Areas to look out for when seeking ISO 27001 certification


ISO 27001 demonstrates that your organisation takes information security seriously. What is more, achieving certification in this globally recognised standard enhances your reputation and delivers significant business opportunities. That is because the standard is written to assist businesses in protecting their information which, essentially, lowers the risk for other people of doing business with you.

Undertaking ISO 27001 compliance can be a rather intimidating prospect. It is, however, completely achievable.  To aid in the process, here are three key areas to be aware of:

1. Risk Assessment

Understanding and evaluating the risks to your company’s data is the first step, and an important one. The ISO 27001 standard requires risk assessments to be conducted based on the risk to the data held. This demonstrates that you have assessed the risks and calculated the effect of mitigating actions on those risks. The standard also requires other forms of risk management to be in place to address company and architecture security risks on an ongoing basis.

Risk assessments do not have to be complicated or time consuming. By scoring the impact on the confidentiality, integrity and availability of information and multiplying that score by the likelihood, you can determine an overall risk score or rating. Then, by identifying mitigating actions that reduce the likelihood or the impact, or both, you can re-score the risk and the risk rating will fall.

2. Project Management 

ISO 27001 also requires the design and implementation of a comprehensive suite of information security controls. It may be easy to believe that because ISO 27001 relates to cyber security that only the IT department needs to be involved. However, gaining certification will involve input from a variety of departments. In some cases, these departments will be in different locations. It is therefore advisable to have a dedicated project manager who can oversee the entire process.

Developing and co-ordinating a project plan centrally will keep all departments involved on track and help them to understand what is needed from them. Failure to do this may result in slow progress from one specific area, and the impact of this could mean a delay in the entire project. 

For the whole certification process to be conducted in the most cost-effective way it should be correctly scoped at the outset. This requires a specific set of skills and relevant expertise so the appointed project manager may benefit from expert professional assistance from an ISO 27001 consultant. This is comparable to the finance director receiving guidance from the company accountant or the legal team being supported by a corporate lawyer. 

3. Communication within the company

To further improve the process, it is important that everyone involved understands the reasoning behind, and the requirements for, seeking ISO 27001 accreditation. Good communication and a well-thought-out project plan will engage the relevant managers, stakeholders and key personnel and encourage them to respond within the required timeframes.

It may be that the changes needed will cause upheaval to the processes and procedures used by a department for years. Those impacted by this change may well be reluctant, which is why communicating the reasoning behind any change is crucial. 

In addition, to gain ISO 27001 certification, a business needs to conduct a gap analysis, identifying where it may be missing specific policies or procedures. It can, however, be a challenge to do this without external support because those who work closely with a system are often overly familiar with it and therefore less likely to spot the omissions. Communication underpins the process, ensuring that all stakeholders are engaged with and committed to the process and prepared to allocate an appropriate budget for the exercise. 

Finally, if you wonder whether ISO 27001 certification is a necessary undertaking, ask yourself this: who would you rather do business with, an organisation that is demonstrably committed to data security or one that isn’t?
