or operating industry.
The benefits of obtaining ISO 27001 certification against the ISO/IEC 27001:2013 standard are numerous. They can be broken down into two categories:
General to all businesses and industries
Businesses with specific requirements
When looking at ISO 27001 implementation, there are some important considerations you need to be aware of before starting the process.
An ISMS is not an IT or technical system; it is first and foremost a business system. There are certainly many technological elements within an ISMS, and IT involvement will be required, but the implementation and direction of the ISMS must come from senior management. Through planning, creation, implementation, operation, and continual improvement, the ISMS must be led from the top.
It is vitally important to understand that in order for an ISMS to be effective and complement your organisation, it has to be created FOR the business, BY the business. This is not to say that outside assistance should not be sought; in fact, it will almost certainly be required. Rather, it means that the risks and controls identified, as well as the policies, procedures and workflows written for the ISMS, must have direct input from stakeholders within the company. If this is not done from the start, the resulting ISMS will likely not fit your organisation’s culture, and will not be accepted and embraced by employees.
For most companies, the process of implementing an ISMS will involve changes across the entire business. This requires an element of change management, and it is important to involve all employees in the development of the ISMS, and not just management and consultants.
Another important consideration when embarking on the journey of implementing an ISMS is the time commitment that will be required. On average, companies will need between 8 and 12 months to create and implement a basic ISMS that will meet the requirements of the Standard for certification. However, this is just the beginning of the time commitment: operating and improving the ISMS on a daily basis will, depending on the organisation’s size and the complexity of the ISMS, require approximately a quarter of an average employee’s time.
For certification audits, it is important to be able to show this commitment from senior management, as well as the time commitment to operating the ISMS.
When it comes to external audits of your ISMS by an accreditation body, there are many important things to consider, such as:
To reap the benefits and avoid the pitfalls of ISO 27001 implementation, your organisation may need external expertise. At Conosco, we specialise in ISO 27001 consultancy. Why not contact the Conosco Security Division today for a free consultation? securitydivision@conosco.com