ISO 27001 is a widely recognised international Information Security Management Standard. It defines a set of controls for organisations to follow, and against which internal and external (certification or surveillance) audits can be carried out, and the organisation’s compliance with the standard can be assessed.
A standard that can trace its origins back to 1995, where it was referred to as the British Standard 7799, it has continued to evolve over the years to take into account the latest technologies and trends. In 2013 the latest revision of the standard was published, entitled ISO 27001:2013, the update taking into account the current digital climate and what is needed to protect client’s data within it. Among other changes, the structure of the updated standard has been designed to align more closely with other ISO Management Standards.
You may also have seen ISO 27002, which has the same controls as ISO 27001. However, while ISO 27001 is a basis for certification, and contains a single sentence for each control, ISO 27002 cannot be audited and provides best practice recommendations on how to implement each control.
We recently sat down with Hytec’s Senior IG Consultant, Robin Ingram, to discuss the certification for commercial organisations and the common pitfalls he sees, focusing on how you can overcome them. Robin has worked with Hytec for the past 12 years and has helped a number of organisations with the implementation of the ISO 27001 standard.
A Comprehensive System
The ISO 27001 ISMS is a comprehensive management system. Before implementing you need to be absolutely sure that it is right for your organisation as it is a long and very in-depth process to undertake. You have to be absolutely sure that it fits your organisation and will align to your business needs.
A number of companies out there can provide certification to the ISO 27001 standard, but regardless of the company that you choose, we would recommend using a UKAS accredited organisation.
UKAS are the national body for the accreditation of testing and calibration laboratories, certification and inspection bodies.
The standard doesn’t explicitly say what you should do or how it should be implemented. For this reason it is recommended that those looking to implement should attend a course on the subject. This should be considered a priority.
Courses are available to cover various aspects:
1. Requirements of the standard
2. Management briefing
4. Lead implementer
6. Lead auditor
These courses may be conducted in-house or classroom based. You may decide to start with an in-house requirements course or management briefing so you have a team that understands the implications and scale of the project before defining the scope, management group and individual responsibilities.
It is essential that you get the buy-in of the organisation’s senior management before setting out on the implementation journey. With such a comprehensive system everybody needs to be on board and understand why the organisation has chosen to implement. It will be part of everyone’s job to comply with the standard and maintain records. Audits will be based on random samples of records and documents, alongside various members of staff. The auditor will choose the members of the organisation that he or she wants to speak to and it is therefore essential that everybody is on board and understands their responsibilities.
Remember that the clue is in the title. ISO 27001 is an information security management system, not IT security. The standard covers all forms of information, all types of storage, all forms of processing and all methods of transmission.
Why implement the standard
There are many business benefits in having the ISO 27001 certification. More and more organisations (especially those in the Public Sector) are including certification as a requirement for tenders. Without it, you may not even get through the pre-qualification stage.
A well implemented management system, defines structure and standards for organisation governance; records management; process and staff management and also helps the organisation to demonstrate compliance with legislation, regulation and contractual obligations. This applies not just to ISO 27001, but also to other ISO Management standards such as ISO 9001 (Quality Management).
The Executive and Senior Management teams need to be satisfied that they will not get any nasty surprises. An organisation with a strong Information Security Management System, with clear standards; policies; leadership, training and awareness programmes is less likely to have a data breach, and will know how to address it if it does occur. The updated version of the Data Protection Act – the General Data Protection Regulation will require organisations to take a pro-active approach to privacy with data protection by design and default. Money, time and effort spent on building an effective Information Security Management System should bring efficiency benefits and could avoid a costly Information Commissioner’s Office (ICO) fine in the event of a breach.
Why certification, why not compliance?
Many organisations assume they have a good security ethic and claim to comply with standards such as ISO 27001. Some may.
The only way to really demonstrate compliance is a certificate from an external certification body. This is a global standard so choose your certification body wisely; some of the certification bodies cover several countries, which will allow a single certificate across an organisation’s multi-national locations.
See: https://www.ukas.com/search-accredited-organisations/ for more information.
· Lack of leadership and support
The ISMS is an important component of the organisation’s governance. Its most important resource is time. Staff must be given time to implement the system; Management must take the time to manage; monitor; review and approve the system, providing support to those who are implementing it. The right people should be given the responsibility of implementing the system – remember as previously mentioned; this is an INFORMATION management system, so should not just involve the IT team. Developing and managing an ISMS is not an add-on to be done when there is time to fit it in beside the Proper Job– it is a key part of the Proper Job and must be given the appropriate priority.
· Inappropriate scope
It’s a common error to try to go too big or too small with the scope. Think about WHY you are going for the standard. If compliance is needed for a team, group or service, do you need to cover the whole organisation? Decide which departments contribute to the in-scope functions and then define boundaries. If you have attended a Requirements course or Management Briefing you will be better placed to make these decisions.
· Ineffective planning
Having obtained management commitment and support, defined the scope and identified roles and responsibilities, you are ready to start.
The first questions are:
1. Where are we going? – scope and objectives
2. Where are we now? – gap analysis
3. How do we get from here to there? - plan
As I have said before, the standard does not tell you what to do, just what to address. Think about controls as subjects to be addressed. Ensure that the implementation of the standard is appropriate to your organisation, activities and culture. Every organisation is different so think about fitting the standard into your organisation, and not redesigning the organisation to fit the standard.
· Not following through
Once you have prepared and approved your standards, you need to follow them. This is not a one-off activity, designed and left on the shelf. Once established, it should be part of the organisation’s way of life. Retaining the certification needs demonstration of ongoing compliance with the standard with a programme of internal audits; regular management group meetings; reviews; ongoing plans and continual improvement.
To avoid these common pitfalls you need to ensure that the appropriate people are included from the start. Embed the ISO culture into the organisation from day one. Get everybody involved in the decision making process and ensure that people turn up to meetings. Simply ensuring that these aspects are adhered to will go a long way to ensuring a successful implementation.
Working in partnership
Time is an important factor with most things in the 21st century. With security it is an essential consideration as breaches can occur in seconds. In terms of the organisation and getting up and running as quickly as possible, you need to manage people’s time effectively, ensure that meetings discuss what is needed and agree action points. Ensure that people don’t feel overwhelmed by the process and understand what they will be doing and why. This is important and you need to give people the opportunity to ask questions and get clarification if needed.
You need to set clear boundaries and rely on others to address security and training where required. You need to ensure that all departments are on board and are able to manage their part of the process in your absence. For example, you need to be happy that the Human Resources knows which part of the ISO standard applies to them to avoid being penalised during audits. The same will also apply to 3rd party providers.
It is essential that any document templates that you use are from trusted sources. Only use downloaded templates if you trust where they are coming from. The documents must be personal and work with your organisation. This is important because a set of documents from a technology company may not suit the needs of a medical supplies company.
For more information regarding the full range of Information Governance services that Hytec can offer your company and details of our NHS N3 compliance services, please visit our website or contact us to arrange an appointment.