However, will the ISO 27001 toolkit approach suit every organisation? Being the cautious folks we are, we’d say “yes and no”. “It depends”.
It’s a “No” if…
You Don’t Implement It Correctly.
First of all, read the standard itself. Remarkably, some businesses think the toolkit is enough on its own. You need to understand its scope and its points of contact with your business. Occasionally, we encounter customers who can drop some key phrases and mention some parts of the standard, but are missing large chunks of understanding. They haven’t read the standard and don’t understand its implementation. It’s not light reading and you won’t remember large parts of it, but reading it will give you a sobering insight into its scope and depth.
You Don’t Do the Risk Assessments Properly.
“Risk” is at the heart of the recent revisions of the standards. Risk is assessed by comparing your real-life business activities against the standard, and the result is used to create a bespoke Information Security Management System. Therefore, rather than being a “wish list”, it needs to be written around your business. Fictional writing with no root in your daily activities will be spotted by your auditor very quickly.
You Don’t Have Commitment from Senior Management.
ISO 27001 is about your whole business, not just your IT department. Therefore, it will involve key departments and functions, and it will require a commitment from all of them to realistic best practice. Ideally, it needs to be driven from board level. You need motivated senior staff to “evangelise” the business, looking for punctual and appropriate responses to the demands of the ISMS.
You Don’t Have Evidence of The System Being Implemented.
Your auditor cannot be duped. If an ISO 27001 toolkit stays in its toolbox, the result is a largely fictional ISMS that makes no difference to daily business life, and your ISO 27001 certificate will be the equivalent of a fake university degree. This standard is meant to make a significant practical difference to business processes, and credible proof is a key contributor to successful certification.
It’s a “Yes” if…
Your Business Drives Your ISMS (Information Security Management System)
Your ISO 27001 toolkit is just that, a toolkit, rather than the product that the tools should help you make. You have to use the tools to create something. Hopefully, you’ve taken a long, hard look at the way you do things, made some changes, documented them and, better still, started doing them. A consultant can give a helpful, outside perspective on this. However, if you can create this detached, non-political objectivity in-house, then the toolkit approach will probably work.
You Have Champions.
Someone needs to manage the implementation of the standard. It doesn’t manage itself! A consultant’s fee “taxi meter” is always ticking, and it’s amazing how this concentrates corporate minds to actually get things done. An ISO 27001 toolkit, however, comes without the pressure of an expensive presence to move things forward. On the other hand, if you have a forceful champion of the cause, who perhaps reminds the company of the need to gain the standard in order to win a particular order or tender, or even reminds everyone of the vulnerabilities of the company’s IT arrangements, then you won’t actually miss the consultant. An ISO 27001 toolkit will work.
You Are Sensible About the Scope.
ISO 27001 approval can be a major resource-hungry process. This is why expertise is often bought in! Consequently, care needs to be taken to adopt a progressive approach. Is there a location, division, or sub-set of the main business that can benefit from the ISO 27001 toolkit approach first? This is a strategy that delivers quick and vital lessons learned from the struggles of implementation. These can then be rolled out to the wider business with greater efficiency and speed.
You Have Buy-in From The Front Line
Who are the stakeholders with hearts and minds invested in the business who want the standard implemented? I suspect everyone, at some time, has had a badly-planned and poorly-focused strategy imposed on them. Consequently, as well as champions (the “top-down” approach), you need a “bottom-up” drive. A good consultant can be the catalyst for both. The best people to effect radical business process change are those who actually do the job. The ISO 27001 toolkit will give you tools and a framework for an ISMS, but not a “stakeholder mindset”. However, if you combine a good set of tools with motivation at the significant levels, then ISO 27001 certification via a toolkit will work.