Case study: ISO 27001 implementation in an IT system integrator company
For any major change in our lives, whether professional or personal, there are questions that come up before taking the first step. Here are just a few of the questions that you may face before making the decision to implement the ISO 27001 standard:
- Why do we need the certification?
- Where do we start?
- Do we have enough resources – whether manpower, financial, or technical?
In this article I will try to answer the questions above from my own experience.
Do we really need to implement ISO 27001, and why?
Working in the ICT (Information and Communication Technology) industry, you already use most of the procedures for securing electronic information and documents, access control, physical security, etc., so you are probably asking yourself whether you really need the ISO 27001 certification.
You may not be aware of it, but the ISO 27001 certification itself brings added value to your company. Besides the fact that you might need the certificate (e.g., because it is a condition for participating in a tender, or it gives you a competitive advantage), the certification process provides a method to better understand your business, its risks and weaknesses, and how to improve.
At our company, after a long brainstorming meeting discussing whether or not we needed the certificate, the final decision was that we should go for it.
We decided to implement the ISO 27001 standard using our own resources, along with materials we could find on the internet, without consulting any expert.
The first impression was: “This will be easy; we already have enough knowledge on the majority of the topics, and we can easily prepare for the certification.”
We started with the chapters that we were most familiar with: access control, cryptography, physical and environmental security, operations security, and communication security. We read the materials for these chapters and our thinking was: “OK, we already have all these implemented.”
We continued with the risk assessment and started researching risk assessment methodologies, and this was the phase we really didn’t anticipate. The OCTAVE approach, the Risk Management Guide from the National Institute of Standards and Technology, the various spreadsheets we found on the internet, risk owners, risk calculation: all of a sudden, it was as if someone had started speaking a language we didn’t understand. With our experience in ICT security it was easy to identify the risks, but we weren’t sure what to do next: who the risk owners were, how to calculate the risk, what an acceptable risk is, etc. Meetings, brainstorming, and more information and templates from the internet added up to a lot of wasted time and still no answer.
Read the article The 3 key challenges of ISO 27001 implementation for SMEs to learn more about challenges while implementing ISO 27001 in an SME.
Lessons learned, i.e., implementation tips
It was a new and interesting experience; we learned new things, we made mistakes, and we improved. So, what we’ve learned is the following:
1) Start with the risk assessment
Although you may think (as we did) that you will shorten the implementation period if you start with the chapters that you know, the logical way is to start with:
- the risk assessment, then
- the organization of information security inside your company, and then
- a list of all your documents and assets, with clear definitions of their confidentiality levels and importance, in order to prepare adequate security controls.
You cannot prepare procedures for security of the information and assets if you don’t fully understand the risks. You must be aware that it is almost impossible to provide a 100% secure environment, so you must analyze how much the information/asset is worth to you, how much it costs to be secured, and whether the costs are acceptable considering the value of the information/asset.
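The paragraph above describes the decision a risk assessment has to support: score each risk, compare it with the level management is willing to accept, and check whether the cost of a control is justified by the value of the asset it protects. The following is an added example, not code from the article or its authors, of a minimal risk register that makes those three steps explicit. The 3-point scales, the annual probabilities behind each likelihood level, the three risks and all monetary figures are constructed for illustration and are not taken from OCTAVE, the NIST guide or the article.

```python
"""Minimal qualitative risk register: score, compare with acceptable risk,
and check control cost against the loss it avoids (illustrative example)."""
from dataclasses import dataclass

# Assumed 3-point ordinal scales (not the article's own scales).
LIKELIHOOD_SCORE = {"low": 1, "medium": 2, "high": 3}
IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}
# Assumed annual probability behind each likelihood level; used only for the cost check.
ANNUAL_PROBABILITY = {"low": 0.1, "medium": 0.5, "high": 0.9}


@dataclass
class Risk:
    asset: str
    threat: str
    owner: str                # person accountable for the treatment decision
    likelihood: str           # "low" | "medium" | "high"
    impact: str               # "low" | "medium" | "high"
    asset_value: float        # what the asset is worth to the business (constructed figure)
    control_cost: float       # annual cost of the proposed control (constructed figure)
    control_reduction: float  # fraction of the expected loss the control removes, 0..1

    def score(self) -> int:
        """Qualitative risk score: likelihood x impact on a 1..9 scale."""
        return LIKELIHOOD_SCORE[self.likelihood] * IMPACT_SCORE[self.impact]

    def avoided_loss(self) -> float:
        """Expected annual loss the proposed control would prevent."""
        return self.asset_value * ANNUAL_PROBABILITY[self.likelihood] * self.control_reduction


def treatment(risk: Risk, acceptable_score: int) -> str:
    """Decide how one risk is treated.

    accept   - score is within the level management declared acceptable
    mitigate - score is too high and the control costs less than the loss it avoids
    escalate - score is too high but the control costs more than the loss it avoids,
               so the risk owner must bring the decision (accept, transfer, avoid)
               to management instead of buying an uneconomic control
    """
    if risk.score() <= acceptable_score:
        return "accept"
    if risk.control_cost <= risk.avoided_loss():
        return "mitigate"
    return "escalate"


def assess_register(register: list, acceptable_score: int) -> dict:
    """Map each asset to its treatment decision."""
    return {r.asset: treatment(r, acceptable_score) for r in register}


def ranked(register: list) -> list:
    """Register sorted from highest to lowest score, as a risk report would list it."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def build_register() -> list:
    """Three constructed risks for a small ICT company (sample data, not real figures)."""
    return [
        Risk("Customer contracts (hard copy)", "unauthorized physical access",
             "Office manager", "medium", "high",
             asset_value=50_000, control_cost=1_500, control_reduction=0.8),
        Risk("Build server", "malware via unpatched OS",
             "IT lead", "low", "medium",
             asset_value=20_000, control_cost=500, control_reduction=0.9),
        Risk("Public website", "defacement",
             "Marketing lead", "high", "medium",
             asset_value=3_000, control_cost=8_000, control_reduction=0.7),
    ]


if __name__ == "__main__":
    ACCEPTABLE = 3  # assumed threshold set by management: scores of 3 or below are accepted
    for r in ranked(build_register()):
        print(f"{r.score()}  {r.asset:32} owner={r.owner:16} "
              f"avoided={r.avoided_loss():8.0f} cost={r.control_cost:6.0f} "
              f"-> {treatment(r, ACCEPTABLE)}")
```

The point of the third case is the one the paragraph makes: a risk can be well above the acceptable level and still not justify the proposed control, because the control costs more than the asset is worth to you. The register does not hide that behind a score; it routes the decision back to the risk owner and management, which is where the article says it belongs.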
2) Do not fall for first impressions
It’s a well-known cliché, but in our case the implementation process really revealed to us that it is not enough to know all the issues regarding information security. In order to achieve the certification, we needed thorough analyses of the risks and our business processes.
3) Use documentation templates and toolkits
We understood all the controls very well, but we faced a very big problem when we had to structure and write the procedures. You can purchase documentation toolkits that will provide you with templates of structured procedures that are easily adjustable to your needs, and will take away the burden of all that paperwork – which engineers generally don’t enjoy preparing.
4) Have an expert on “speed dial”
We believe in the “in-house development” approach, but we recognize that we never would have finished the implementation without help from an expert.
5) Include your top management
Always include top management in the decision-making process. Even if you are a long-time employee and don’t need management approval, you will need their involvement to analyze business processes and enforce the procedures. Read the article 4 crucial techniques for convincing your top management about ISO 27001 implementation to learn more.
Analyze your resources
For a small company with up to 20 employees, a team of three persons assisted by an expert can successfully implement the standard in four months.
A thorough analysis of the current technical resources must be completed in order to have precise information on the finances needed to implement the standard. In our case, we had already implemented all of the infrastructure for the security of electronic data, physical security, and access control, but some minor investments in the physical security of hard-copy material were needed.
Most companies working in the ICT field have also already implemented good security controls for their electronic data and physical access. So, if your company is one of those, you will not face a significant financial impact.
You will face ups and downs in the implementation process. But, in order to succeed, you should always keep in mind that, in the end, you will gain a lot of benefits. And don’t forget to ask experts when things start becoming unclear; it may raise the implementation costs, but it will definitely help you finish.
Use this free Project checklist for ISO 27001 implementation to help you with the implementation.