Table Of Contents:
First of all, Happy New Year! We hope your year’s begun well and wish you the very best for the rest of it. We’ve certainly had an interesting time unboxing 2021. And that set us thinking about unboxing games, which led us back to our favourite way of thinking about ISO 27001.
Achieving ISO 27001 compliance or certification is really like playing Snakes and Ladders (or Chutes and Ladders if you’re from the US, or Moksha Patam if you’re one of the game’s ancient Indian inventors).
There’s a landscape you have to cross and rules you have to follow. Up to a point, you can move at your own speed. If you know where the ladders are, you can speed to the end. If you hit a snake, you’ll go backwards. And you’ll probably end up playing again and again.
But there’s one very important part of the game we’ve never really talked about: setting it up. After all, if you don’t make a proper start, the rest of the journey gets much harder.
Always read the instructions
That’s a pretty obvious starting point, but not everyone does it. Many organisations dive straight into ISO 27001 without reading the whole standard. They tend to jump into the management clauses without thinking about the strategy and infrastructure steps.
That’s like starting to play a boardgame when you’ve only read some of the rules.
You can imagine how it turns out.
So, we recommend buying your own copy of ISO 27001 and, before you do anything else, reading it all the way through. You’ll also need to snap up:
- ISO 27002, which explains in detail the Annex A controls that ISO 27001 only touches on. If you don’t have ISO 27002, it’s easy to misunderstand them. That can waste a lot of time and effort.
- ISO 27003, which fleshes out Clauses four to ten of ISO 27001. Again, if you don’t have it you might find yourself misunderstanding the standard and falling down a snake or two.
If you’ve chosen us you still need to read the rules, but you’ll have a lot of extra help understanding them. Our platform comes pre-loaded with explanations of every single ISO 27001 requirement, plus Adopt, Adapt, Add Content to show you how to meet them.
Set up the board
The set up stage is a big part of playing any board game. You’ve got to get everything out, set up all the counters, make sure you’ve got all the right dice and very often a lot of other things too.
And it’s not just about the game itself. Seasoned gamers know that having the right snacks and drinks on hand is key. You might have to dig out some folding chairs to accommodate all your players and make sure everyone’s got enough time to stick around and play the game.
Getting set up right is very important for ISO 27001 too. In fact, it’s almost a project in itself. You’ll need to:
- Get management buy-in, because it’s absolutely essential to the success of your ISMS and achieving compliance or certification
- Make sure you’ve got the right level of budget agreed, because if you don’t invest in your ISMS it’ll never get off the ground
- Set aside the right amount of time, so you’re free to make all the very focussed effort that ISO 27001 needs
We know how important the right set up is. So helping you get ready for your ISMS project is a big part of what we’ll do for you. That’s why we take our new customers through a series of implementation calls with our support team to get them off to the best possible start.
Find the right players
Ever tried to play Snakes and Ladders on your own? It probably wasn’t much fun. Even when you’re playing a competitive game, you need to find the right people to play with you. An ISO 27001 project is a bit more collaborative, but the principle still holds.
First of all, you need to work out who else is going to be part of the game. Of course there’s your project team. You’ll probably already have assembled them. Then you need to look at the rest of your organisation and see who’s help you’re going to need.
That’s because, while the standard doesn’t directly tell you to go and talk to other departments within your organisation, it asks you to do things that fall within their remit.
- Annex A control A.7.1.1 requires you to do relevant screening of new hires. That’s probably something only your HR people can help with.
- Perhaps you’ve outsourced key organisational functions, like IT. If that’s the case, you’ll have to bring everyone that supplies them into the game too.
Achieving ISO 27001 means collaborating with many different people and groups. So we’ve made sure that collaboration is at the heart of our platform. It makes discussion easy, and it’ll help you set targets for them and keep an eye on their progress too.
Choose the right strategy
For some reason I keep hearing the phrase “if you fail to plan, you plan to fail”. Must be something in the air. Anyway, it’s handy that it’s around because it’s very relevant when you’re playing Snakes and Ladders, or indeed any other board game.
And that means it’s also very relevant to ISO 27001.
ISO 27001 is a very open-ended standard, with no set way through it. If you start without a plan, you’ll probably get lost (much like Robin Williams’ character in “Jumanji”, who ends up trapped inside an endless board game). We’ve seen it happen to many organisations.
So, we recommend creating a clearly defined ISO 27001 strategy that helps you steer a clear path to a clearly-defined destination. Don’t start work on the standard until you know:
- What your final destination looks like
- How you’re going to get there
- Who or what you might run into along the way
Different kinds of guide specialise in different parts of the ISO 27001 Snakes and Ladders board. Our tried-and-tested Assured Results Method will take you all the way across it, from your first start-up meeting to first time compliance or certification.
Now you’re ready to play
So that’s what starting to play Snakes and Ladders has shown us about starting up an ISO 27001 project. If you’re thinking of getting stuck into one, we hope it’s helped you feel a little bit more confident. After all, as my Dad (a ferocious Scrabble player) always says:
Time spent in preparation is never wasted
But now we’re prepared! So in our next post we’ll take you through the top five ladders you’ll need to climb as you cross the ISO 27001 board…