ISO 27001 & ISO 22301

I noticed that many people running ISO 27001 projects who have downloaded documentation templates think “I have the templates now – the rest is easy. I’ll write a few documents, show them to auditor, and it’ll be over in a few days”.

Unfortunately, it’s not that easy. Here’s why:

1. Writing the documentation requires time and effort

You shouldn’t write the documents just for the auditor to read them – you should write them because you want to define some rules for your organization.

But if you want your documentation to be useful, you have to adapt it to the realistic needs of your company. It probably doesn’t make sense to create a rule to change passwords every month, but it might make sense to change it every 3 or every 6 months – so you have to find out what is appropriate for your level or risks and for your organization.

Further, some documents are rather complex, and require certain knowledge to write them – for example, to perform the risk assessment first you need to write the Risk assessment methodology. If such a methodology is not suited for your organization, your employees doing the risk assessment may end up spending an enormous amount of time, to eventually realize that you could have done it in a much quicker and more efficient way. On the other hand, you may choose to take shortcuts, and by doing so omit some of the requirements of ISO 27001 with the result of failure at the certification.

So you need to invest time and effort in your education, and in the analysis of your company.

2. Documentation without implementation is nothing

Once you finish writing, you realize the documentation doesn’t make any sense if those rules are not really applied in your organization. In other words, having perfect documents alone isn’t going to raise your level of security.

But the problem is – if you want to implement new rules, you have to change habits in your organization. And changing habits isn’t easy, especially if it means restricting the freedom that employees enjoyed until now (and this is what security rules usually do). Taking again the example of password policy – if no such rule existed before and suddenly you ask your employees to change passwords every 3 months, they certainly won’t be happy. Moreover, they will look for ways to avoid such a rule.

So, besides making sure this rules makes sense from a security point of view, you have to explain to your employees why it is necessary, and in case of some more complex rules you will have to explain how to do it. These are called awareness and training programs, without which you will have high chances that your employees will simply reject such a change. And these programs also require time and effort.

3. Maintenance is often neglected

Most of the companies that have completed the documentation and implemented all the rules and processes, start forgetting about the documentation – new issues keep occurring that change how things are done, but that fact is not reflected in documentation. As a consequence, more and more people notice that documents are not useable anymore, and this in turn results in less and less people adhering to them.

This happens if no one is in charge of documentation maintenance – good practice says that for each document an ‘owner’ should be designated, a person who is responsible for keeping it up-to-date. But again – this requires time and effort.

Therefore, purchasing your documentation templates is not the end of your information security journey – it is just the beginning.

You can also check out our series of video tutorials for ISO 27001 implementation which explain how to fill in the documentation templates (commercially sold videos).

If you think your management doesn’t have a clue what information security is all about, keep in mind that misunderstanding usually goes both ways: management often thinks you have no idea about what is appropriate for the business.

So before suggesting to your management to start implementing your information security / ISO 27001 project, you should learn about your management’s way of thinking. Here are the five main concerns your management will have when you approach them:

Is it really necessary? You have to be prepared to present the main benefits of information security, because otherwise the management won’t understand its purpose. In most cases you can choose among the following benefits: (1) Compliance with various legislation and contractual requirements etc., (2) Achieving competitive advantage in the marketplace, (3) Lowering expenses by decreasing the number of incidents, and (4) Optimizing your business operations by clearly defining tasks and responsibilities. Read more on these four benefits here: Four key benefits of ISO 27001 implementation.

Does it fit into our company strategy? Strategic fit is very important for your top management – one of your management’s primary concerns is how to keep your company competitive for a longer time period. Therefore, you have to do your homework – find out how information security can underpin certain elements of your company’s corporate strategy.

How to decrease the costs? One of the most misunderstood aspects of information security is that most of the problems (i.e. incidents) happen not because of technology, but because of human behavior. Therefore, most of the investments needed will be in defining new policies and procedures, and training and awareness programs which will prevent such incidents from happening – such investments are usually far cheaper than new technology.

Sometimes, investment in technology will also be needed – in such cases you can try to calculate the Return on Security Investment. For instance, you might try to calculate the damage that would be caused by a fire, and calculate the investment needed to prevent such damage. Just be sure not to exaggerate here, because you’ll lose your management’s confidence.

How to make sure we’ve achieved what we wanted? First of all, you need to help your management set very clear objectives – usually, those objectives will derive from the four benefits mentioned above. The second step is to set up a measurement system which will define how to measure whether the company achieved the set objectives; that system must involve clear responsibilities of who will make the reports, in which form, and who is going to read them and interpret them. Finally, a system must be in place to correct all the deviations from the objectives (be sure that such deviations will certainly happen).

What risks are involved? Management usually wants to know what is the likelihood of failure of the investment they have made. Here you need to explain to them the balance between the risks you will identify during the risk assessment and the security measures your company will invest in – the higher the investment, the smaller the chances that something will go wrong. Of course, overinvesting is not a solution, and this is why you need to leave the decision about acceptable risks to the management – your role is to present them the risks and potential security measures in an objective manner. The decision what to do with those risks is up to the management.

The point here is – the problem is not that management doesn’t want to invest in information security, but that it is either uninformed about it, or that you cannot speak the same language with your management.

By understanding the five basic issues your management is concerned with and by establishing appropriate communication with them, you’ll dramatically increase your chances for your information security project.

You can also check out our webinar ISO 27001 / BS 25999-2 management responsibilities: What does management need to know? (commercially sold training).

You have already implemented ISO 9001? You have heard that ISO 27001 might be a good idea? But how can something that has to do with quality help you implement information security?

It can, more than you may think. ISO 9001 specifies how the quality management systems (QMS) must look like, while ISO/IEC 27001 specifies the information security management systems (ISMS). Therefore, the “management systems” part is the same – so what is it actually?

The philosophy of management systems has grown from the theory developed by W. Edwards Deming during the second half of 20th century, and is based on the Plan-Do-Check-Act cycle. Basically, this cycle consists of the following: in the Plan phase you have to plan what you want to achieve with the management system, in the Do phase you implement it, in the Check phase you constantly monitor whether you have achieved what you planned, and in the Act phase you make improvements, i.e. fill the gap between what you have planned and what you have achieved.

Although this cycle was invented with quality management in mind, it was established as a foundation for all other management systems – information security (ISO/IEC 27001), environment (ISO 14001), business continuity (BS 25999-2), etc. It means that some of the elements you have implemented for the quality management system according to ISO 9001 you can use for the information security management system as well – here is the list:

• Document management – the procedure used for document management in QMS can be used for the same purpose in ISMS, with only minor adjustments
• Internal audit – the same procedure can be used for both QMS and ISMS, although the internal audit itself would usually be done by different people since it is not very likely that one person would have deep enough knowledge of both information security and quality
• Corrective and preventive actions – the procedure used for QMS can be used for the same purpose in ISMS, although it is likely that different persons will be solving issues related to QMS or ISMS
• Human resources management – the same cycle of HR planning, training and evaluation is used for both management systems; naturally, the difference is in the profile of needed skills and knowledge
• Management review – the principles for management review are the same for both management systems; although it would not be recommendable to perform both reviews in parallel, management will already be accustomed to making decisions in QMS, so they will have better understanding of how to make decisions in the context of ISMS
• Setting the business goals and tracking whether they have been achieved – the same mechanism is laid down in both standards, so management will be used to such systematic planning

Therefore, if you have already implemented ISO 9001, you will have an easier job implementing ISO 27001 (and vice versa) – you could save up to 30% of time. Further, you will have cheaper certification audits since certification bodies are offering the so called “integrated audits”, which means they will do both ISO 9001 and ISO 27001 in the same audit, charging you a smaller fee compared to separated audits.

If your QMS is functioning well, you will find your ISMS project developing rather smoothly – management will have better understanding of potential business benefits, while all organizational units will be accustomed to the necessity of defining precise procedures, responsibilities and documentation.

Having a QMS indeed provides very good foundation for information security – if you already have ISO 9001, do give a serious thought to ISO 27001.

You can also check out our free webinar ISO 27001 implementation: How to make it easier using ISO 9001.