We recently decided to formalise our ISO compliance and achieve certification for Information Security (ISO27001) and Business Continuity (ISO22301). We found the process a little opaque and hard to predict, so we thought we'd write a little about what we learnt, in case it helps you with your ISO plans.
1.) Be sure to pick a reputable provider
The first thing we found out when considering becoming ISO certified is that there are a lot of companies out there that will offer to help you implement the policies, processes and procedures required to meet the standards, and then ‘certify’ you as compliant. What you’ll learn is that only certain companies are approved by UKAS to certify you and, in order to be objective in their audit, they can’t help you with implementation (or else they’d be marking their own homework). Oh, and one key point – you can’t get the ISO standards themselves for free, but definitely get them. You can’t implement ISO without knowing the standards you’re supposed to be meeting.
2.) You can’t achieve certification overnight
You need three months’ worth of evidence of adherence to the policies, processes and procedures to start your ‘Stage 1 audit’ and then it’s recommended, depending on your size and how well you think you’ll do in Stage 1, to leave at least a couple of weeks between Stage 1 and Stage 2. Stage 1 is a ‘tell me’ test. The auditor will collect all your documentation, ask you questions about it and review key documents like your risk log and results of your most recent internal review or other audits. Stage 2 is a ‘show me’ test, where the auditor will ask to see evidence of the processes being followed, your policies being iterated over time, and your procedures being followed.
3.) How big do you have to be?
We’re a small tech company so, while giving us some advantages in terms of our flexibility and ability to implement new ways of working quite quickly, it was quite an effort to produce the level of documentation required for processes and procedures that, at our size, are just common sense or don’t require that level of enforcement.
So even if you’re running a fairly tight ship, as we were, you’re still going to have to sink quite a lot of time into the documentation to prove you’re running a tight ship.
4.) What is an Information Management System?
ISO isn’t about making your information more secure or more resilient to disasters. It’s about ensuring you have the systems in place to effectively manage your information security risk. A subtle difference but an important one.
Your Information Management System (IMS) is a network of related policies, procedures and processes that, combined, ensure you’re aware of the risks and you’re managing those risks effectively. An ISO auditor isn’t going to fail you for not having a 24/7 Security Operations Centre in place, monitoring every aspect of your infrastructure for an attack. They will, however, if you don’t have a risk of attack in your log with an appropriate and proportionate risk reduction strategy.
5.) How much effort does it take to maintain?
The ISO calendar looks something like this:
In year one, at least one ‘Internal Review’ (which unless you’re a fairly large company you’ll need to outsource to a different auditor than your ISO certification auditor for impartiality) and ideally at least one ‘Management Review’, usually where you review the results of the Internal Review and consider external factors, changes to policies etc.
Then your ISO Certification audit, which is in in two stages. In year two you have a re-certification audit about a year after your original audit. Between the first and second audits you need to have held the appropriate number of internal and management reviews, according to your policy for how many of those you intend to have. Each of these activities takes planning, co-ordination of documentation for review, write-up and follow-up. ISO certifications aren’t something you do once a year and then forget about.
6.) What value does it add?
Honestly, when we started, we didn’t think it would add that much value. We felt we were already compliant with GDPR and Cyber Essentials and we had plenty of good competent practitioners.
As we went through the process of creating the additional documentation required, and especially when going through the ISO27001 clauses (which list basically every risk you can think of regarding information security), we found that we were adding 2nd and 3rd level protections which, on occasion, we actually needed or used.
Overall, has implementing ISO made a difference to our day-to-day information security and disaster recovery performance? Maybe not. But has it improved the way in which we manage those things? Yes it has.