If you’ve recognised the benefits of ISO/IEC 27001:2013, more commonly known simply as ISO 27001 – from meeting legal, regulatory and contractual requirements to winning new business – and are considering how you’ll manage implementation, we’ve outlined some of the key challenges you are likely to face and how to overcome them.
- Resourcing your implementation – train, recruit or procure?
- How do we manage disruption to the business?
- How do we ensure ISO 27001 isn’t just a tick-box exercise?
- How to make ISO 27001 implementation less daunting
1. Resourcing your implementation – train, recruit or procure?
Given the considerable benefits of ISO 27001 certification, you’ll want to consider your resourcing options carefully.
The challenge for many businesses is that they lack the internal experience and expertise to manage an ISO 27001 implementation. The options typically considered are:
- Train existing staff
- Recruit an information security expert
- Engage consultants
- Use ISO 27001 document toolkits
- Procure information security management software
These may be considered as stand-alone or combined options, depending on the size and complexity of your business.
For many businesses there is an external driver to become ISO 27001 certified – often a customer or tender deadline – which places a priority on a quick implementation. This can considerably influence the decision of how to resource information security management.
Information Security Management System (ISMS)
An ISO 27001-compliant information security management system provides a systematic approach to building a solid foundation from which to demonstrate compliance with, or achieve certification to, ISO 27001, as well as other national and international regulations.
- Demonstrates your commitment to information security management
- Embeds information security management as a discipline within your business-as-usual processes
- Encourages collaboration and sharing of responsibility
- Steers a roadmap to implementation, operation and continual improvement
A software-based ISMS provides a living set of policies and procedures within your organisation that are stored centrally, preferably in a cloud-based platform.
This is why an ISO 27001 document toolkit falls short. Even the most ‘comprehensive’ toolkits are essentially Microsoft Excel and Word documents with inadequate version control mechanisms and no clear next steps for ISO 27001 implementation.
2. How do we manage disruption to the business?
When embarking on working towards an ISO 27001 certification, the challenge will often be how to run this alongside everything else with minimal disruption, whilst maintaining momentum and achieving certification within your timescales.
Work as a team
You can’t implement ISO 27001 alone; you’ll need to work together as a team.
Spread the responsibility and load throughout the business, rather than creating an information security “silo”, which can sometimes happen when an information security consultant is brought in. Sharing the load minimises disruption, and the journey towards and beyond ISO 27001 implementation is usually more efficient and effective as a result.
Not only this, but companies that approach ISO 27001 in a considered and holistic way remain certified by demonstrating that everyone acts properly in their day-to-day, business-as-usual operations.
During ISO 27001 implementation, communicate early, communicate clearly, communicate continually – take everyone on the journey with you. If information security management is getting in the way, you are probably doing it wrong.
3. How do we ensure ISO 27001 isn’t just a tick-box exercise?
To make the journey truly effective, an organisation needs to adopt a cultural change, driven from the top with buy-in from all of senior management.
Streamline with software
Utilise information security management software which guides you through ISO 27001 implementation – with templates, frameworks and policies that you can tailor.
Between your independent ISO 27001 certification and surveillance audits you are expected to carry out your own internal audits (Clause 9.2) and act on the findings. Build information security management into your business processes by continually reviewing and optimising your ISMS so that it keeps maturing.
Commit to certification
The British Assessment Bureau advises that ISO certification usually takes between three and six months.
How long it takes for you depends on your goals. If you have a tight deadline, with a prospective client contract riding on it, then you will need to commit to a quick implementation to reap the rewards of ISO certification.
ISMS.online speeds ISO 27001 implementation. With its actionable ISO 27001 policies and controls documentation you can quickly adopt, adapt and add to, it offers progress of up to 77% towards the standard, the minute you log on.
4. How to make ISO 27001 implementation less daunting
Whilst the benefits are exciting, tackling ISO 27001 for the first time can be complex and daunting to say the least.
Don’t strive for ‘perfect security’
Whilst ISO 27001 mandates the requirements for how your information security management system must be implemented and operated, it doesn’t need to be perfect.
A great way to begin is to document what you do today – and you will be doing some things already – whilst identifying and recording improvements for the future that will further reduce your risks to acceptable levels.
As long as you are weighing the comparative risks – the risk to the business of not implementing a control against the cost, disruption and residual risk of implementing it – you are on the right track.
Remember, be pragmatic, not “perfect” when selecting and documenting your controls.
The key objective is to ensure that your security management is fully compliant with ISO 27001 whilst ensuring pragmatic, effective and efficient controls to manage your risks to an acceptable level.
How the ‘London Boris Bikes’ business used an ISMS to achieve ISO 27001
Towards the end of 2018, Beryl Bikes, who provide the bike share scheme behind London’s ‘Boris Bikes’, began exploring technology solutions that would support the process of achieving ISO 27001 certification.
As a business working with local Government they felt that ISO 27001 was essential to demonstrating their commitment to information security management.
Heading up the project, their Head of Technology had experience of working with an Information Governance Toolkit whilst at the NHS, although other team members were less experienced and some form of additional resourcing was required.
After weighing up the costs and benefits of recruitment, using contractors, buying a toolkit or procuring information security management software, ISMS.online was selected as the most comprehensive solution: one that would enable the team to learn and build their knowledge of information security while facilitating a smooth ISO 27001 implementation.
What gave it the edge was the integrated Virtual Coach, which provides instant access to videos, templates and checklists to guide the team through their ISO 27001 implementation.
This was seen as, and proved to be, a way to ingrain information security management into the organisation rather than treating it as a tick-box exercise. Their recent stage 2 audit and successful ISO 27001 certification, passed with flying colours, demonstrate how well this approach has worked for them.
Avoid treating ISO 27001 implementation as a one-off, tick-box exercise and deliver real value beyond a set of policies.
Implement a structured information security management system and use an ISMS that enables knowledge to be embedded into the organisation – and not just the responsibility of the IT department.
ISO 27001, like the other ISO management system standards, is all about continual improvement and is fundamentally a risk-based standard. So being pragmatic about business risk (assuming that is also acceptable to your customers), and showing improvement as part of the management system, is well received by auditors.
Need help with your ISO 27001 implementation?
ISMS.online provides you with a structured information security management system with built-in tools and methodologies. Our Assured Results Method (ARM) and Virtual Coach provide a step-by-step guide to your ISO 27001 implementation, walking you through the key decisions and the implementation process.