The ISO 27001 document toolkit – is it an asset or a liability?
If you are considering an ISO 27001 document toolkit, read this first. 2011 was a year when quite a lot happened. A royal wedding, an Arab Spring, Amy Winehouse dying (along with many other notable characters), and some terrible earthquakes around the world. We also had our first earthquake at Alliantist (relatively speaking, it was a nasty shock): a need to achieve ISO 27001, and to achieve it with an independent UKAS certification to satisfy our most important customer. So we nodded our heads to the customer and went away to find out what was involved. The tremors continued for some time afterwards.
At that stage (many years before we developed ISMS.online) we literally had no idea what an information security management system (ISMS) was, and we knew nothing about ISO 27001. The customer involved loved our specialist pam secure cloud software service and told us that the ISO 27001 information security management system standard was becoming necessary because they saw our platform as essential for sharing more sensitive information than before.
We did what most people do when they need to research something: search online. We also had to hope there was a quick ISO 27001 implementation win available at a price we could afford, because the cost had not been factored into the agreement concluded with the customer, and we had to do it quite fast. After all, who budgets for an information security management system when they don’t understand what’s involved?
Are searches for “fast ISO 27001 implementation” and “free ISO 27001 documentation” oxymoronic?
Early searches led us to understand that having ISO 27001 documentation was important. That led to searches for free ISO 27001 documentation templates, free ISO 27001 tools, and ISO 27001 document toolkits, along with data protection toolkits. We checked out the paid options too because, as we all know, free rarely is in practice. The internet and this topic have obviously come a long way in 8 years, and so has regulation, with things like GDPR meaning information security management is even more important to everyone now, not just the educated customer. It is easy to laugh about our naivety now, but as a result of the marketing and our lack of knowledge we were hooked by the initial attraction of ISO 27001 document toolkits as ‘the quick fix’ to get our independent ISO certification.
So we purchased a ‘comprehensive toolkit’ from a well-known information security management vendor and thought we’d done well, only spending around £1,000. Then we bought the ISO 27001 and ISO 27002 standards, which were about £100 each. That latter decision was pivotal for us for many reasons, not least understanding the standard’s structure and numbering and being much clearer on what all the expectations were.
The toolkits turned out to be a poor set of basic Excel and Word documents with old-fashioned version control mechanisms and no clarity about what we were supposed to do next. Could we just tweak those ISO 27001 templates, dump them into a Google Drive or SharePoint site and show the external auditor we were ready for our Stage 1 audit? Not quite. We wasted lots of time trying to figure that out. The opportunity cost of our consulting day rate was becoming significant, and we were no closer to the goal of a certified ISMS that our customer could trust.
On reflection it is analogous to buying an umbrella to solve an earthquake risk: a possibly helpful asset, but nowhere near enough, and you could have spent that money more effectively. Perhaps it is even a liability if you also get stabbed in the eye by the pointy umbrella while you are unsure what to do with it during the earthquake… I’m obviously pushing analogies and mixing my metaphors a touch far. The literal point is that ISO 27001 documentation in itself is not enough, and the ISO standards experts have clearly stated that a ‘management system’ is the important thing to achieve.
What does ISO 27001 document toolkit really mean?
Is it pushing the concept of ‘toolkit’ and ISO 27001 tools too far when all you get is a bunch of documents and spreadsheets? Perhaps, although Wikipedia mentions spreadsheets as an example of a tool! Then there is the ‘toolkit’ or ‘toolbox’ itself, which means different things to different people.
Imagine this for your tools and toolkit: looks appealing but unlikely to do the job well unless you are around four years old.
Versus this for your tools and toolkit: comprehensive, well organised, quick to find what you need when you want it, and simple for inexperienced professionals to use too. But it might also cost a lot more and not be what you really need.
In reality, when information security e-commerce sites and consultants talk about toolkits, what they really mean is ISO 27001 documentation. The actual content quality, scope and guidance that comes with it can vary from:
- A simple pack of ISO 27001 Word document templates with limited sample content (and perhaps encouragement to buy consulting resource to make it relevant to your organisation)
- As above, with basic Excel spreadsheet templates, e.g. to use as an operational risk register (not quite a tool in our book, but if it’s good enough for Wikipedia…)
- As above, with associated guidance (supplementary notes)
- As above, with supporting videos/tutorials
- As above, with a larger number of ISO 27001 requirements and Annex A control templates added
None of these actually achieves ISO 27001 success alone, nor do they create an information security management system per se.
Are ISO 27001 documentation and guidance ‘toolkits’ comprehensive?
In order to achieve ISO 27001 and get an independent certification, you need to describe and demonstrate documentation (content) working in practice for around 140 specific activities. That includes the preparation, meeting the ISO 27001 core requirements clauses and addressing the Annex A controls. So having the documentation is one thing; demonstrating that it is relevant to your organisation and that you are living the management system in practice is another.
It is therefore important to qualify carefully what exactly is included in a documentation toolkit. You don’t want to get a Bob the Builder partial toolbox with quality fit for a four-year-old user when what you really wanted was the grown-up comprehensive Snap-on tool set. Equally, why buy a comprehensive toolset when you already have the spanner and hammer equivalents? In practice, very few organisations actually start their implementation from zero. We’ve created an ISO 27001 implementation approach called ARM, the Assured Results Method. It helps organisations achieve the standard by building on what they already have and being pragmatic in their approach to ISO 27001 certification.
How easy is it to actually use ISO 27001 documentation toolkits?
It depends on the quality and scope of what you purchased, and on what else you have to operate and manage your ISO 27001 management system. You’ll want to easily adopt, adapt and add to the documentation and tools in order to make them relevant to your organisation’s desired way of working.
With the power and affordability of technology, you’ll want to have a digital management system to help coordinate and control your documentation, showing that you review it regularly, as well as ‘live and breathe’ all the relevant requirements and controls in the way the standard expects. Whilst there are many different ways of doing that, we’ve identified what we consider to be the key characteristics of ISMS software.
What do we think about off the shelf ISO 27001 documentation toolkits?
ISO 27001 documentation is important and, as noted above, is probably the first thing that people search for even today when they are new to the standard. Many enquiries that we receive today for ISMS.online start with the comment “we recently purchased a document toolkit but now realise that wasn’t what we thought it was…” Sadly, most of those organisations, as we did, will almost certainly have wasted £500-1500 and their time getting to that position.
It is really important that you not only describe the content, but also demonstrate that whatever policy and control documentation you are using is evident in its operational use. For example, if your policy says you use 2-factor authentication and have systems administrator permission controls, make sure that you can show them in practice to an auditor. You can’t just have a risk management methodology in a standalone document; you have to identify and manage risks regularly in practice. If following that policy in practice is hard, or is not going to happen because the policy or tool is clunky, your certification efforts will fail. Therefore documentation toolkits can be an asset or a liability, depending on what you buy, where you get it from and how you go about using it. Caveat emptor!
We have thought long and hard about what level and scope of complementary documentation should be provided with ISMS.online for those who want a head start. We ended up with the view that we can, ‘hand on heart,’ help organisations reach up to 77% progress on all their requirements and controls documentation the minute they log on, with our material being much easier to adopt, adapt and add to than others. It reduces the time spent significantly and saves a huge amount of money. Feedback from customers suggests it is the most comprehensive suite of materials out there, especially when complemented with our Virtual Coach service and ARM, which help accelerate ISO 27001 implementation.
More significantly, we made sure that all the content forms practical and actionable documentation within the ISMS.online management system. After all, you have got to have an information security management system to achieve ISO 27001, and a document toolkit is just not enough no matter how good it is. We found that out to our considerable cost many years ago, and it’s a shame others still fall into the fissures (back to that earthquake), but with ISMS.online now available, you don’t have to be one of them.