Climbing the ISO 27001 Information Security mountain
The prospect of an ISO certification was a daunting one for a team of our size. We wanted to give this project the same weight as any other project, so fitting it within our already busy schedule was a challenge in itself. We thought there was some real value in sharing the experience of carrying out an internal project like this with you here.
Information security is key to the success of our business. The information security landscape is getting ever more complex, as shown by the constant stream of news: from failures in IT processes, through police warnings about phishing scams, to announcements of investigations into personal data breaches.
We want to operate to the highest standard of information security to protect our information assets and those of our customers to the best of our ability. This led us to tackle ISO 27001, the best-known standard for information security management systems. It covers information security, cybersecurity, privacy and protection of personal data. All with the aim of protecting the confidentiality, integrity and availability of information assets, whether they’re physical or digital, and minimising the impact of security incidents.
Having set our sights high, the challenge we faced was how to manage a project of this size with the resources that we had available as a small business. We pulled in all of our senior team to work on this alongside their other projects and were constantly aware of the need to balance this goal with delivering the many other customer projects we had on the go.
ISO 27001 is a complex standard covering all areas of a business. There are 93 controls to consider! About a third of these are technological, as you might expect, but about the same number are organisational, and the final third are related to people and premises. This means that during the implementation we needed to think through every aspect of how we operate.
As a small business, we are tight on resources and unable to dedicate a full project team, so we engaged a consultant to help us with the process, making sure to choose someone with experience of working with small businesses. We started at a high level by setting up the Information Security Management System itself. We then worked to map out the standard and group its requirements into areas to address. We ended up with 46 of these. For each one, we defined the work required and assigned it to a member of the team. Some were quite straightforward, but others first involved research and investigation to make sure we truly understood what the standard was asking for. Because the standard is designed to apply to organisations of all sizes across the world, this can be a bit tricky. The core team met weekly to review progress against a week-by-week plan. We used our project management experience to help us work to a tight timescale by dividing the work into bite-sized chunks and keeping to a regular rhythm of delivery.
There were many hiccups along the way, but after six months of hard work, we were ready for our certification audit. This was conducted by an independent auditor who had recently been certified to assess compliance with ISO 27001:2022. We were one of the first companies in the UK to go through the audit of the 2022 version of the standard, so it was a little nerve-racking all round.
We’ve realised why so few small businesses undertake this certification, as the workload required is really high. Although there is help available, and we got invaluable help from our consultant, your Information Security Management System (ISMS) needs to fit your business and the way that you operate. As no two businesses are the same, no two systems will be the same. Understanding the requirements of the standard and then translating those into something meaningful to the business is hard.
Once you’ve got through that and figured out what areas you need to cover and how you want to structure your system, the next challenge is documenting your policies and procedures. Like many small businesses, we had a lot of solid practices, but little formal documentation. ISO certification forced us to write everything down. Although it was painful, we recognise the value of this in formalising and clarifying policies and procedures and setting a foundation for future growth.
Throughout the project, there were many other demands on our time, and it would have been easy to put this one on the back burner. Solid project management is required to keep focus and to adjust plans flexibly as other business needs arise. If ISO certification is a business priority, then it has to be treated as a priority and, during the implementation phase, resources have to be committed. But this has to be done in a way that doesn’t detract from continuing to offer the best possible service to customers, so it was a constant juggling act. All credit to the team for managing this effectively and positively throughout.
We’re delighted that after months of hard work, our certification audit went smoothly. We are now proud to be certified to ISO 27001:2022. It was a huge accomplishment for the team, and we are sure that the improvements that we have made will help us to operate to an even higher standard of information security. We’re delighted to be able to demonstrate to our customers that they can have confidence in our ability to protect their information.
The story of our ISO 27001 certification shows how a small company can achieve certification with a concerted effort and reap the benefits that this brings. If you are a small IT business, we would encourage you to consider pursuing ISO 27001 certification as a worthwhile investment in improving the quality of the services that you offer.