
    ISO 27001 & ISO 22301 Blog

    The 3 key challenges of ISO 27001 implementation for SMEs

    With thousands of organizations certified against ISO 27001, and hundreds of others working according to the principles, organizations recognize the benefits of implementing an Information Security Management System. From helping to maintain legal and regulatory compliance, to demonstrating credibility and trust to customers, to reducing the likelihood of a security breach, the advantages are plain to see.

    For small and medium-sized companies that are the most likely to manage their information security processes in house, getting ISO 27001 implementation right the first time is of utmost importance to the businesses and, of course, to their customers. Some issues that I usually face throughout the implementation process include having or recruiting the right staff to carry out the implementation; producing, controlling, and managing information; and correctly interpreting the requirements of the standard.

    In addition to the above-mentioned issues, in this article I will be sharing the three main challenges faced by small to medium-sized businesses and how to overcome them successfully.

    1) ‘I have more important things to do.’

    My approach, as one of the first steps of implementation, is forming an Information Security Committee: the members of staff responsible for the success of the project and of the overall Information Security Management System. Employees are typically selected from various areas of the business, and responsibility is delegated alongside their primary job roles. Unlike in a larger organization where there would be an entire team dedicated to the management of information security, in SMEs each member of the committee usually holds other priorities and responsibilities.

    The key to overcoming this challenge is ensuring that top management instills the importance and criticality of the system and its processes in the organization. The ISMS (Information Security Management System) is definitely not just an add-on. This ensures that staff members begin to view information security as just as significant as their day-to-day roles. This can be done in a number of ways:

    • Including information security responsibilities clearly within employees' job descriptions
    • Setting measurable information security objectives with defined responsibilities and deadlines
    • Assigning an information security ambassador within every function of the business

    To learn more, read the article How to perform training & awareness for ISO 27001 and ISO 22301.

    2) ‘Why does this matter to us?’

    There is often a misconception within SMEs that information security doesn’t affect us on the same scale as larger corporations, such as TalkTalk (in 2016, the company was hit with a £400,000 fine for security failings that allowed a cyber-attacker to access customer data “with ease,” according to the Information Commissioner’s Office) and Microsoft (a worrying security vulnerability was recently revealed by Google).

    However, according to research shared by Raconteur, 59% of SMEs have been the victim of a cyber-attack. That’s more than half of us. And, if statistics are to be believed, many organizations do not report an attack – meaning this figure could be even higher. We are equally – if not more – at risk by having this mindset.

    The key to tackling this risk is getting employee buy-in throughout the organization and ensuring that the new processes for protecting information security are taken seriously. You could consider:

    • Completing training and awareness sessions with staff
    • Carrying out a dummy security breach and outlining the impacts that it would have
    • Assessing the risks and putting measures in place accordingly – people are less likely to get on board if they think what they are doing is overkill

    Learn more about the benefits of ISO 27001 implementation in the article Four key benefits of ISO 27001 implementation.

    3) ‘It will take too much time’

    Additional responsibilities result in additional work, right? Not necessarily.

    An example of this would be development staff being required to test a random selection of database backups. This may take 15 minutes each week, but trying to retrieve that data when it is needed, only to discover that the backup file is corrupted, is much, much more time-consuming. Putting situations into context like this will help staff to understand and get on board with the new processes. As mentioned above, carrying out dummy runs of such situations will create even more of an impact.

    Get employees on board by:

    • Demonstrating the time that could be spent rectifying incidents, rather than implementing proactive measures, by putting it into the context of their role
    • Engaging employees in developing the new measures and agreeing on a manageable workload; people are much more receptive to change if they are involved in the development process
    • Explaining the costs and even risks of company closure due to information security breaches

    The article 5 ways to avoid overhead with ISO 27001 (and keep the costs down) can help you understand how to avoid overhead costs.

    Overcoming ISO 27001 implementation challenges  

    I have shared three key challenges above, and would love to hear of any others experienced and how these were managed.

    Overall, whether big or small, all organizations implementing ISO 27001 face challenges, but what is key is how these are overcome. The main theme of this article and my piece of take-away advice is to ensure that all staff understand the importance of the standard and are on board with the changes. This will make sure that the rest of the implementation runs a lot more smoothly. Good luck!

    Use this free online training, the ISO 27001 Lead Implementer course, to learn about the steps for implementation.