Take the ISO 27001 course exam and get the
EU GDPR course exam for free

ISO 27001 & ISO 22301 Blog

Will a piece of paper stop the attackers?

There are many skeptics who do not believe ISO 27001 can help protect their information and/or information systems; one of their main arguments is: “Writing a policy or a procedure surely won’t help against someone who wants to steal your information.”

And I agree with them – simply writing a document won’t help.

Why won’t just a piece of paper help?

For instance, a hacker who has created malicious software and managed to bypass your firewall and anti-virus software doesn’t care if you have a Network security policy or not.

What’s more, a disgruntled IT employee who wants to delete your data or wants to stop your servers won’t mind your Access control policy.

All the same, a competitor who wants to steal your most precious know-how won’t be very impressed with the Classification policy you invested a lot of time in writing.

So really, just having the documents won’t help you a lot. This is why it is important to distinguish between two types of companies: (a) those who use frameworks like ISO 27001 to produce nice documents (in a very short time) and get an even nicer certificate they can show off with; and (b) those who may or may not want the certificate, but who definitely want to improve security in their company.

You can surely guess what the security will look like in (a) type of company, so let’s not waste time on them; the rest of this article concerns the (b) companies.

Why bother with documentation?

We can take an international standard like ISO 27001 to make a case about the documentation: it is true that ISO 27001 (like most of the other ISO standards) requires writing policies, procedures and plans, to maintain records, etc. (See also: List of mandatory documents required by ISO 27001.)

But ISO 27001 does not ask you to write policies and procedures just to give the auditors something to do; this may come as a shock to you: writing documents really isn’t the main point of ISO 27001. (See also: 5 greatest myths about ISO 27001.)

The main point of documents is to help you change the behavior of your employees, to make the change in your processes. For example, you probably have very good firewalls in your company, but they may not be maintained and/or configured properly; you may have a very secure system for authentication for your email, but if your employees receive the email on their smart phones with no protection whatsoever then this authentication system is not very useful. And there are dozens of such examples even for very small companies.

So, let me draw the following conclusion: it is not the technology that is wrong in most of the companies; what’s wrong is how this technology is used. This is why we need policies and procedures: they explain to everyone how to use the technology in a more secure way, and when everyone starts behaving differently, the level of security in your company will rise. (See also: 4 reasons why ISO 27001 is useful for techies.)

Of course, if you want your documents to change something, you have to make them really usable – see this article for explanation: Seven steps for implementing policies and procedures.

Why does the implementation take so long?

Very often, our new clients ask me: “How long will it take us to implement ISO 27001?”, and for a small company of 50 employees I usually answer them something like “6 to 8 months.” “Why that long?” they ask me. And then I have to explain that you can write all the documentation for ISO 27001 in just two weeks – simply fill in all the mandatory documents and you’re done.

But what takes time is for employees in your company to accept all those changes – if you sent 20 new policies and procedures at once to them, they will look at you with the greatest contempt (of course, we all know how that approach will end). So, if you want them to really accept all those changes, you have to create documents together with them, send them one by one, and conduct awareness and training in parallel to the publishing of documents. And that takes time – thus 6 to 8 months. See also: ISO 27001 project – How to make it work.

So remember – policies and procedures are not an aim in itself. When you stop treating ISO 27001 as just a document-producing exercise, you will start getting a real benefit from this standard: your employees will start behaving more securely.

See this white paper that explains which documents are mandatory for ISO 27001, and how to structure them: Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision)

Advisera Dejan Kosutic
Dejan Kosutic
Leading expert on cybersecurity/information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients.

As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.
Connect with Dejan: