Navigating the challenges of implementing an ISO/IEC 27001 based ISMS

  • Blog
  • February 13, 2024

Companies across sectors are currently wrestling with several cybersecurity challenges at once. How to implement new cybersecurity regulations? How to respond to new, emerging cybersecurity risks? How to answer clients' questions about security practices? It is easy to get overwhelmed with new regulation: learning the contents, evaluating the impacts and driving an implementation programme throughout the organisation. Additionally, the threat landscape has taken a turn for the worse, and more visibility into and understanding of the company's security posture is required. Clients and business partners are increasingly aware of cybersecurity risks and expect companies to do their part in securing data, business operations and products. Companies with an information security management system (ISMS), preferably an ISO/IEC 27001 certified one, have a critical advantage both in onboarding these new requirements and in addressing emerging threats.


If you are still considering implementing an ISMS, or certifying the system you already have, we encourage you to take the next step: with the right approach it is truly easier than commonly believed.

Information security is a continuous and dynamic process that requires constant attention and improvement. Companies face various threats and challenges that may compromise their critical business processes: cyberattacks, natural disasters, human errors, malicious insiders. These can have serious consequences for the organisation's reputation, performance, compliance and sustainability. The regulatory changes mentioned above, together with competitive pressure, add another set of expectations: how do you build trust among your clients and partners, how do you ensure that you can operate according to the security expectations of the market, and how do you gain a business advantage over your competitors? Globally, several markets and countries have specific expectations for security, and one recognised way to demonstrate that you meet them is to certify your ISMS according to the ISO/IEC 27001 standard.

In the past few years, we have seen tremendous growth in the number of companies implementing and certifying their information security management systems. ISO/IEC 27001 is a widely recognised and well-known standard to follow when planning your ISMS. It provides a comprehensive and flexible framework for establishing, implementing, maintaining and improving an ISMS that is tailored to the company's context, needs and objectives. The certification provides credible and globally recognised evidence of the organisation's information security capabilities and maturity.

ISO/IEC 27001 fits all companies regardless of size or sector. It is also aligned with other ISO standards that many companies may already use (e.g. ISO 9001 for quality management) and with standards you may want to adopt later for additional topics (e.g. ISO 22301 for business continuity, ISO/IEC 27701 for privacy information management, ISO/IEC 27017 for cloud service security controls). Other global standards and frameworks (e.g. NIST CSF, CIS Controls) can be used alongside ISO/IEC 27001 to support implementation, evaluation and reporting.

Of course, an ISO/IEC 27001 certified ISMS does not automatically make you more secure. But it does provide you with a structure to continuously observe, improve and evaluate your level of security. The framework also provides a set of tools, methodologies and best practices to use in your daily security work. Turning the ISMS into a business advantage requires additional effort: with continuous communication about the security work, you can raise the awareness of your personnel. By gaining better visibility into risks and controls through the systematic risk management process, you can focus your security investments more effectively. The biggest advantage is the business benefit of being able to demonstrate a systematic, certified approach to security to your clients and business partners.

Some companies take the approach of not certifying, but loosely aligning with the ISO/IEC 27001 standard. This often leads to a state where things are "almost implemented". You might have the mandatory documentation or some processes in place, but the security controls are not systematically implemented nor based on the actual risk posture. There might even be a mismatch between the actual risks and the security controls, if this has not been considered systematically. Since only implemented security controls have an effect on the actual security status, we encourage all companies aligning with the standard to go the extra mile: fully implement the controls and measure this by going through the certification process.

What to consider when starting your ISO/IEC 27001 certification journey?

We have had the pleasure of supporting a number of companies on their ISMS journey. Based on our experience, we have noticed some common factors that contribute to effective ISO/IEC 27001 implementations. When starting your journey, consider these a good starting point for the road ahead:

  • Reasonable scoping is the key question for an ISO/IEC 27001 programme. The chosen scope should promote business benefits in the form of increased trust and market visibility, so putting the focus on client services or products is often an obvious choice. However, in smaller companies, where e.g. the IT infrastructure is shared, it is often reasonable to aim for a full-scope certification of the whole company. It is all about effort and reward: consider a scope wide enough to gain business benefits, but narrow enough to be doable within your desired schedule and resourcing. Spend some time on this internal discussion about the scope, and find a sparring partner who has done it before.
  • Understanding the objectives is a crucial part of planning. It is important to ask: where do we want to be when it comes to security? Are we aiming to be at the top of the class among our peers? Is our main goal to "just" get certified? The answer sets the frame for the whole project and may affect the scoping discussions as well.
  • Building commitment to the cause takes a significant amount of communication and awareness work. Make sure to include your key stakeholders in discussions on "why should we do this", "what's in it for our business" and "what added value does this bring to our company". Provide a realistic view of the effort and the work required during the project as well as after the certification. Once you have the key stakeholders behind you, you have a common understanding to rely on through the project's highs and lows.

What are the common pitfalls in the ISMS journey?

Some companies find ISO/IEC 27001 certification more intimidating than it really is. There are some common challenges that companies face and that may discourage them from seeking certification. Companies often have difficulty setting up appropriate and relevant documentation, dealing with the complexity, and moving forward to implementing a certification-ready ISMS.

Inadequate documentation

One common pitfall for organisations is the lack of documentation. Most IT professionals have experienced this gap to some extent. It might be a remnant of old business or IT practices, where documentation was not given much significance. It might also be that the ways of working have shifted towards an agile, constantly changing mode with little or no long-term standards guiding the work. The ISMS should be aligned with your ways of working, agile or not, but ISMS documentation is still the backbone of your management system.

Documentation is not just about creating policies, procedures and records; it is about ensuring that the organisation has defined processes and is able to manage information security throughout the organisation. Documentation helps to establish a common understanding of the ISMS among stakeholders, communicate roles and responsibilities, demonstrate compliance with requirements, and provide evidence of the effectiveness and performance of the ISMS. It should not be seen as a burden or a bureaucratic exercise, but as a valuable tool for achieving and sustaining information security. If you have no documentation to form the backbone of your ISMS, you are in ad-hoc mode, operating on case-by-case consideration and relying on individual experts to be your company's collective memory.

However, documentation should always have a purpose and a clear use case. Solid documentation practices with supporting tools can drive a positive change in the ways of working across the organisation: documentation becomes a way to manage security, demonstrate progress and achievements, and ensure continuous improvement. There are also several modern tools to help you document your processes, workflows and evidence of control activities; pick the ones that suit your company best.

Complicated management caused by many moving parts

The ISMS should not be perceived as a difficult or complex project, but as a feasible and rewarding one. Within an ISO/IEC 27001 implementation you need things to happen on many levels: the strategic level (e.g. development of policies and decision-making practices), the tactical level (e.g. coordination with enterprise risk management practices) and the operational level (e.g. guidelines on how controls are implemented throughout the chosen scope). Additionally, the scope includes several functions outside the traditional IT focus, e.g. HR, premises management and business stakeholders. In short, this is not an IT effort but a shared one across the company. As with any development initiative, effective project management and enthusiastic personnel go a long way, and we have seen multiple success stories where the people were the key to making it happen.

Complexity can be managed by recognising that the standard provides a clear and structured framework to follow, but also allows the company to choose the most suitable and effective controls for its information security risks, based on its own assessment and evaluation. True learning and development happen when we start figuring out what is important to our business and how we want to tackle the risks, rather than following the standard as a generic manual for security. ISO/IEC 27001 does not prescribe a one-size-fits-all solution, but a customisable and scalable one.

Taking the next steps towards improved information security

While it may seem contradictory, implementing a structured approach to information security management actually gives you the freedom to plan and implement your own way of improving and developing security. A standardised framework lets you focus on what is relevant: minding the risks that are specific to your business, meeting your set objectives and building a security culture that fits your company. Once fully implemented, you can rely on continuous processes and an annual clock of regular activities that provide the frame for onboarding new requirements and addressing emerging threats as they arise. At the same time, security is no longer only the concern of the CISO or the cybersecurity team: colleagues across functions look after their own security responsibilities and tasks.

To achieve certification, we recommend a realistic but ambitious schedule, in order to keep the positive momentum throughout the programme. Depending on the current ISMS readiness and maturity as well as the chosen scope, we have found that implementing an ISMS and achieving ISO/IEC 27001 readiness typically requires a project phase of roughly one calendar year. Our recommendation is to have someone on board with the right experience, who can point out the quick wins, common pitfalls and success factors of this kind of project. Over the past years we have walked alongside our clients on their ISMS journeys, and I am happy to say that all of them have been successful, in more ways than just achieving the certification.

Contact us

Anne Hintzell

Cybersecurity & Privacy Services, PwC Finland

Tel: +358 (0)20 7877148