One of your business goals for 2017 might be to try and make your business stand out. One of the ways that you might seek to do this is through accreditation with a recognised international standard. There are a few standards that are applicable to almost every business; indeed the one that seems most ubiquitous is ISO 9001 - to show you can provide a consistent product or service, often alongside excellent customer service.
As a small company we thought that becoming accredited with the international standard of ISO 27001 Information Security Management would be a good idea to back up our claim that we are responsible data handlers; that our systems are built with security in mind and that we put a great deal of thought into information governance. We often work with sensitive personal data, and we had often seen that providing evidence that you were ISO 27001 certified circumvented some parts of tender exercises, meaning a check in a box rather than explaining processes over multiple-part questions. A massive time saver! When Cloud Data Service became two years old, one of our clients indicated that they may need to re-tender for the service that we were supplying and that they usually preferred suppliers to be certified.
We took the hint and bit the bullet.
How not to do it
We initially engaged with an external consultant to take us through the process of becoming ISO 27001 certified as at the time (May 2013) we had no previous experience in doing anything of the kind, and we believed that it would be an arduous process. This would be our first mistake.
The consultants were incredibly unhelpful; whenever we asked anything they preferred to do it for us instead of telling us why something had to be the way it was - in hindsight, keeping us in the dark I guess is part of their business plan, so that we would have to continue to engage with them in the future to do ISO work for us at great expense.
We continually questioned why we had to do something in a certain way (their way) but then conceded that they knew best and that we just had to do it that way.
The main help that they gave us consisted of giving us a great bundle of template documents that they had hastily added our company name to and not done any more customisation after that. (There was at least one document where they didn’t even bother changing the previous company’s name to ours!) Many of the documents repeated themselves and often contradicted themselves at the same time; it was wholly confusing.
When it came time to engage an external certifier, the consultancy firm pushed us through the first part of the process with no further help. We struggled through the very stressful first audit wholly unprepared for what the day would entail. Thank goodness the auditor from the certification company we chose was understanding, we scraped through and the auditor suggested some things that we could improve on after the audit was wrapped up.
Then came the biggest headache, some of the points the certification company wrote up in their report - the consultants disagreed with. We were in the middle of a tug of war between the two of them, stuck between letting the consultants get on with it and wanting to do things right for the certification company. When stage two of the initial audit came around, the consultancy firm insisted that they would send a member of staff to “assist” us in the audit.
He was over an hour late.
The contract we had with them was to see us through the Stage 2 audit. They had seen it through and now that was it. But there was one final kick in the teeth: They had been contracted to see us through to certification of ISO27001:2005 - the current version was 27001:2013. (We had first engaged with them in May 2013, the new version came out four months later.) We had six months to update everything to the new version of the standard. And now we were on our own…
The consultancy firm had originally produced some reports from software that cost £600 per year; although we were invested in putting some resources behind our ISO journey, we just didn’t have the time to enter all our previous information into a new install of the software. We decided to look into some alternatives and chose InfoSaaS; we pay monthly for cloud based software that compiles a Statement of Applicability from the controls that we’ve selected to apply to the risk assessments that we have entered. It covers all the bases, and is a much simpler solution for a small business such as ourselves.
We’ve now had two surveillance audits that we’ve passed without any non-conformities and have a robust system for recording information security evidence and processes.
One of our business goals for 2017 is to maintain ISO 27001 certification, and that’s now an easy one checked off our list.
How to do it
ISO certification isn’t something that you can do once and then it’s sorted; it needs to be something ingrained into your work that underlines everything that you do, and it needs to be kept up to date. Hopefully a lot of your processes already contain elements of information security; you just need to document them in a way that is easy for you and obvious to anyone who would come to check on them.
- We have policy documents and documented processes stored in Google Drive - Google Docs tracks all changes of the documents and allows for collaboration between colleagues and for sign off.
- We use Trello for the recording of certain processes, such as training and tasks. We also keep track of things like user rights over all the software we use on there, so at a glance we can see which staff member can access what.
- And we use InfoSaaS for information security incidents and controls accepted.
In short, if you’re a small business:
Don’t use a consultancy unless you plan to stay engaged with them and have the budget for them to effectively “do it for you”.
Do make sure it works for you, using free or cheap tools that reflect the way you work!
I’m not an expert, but if you’re thinking about going down the ISO27001 certification route or have just started, and you want someone to chat to about it, or just a sympathetic ear, the coffee's on me. Just drop me an email: firstname.lastname@example.org