ISO 27001/BS 25999 documents, presentation decks and implementation guidelines



5 ways to avoid overhead with ISO 27001 (and keep the costs down)

By Dejan Kosutic on June 19, 2012

There are probably two main thoughts managers have when starting ISO 27001 implementation:  (1) we’ll pay quite a lot of money for something we’re not sure is worth it; and (2) the annoyance of maintaining such a system will cost us even more.

Yes, ISO 27001 does require an investment, but I would strongly argue that such investment pays off very quickly (see Four key benefits of ISO 27001 implementation). The bigger problem here is this: how to minimize the costs of running such a system, especially the time required of employees that have to “lose time dealing with all that documentation.”

And yes, I do agree that very often large quantities of documentation, or inappropriate documentation, are a problem – it simply takes too much time to comply with it (and to maintain it) without any obvious benefit. Therefore, here are 5 simple principles you should bear in mind when developing your ISMS:

Don’t get too ambitious

Basically, create only the documents you really need – if you’re a company of 10 employees it is not likely you’ll need a written description of the operating procedure for a security committee.

How would you know which documents are needed? You should start from ISO 27001 clause 4.3.1, where all the mandatory documents are listed (see also Mandatory documented procedures required by ISO 27001); add to these the documents required by other interested parties (legislation, agreements with clients and partners, etc.), and those for areas that are very complex or very risky – they normally need policies/procedures to define operating rules.

Bottom line is – the purpose of documentation is to serve your company, to describe the processes to your employees – not to satisfy the certification auditor.

The documentation should be written by those who will be using it

Not only do you need to avoid unnecessary documents, you also need to avoid unnecessary content in required documents. Very often I see consultants or security experts pushing too much text into a document that could have been much shorter (and easier to comply with).

It would be best if the documents are written by the employees who will be using those documents in day-to-day operations – they will make sure all the unrealistic parts are removed because otherwise they would make their own lives miserable.

Get commitment in the early phase

And having miserable employees is the best way for them to start avoiding compliance with such documents, which will contribute to the general consensus regarding the “needlessness of such documents.”

To avoid such an image, besides including the employees in writing the documents, it is also important to run awareness and training programs – such programs should run parallel to the implementation of documents/controls, because once documents/controls are implemented (without proper preparation), the image could already be turned irreversibly in the wrong direction.

Maintain the documentation

Did you ever try observing an outdated procedure? Pretty much a time-wasting experience, wasn’t it? To avoid this, you need to make sure your documentation is up-to-date – to achieve that, these elements need to be in place: (1) each document should have an owner who should periodically check whether the document needs to be updated; (2) regular and thorough internal audits should find irregularities in the documents; and (3) corrective and preventive actions should be effectively implemented so that all nonconformities are continuously eliminated.

Measure if you achieved what you planned for

Measuring information security effectiveness is still considered to be something almost mystical; above all, it is thought of as THE overhead.

But I would argue differently – if you cannot prove that information security makes sense, it will always be perceived as an overall overhead, won’t it? So in my opinion it does make sense to set some clear objectives (they don’t have to be numerous) and occasionally check whether you have achieved them. Such checks don’t have to take too much time, especially if you already have some kind of Balanced Scorecard in place – and they will show very vividly to your top management whether the investment in ISO 27001 did make sense. If it did, they will make an even greater effort to support it.

Here you can download a free preview of the ISO 27001 Documentation Toolkit.



The documentation myth – Why the templates are not enough?

By Dejan Kosutic on April 24, 2012

I noticed that many people running ISO 27001 projects who have downloaded documentation templates think: “I have the templates now – the rest is easy. I’ll write a few documents, show them to the auditor, and it’ll be over in a few days.”

Unfortunately, it’s not that easy. Here’s why:

1. Writing the documentation requires time and effort

You shouldn’t write the documents just for the auditor to read them – you should write them because you want to define some rules for your organization.

But if you want your documentation to be useful, you have to adapt it to the realistic needs of your company. It probably doesn’t make sense to create a rule to change passwords every month, but it might make sense to change them every 3 or every 6 months – so you have to find out what is appropriate for your level of risk and for your organization.

Further, some documents are rather complex, and require certain knowledge to write them – for example, to perform the risk assessment first you need to write the Risk assessment methodology. If such a methodology is not suited for your organization, your employees doing the risk assessment may end up spending an enormous amount of time, to eventually realize that you could have done it in a much quicker and more efficient way. On the other hand, you may choose to take shortcuts, and by doing so omit some of the requirements of ISO 27001 with the result of failure at the certification.

So you need to invest time and effort in your education, and in the analysis of your company.

2. Documentation without implementation is nothing

Once you finish writing, you realize the documentation doesn’t make any sense if those rules are not really applied in your organization. In other words, having perfect documents alone isn’t going to raise your level of security.

But the problem is – if you want to implement new rules, you have to change habits in your organization. And changing habits isn’t easy, especially if it means restricting the freedom that employees enjoyed until now (and this is what security rules usually do). Taking again the example of password policy – if no such rule existed before and suddenly you ask your employees to change passwords every 3 months, they certainly won’t be happy. Moreover, they will look for ways to avoid such a rule.

So, besides making sure this rule makes sense from a security point of view, you have to explain to your employees why it is necessary, and in the case of more complex rules you will have to explain how to do it. These are called awareness and training programs, without which there is a high chance that your employees will simply reject such a change. And these programs also require time and effort.

3. Maintenance is often neglected

Most of the companies that have completed the documentation and implemented all the rules and processes start forgetting about the documentation – new issues keep occurring that change how things are done, but that fact is not reflected in the documentation. As a consequence, more and more people notice that the documents are not usable anymore, and this in turn results in fewer and fewer people adhering to them.

This happens if no one is in charge of documentation maintenance – good practice says that for each document an ‘owner’ should be designated, a person who is responsible for keeping it up-to-date. But again – this requires time and effort.

Therefore, purchasing your documentation templates is not the end of your information security journey – it is just the beginning.

You can also check out our series of video tutorials for ISO 27001 implementation which explain how to fill in the documentation templates (commercially sold videos).




ISO 27001 certification for persons vs. organizations

By Dejan Kosutic on March 26, 2012

Very often when I deliver free webinars on the topic of ISO 27001 certification, I notice that quite a few people expect help with their personal certification related to ISO 27001, while the webinar is focused on the certification of organizations.

This kind of misunderstanding is not entirely unexpected since many certifications in the security domain (e.g. CISSP, CISA, CISM) are focused on the certification of persons, and have nothing to do with organizations.

So, is ISO 27001 certification intended for organizations or persons? Actually, both.

Certification of organizations

ISO 27001 is a management standard that was initially designed for the certification of organizations. The system works like this: companies (or any other type of organization) develop their Information Security Management System (ISMS), which consists of policies, procedures, people, technology, etc., and then invite a certification body to check whether their ISMS is compliant with the standard – this check is done during the so-called certification audit.

If the certification audit is successful, the certification body will issue a certificate which will state that the organization in question is compliant with ISO 27001.

In this case the employees working at that organization are not certified, although it has been confirmed they behave according to the standard. To read more about certification of organizations read this article Becoming ISO 27001 certified – How to prepare for certification audit.

Certification of persons

However, the whole industry related to ISO standards (certification bodies, consultants, training institutions, etc.) soon realized that if there are no qualified employees who would develop and maintain the management system, the whole concept would fail.

Therefore, very much like ISO 9001, ISO 14001 and other management standards, various trainings have been developed for individuals who need education on ISO 27001. There are now dozens of different trainings for individuals, lasting from a few hours to a few weeks – for an overview read this article: How to learn about ISO 27001 and BS 25999-2. The most recognized trainings are the ISO 27001 Lead Auditor Course and the ISO 27001 Lead Implementer Course, but only the former leads to an internationally recognized certificate (issued under the accreditation of institutions like IRCA or RABQSA).

This way the individuals that attend the training and pass the exam obtain the certificate that is issued to their name. But even if all the employees at a company were certified, this still doesn’t mean that the company itself would get the certificate – there is quite a big difference between certification of persons and organizations.

So ISO 27001 does offer various possibilities for certification, unlike any other standard in the security domain. The best, of course, would be to pursue both certifications – certify your personnel so that they can help your organization develop and maintain an adequate level of security, and certify your company so that the training of the individuals is done systematically and according to realistic security needs.

You can also check out our series of ISO 27001 webinars that will teach you the basics of ISO 27001.


Lessons learned from ISO 27001 implementation

By Dejan Kosutic on March 12, 2012

Many readers of this blog asked me to present a real-life experience of ISO 27001 implementation in a company. Since I would be too subjective if I started writing my own impressions, I decided to interview my clients – Dragomir Perica and Ivancica Ljubic from Dabar informatika d.o.o., a company specialized in banking software development, with presence in South East Europe.

Q: Why did you start the ISO 27001 project?

A: The first reason is because the Croatian National Bank (regulator of the banking market) required us to do it – to comply with the best security standards. The second reason is that we wanted to do it because it makes perfect sense in our case – we wanted to brush up things in our company. For example, among other things, we are promoting security features to our clients, so it is important for us to act in the same fashion; besides, our IT personnel needs to perform a lot of tasks, so it is important to define rules to avoid the situations where big problems could occur.

Q: What were you most afraid of when you started the project?

A: How much time it would take, how much the existing system would be usable, and overhead. Regarding the time, we were afraid of how much time our team would need to invest in such an implementation, and how much time we (the top management) would need to spend on it. We were also afraid of the gaps we would find between what we had already developed and what the standard requires. Maybe the greatest concern was that the standard requires quite a few documents, so the challenge was how to align those documents with our way of doing business, without getting new and unnecessary tasks – we had this negative experience with ISO 9001 implementation, where we had to write some documents because of the standard itself, with no practical use.

Q: So did ISO 27001 bring you the overhead?

A: No, or to be more precise – the overhead is considerably lower than with ISO 9001. In the case of ISO 27001 we have managed to avoid it because we have set the processes and the documentation in a useful way.

Q: What were the greatest problems in the ISO 27001 implementation?

A: Not knowing the scope of what ISO 27001 really requires – what we were expected to do; or in other words – we didn’t know whether we were going to build a skyscraper, or a small family house. We also didn’t expect the theoretical approach required for the risk assessment, we lost quite a lot of time on it – until then we always dealt with the practical things, we never had to consider security on a conceptual level. As a consequence, in the beginning we didn’t do the risk assessment right.

Q: Why didn’t the risk assessment start well?

A: Not to go into details, let’s just say that we (the top management) didn’t pay enough attention to it – obviously, such a process couldn’t be done without our direct involvement because we were the only ones with a broader picture of the company, and we could make some crucial decisions.

Actually, we feel the whole project started moving much more smoothly after we started investing more time into it. Besides, during the project we understood that it really doesn’t make sense to skip the steps you suggested to us – e.g. it doesn’t make sense to implement controls before the risk assessment is done properly. We realized this after we skipped some steps and lost sight of the process.

Q: Do you think it would be better to let a consultant write the whole documentation, or should the company’s employees run the project and write the documentation themselves?

A: An outsider – a consultant or anyone else – cannot do it. Because then such documentation would be only superficial and we would never start living with it. Someone from the outside cannot know precisely how things work in a company, what is good and what is bad.

Although, since we had no experience in such a project, we wouldn’t be able to finish it without outside help – we liked your approach where you were guiding us through all the steps, and it was us who managed the project and the documentation. It was a good experience to have someone with a fresh eye to help us fill in all the gaps.

Q: What was the greatest surprise in the project?

A: Actually, there was none – we knew we had to formalize our system and that is what we have done.

Q: Which part of the project required the largest investment?

A: Involvement of the top management. We had to invest some time into this project, which means we had to postpone some other activities; on the other hand, if we hadn’t got involved, the project would have lasted much longer and therefore the cost would have been even higher. The investment in an alternative/backup location would have been the greatest, but since we already did it 2 years ago, almost no new equipment was needed for this project.

Q: What is your greatest challenge now that the implementation project is finished?

A: Having to live with this system. For example, we have 5 new young employees, who have no experience in security – we have to teach them to operate according to the standard. And that is difficult – it is much easier to explain it to someone with 20 years of experience, but when young people need to start working with all these documents, it is a great challenge that they do not experience it as a prison sentence.

Q: How to achieve that?

A: Continuing training. They will eventually become very good – after 6 months they will know it as well as, if not better than, people who have worked with these documents for 15 years. They will learn how to work properly, but it takes quite a lot of time.

Q: When you draw the line, do you think ISO 27001 implementation has paid off?

A: Definitely. It has paid off because we found our own mistakes and corrected them. We are now much more satisfied with ourselves and with the work we do. Also, we have regular audits from our clients (banks) – when they come, we have nothing to be afraid of. A real stress relief.

You can also check out our ISO 27001 Online Mentoring (commercially sold online service).


How to become ISO 27001 Lead Auditor

By Dejan Kosutic on February 27, 2012

Many people think that just by attending the ISO 27001 Lead Auditor Course they have become the ISO 27001 Lead Auditor. Well, this is not entirely true.

This article will show the steps you need to take if you want to work as an auditor for a certification body. If you want to work as an internal auditor, you basically do not need the Lead Auditor Course or anything else mentioned here – you can perform internal audits by just proving you have enough experience and knowledge. To learn more about internal audits read this article Dilemmas with ISO 27001 & BS 25999-2 internal auditors.

Steps for becoming the ISO 27001 Lead Auditor

So, if you want to become a lead auditor, here is what ISO 27006 (the standard that defines the requirements for certification bodies) requires:

  1. Prior experience – You need to have at least four years of experience in information technology, of which at least two years on a job related to information security.
  2. Pass the exam – The ISO 27001 Lead Auditor Course lasts 5 days, and on the fifth day you need to pass the written exam. Therefore, you need to invest considerable effort, not only by studying for the exam but also for attending the full 5 days of the course (if you miss a single day you will not be permitted to take the exam).
  3. Find a certification body – You need to find a certification body which needs an ISO 27001 certification auditor – that may prove to be a difficult task, since most of the certification bodies already have their auditors.
  4. Go through training – When you find the certification body which is interested, this doesn’t mean you’ll start auditing tomorrow – ISO 27006 requires you to go through a trainee program (or similar) during which you will attend real certification audits (done by more experienced colleagues) where you will learn how to perform such audits. Usually, this trainee period lasts 20 audit days after which you’ll be entitled to perform ISMS audits as part of the audit team.
  5. Gain audit experience – To become the ISO 27001 Lead Auditor, i.e. to lead a team of auditors performing ISO 27001 audit, you need to have experience in at least three complete ISMS audits.

After you finish all these steps, you will be able to perform the ISMS audits as the team leader. So, the ISO 27001 Lead Auditor Course is just the beginning of your journey…

You can also check out our ISO 27001 Lead Auditor Course preparation training – a webinar which describes the details of the course and helps you prepare for the exam (commercially sold online training).