If you followed our previous article about whether ISO 27001 will benefit your organisation, you may, by now, have evaluated your strategic security goals and hopefully have a better idea of whether ISO 27001 might help you. For a little extra help with your decision about whether or not to get certified, let’s look at some common issues and decision points with ISO 27001.
Do you have the skills?
Think about whether your in-house team have all the business change skills to ensure that the standard is implemented effectively. Be honest about whether they have sufficient leverage in the organisation to push through change. You should also assess whether the staff in the IT and other teams have the right background, training and experience.
ISO 27001 is a framework, i.e. a toolkit that helps you to manage information security and implement governance, processes and technical controls. It may, however, be a good idea to engage an experienced professional, unless you’ve done it before.
Consider engaging an expert
If you don’t believe they have the necessary capabilities, look to engage an expert, at least for the planning analysis phase of the implementation project. Alternatively, engage your HR department and discuss training existing staff members. This will increase the implementation project timescales, but having in-house skills does have long-term benefits. If you use an external consultant, once your certification is in place, they can help you keep abreast of changes. Your external ISO 27001 certification body (e.g. BSI) will also be able to help you keep your ISMS up to date through annual surveillance visits.
Is ISO 27001 a bit of a black box?
One criticism of ISO 27001 is that it’s a bit of a black box for outsiders. An ISO 27001 certificate only shows you the company name, the description of the services and the period of validity of the certificate. What it won’t tell you about are the issues that the auditors found, the number of security incidents that typically occur and whether they were preventable, or the control measures that the company has implemented.
Customers and other stakeholders can, and do, ask about these things in addition to reviewing the certificate, but it can sometimes be difficult to see risk/issue logs and audit findings as they are usually confidential.
Does ISO 27001 restrict flexibility?
In an agile environment, it can be very challenging to implement ISO 27001. ISO standards typically build on repeatable processes and controls, which can be at odds with a flexible approach. People who work in such environments often see day-to-day operations and processes as uninteresting and restrictive, and as curtailing the freedom to act. They see the real challenges as lying in project work.
ISO 27001 can work in an agile environment, but the documented management system needs to be light on process and focus more on policy, i.e. clear on what must happen, not necessarily prescribing how it happens, and accepting it can happen in different ways on different occasions. It does mean you need a clear picture of how you evidence that policy requirements have been met.
ISO 27001 and top management involvement
This is the one ISO 27001 implementation fact that everyone trots out. That’s because it’s true. Top management must be involved in the ISO 27001 certification process and oversee the ongoing maintenance. ISO 27001 is not a quick fix for operational issues. Management needs to stay abreast of security requirements, provide resources and be willing to act when problems arise. Without this, it’s not really worth starting.
Ultimately, ISO 27001 is an excellent tool to help your organisation manage information security issues. But, as with any tool, you must carefully assess whether it fits your needs. Be clear about what you are trying to solve, the capabilities and characteristics of your organisation and the environment in which it operates.
If you are considering implementing ISO 27001 or need assistance with any aspect of Information Security or Cyber Security, please feel free to get in touch with us at KRYPSYS via our Contact Us page.