Many organisations see ISO 27001 implementation as difficult, slow and expensive. Sadly, some ISO Consultants are quite happy for this illusion to remain. The clock ticks, the documents get bigger, and the fees roll in, as I’ve discussed here (where I also give outline costs and time scales).
Of course, information security is a serious business, and requires focus. However, it is often made over-complex. ISO certification seems hard to attain, difficult to understand, and disengaged from normal business life.
Therefore, in the pursuit of clarity and simplicity, I set out to create a ten-point guide. It’s not “The Answer”, but a beginning, a framework of “how”, rather than “what”. And, of course, it’s always best to discuss these things face-to-face.
So, some basics:
1 – Gain Commitment from Senior Management
ISO 27001 is not an IT department standard, but a company-wide standard. Describing the effects of an IT security failure across the whole business may just get their attention and focus.
2 – Engage the Whole Business via Good Internal Communication
IT departments can frequently be their own worst enemy.
As per point 1, graphic and frequent portrayal of a security breach will help everyone realise that ISO 27001 implementation is a shared responsibility, not a mere IT administration task.
3 – “Where Are You? Where Do You Need To Be?”
Examine your current information security systems against the likely demands of ISO 27001. It is quite possible that you are already using parts of “best practice”. Reinventing the wheel is not required.
A good ISO 27001 system will be designed around your current situation. Companies are often severely challenged by the prospect of ISO Certification. However, they usually discover that they are using some of the component principles already.
4 – Look Outside
Feedback on current information security from customers and suppliers is highly useful. Ask what their requirements are, based on your forthcoming ISO 27001 implementation and certification.
This is often an excellent source of “pointers”.
5 – Establish an Implementation Team to Get The Best Results
Time to leave the IT department ghetto and “share the good news” about security.
Furthermore, if you have some corporate “champions” throughout the company, it’s also going to help with point 2 above.
6 – Have a Plan
Roles, responsibilities and timescales need to be made clear. Add too many team members, and they will generate more heat than light. Implementation is unlikely to go smoothly. Adjustments are always necessary.
The key issue is to make progress and not duplicate activity. A framework and objectives will save much time and energy. Most importantly, getting started is good, and often the hardest part.
7 – What Does The Standard Say?
Get an ISO Consultant on board who will be able to translate and apply the basic principles of the ISO/IEC 27001 standard to your business. Your certification auditor will be looking for this theme in your activities.
8 – Sell The Concept to The Company
Staff motivation is essential. Training and incentives will help, but keeping it simple and accessible will be the key.
Most certainly, you will have to “sell” the changes to your colleagues. However, make sure that you “sell the benefits not just the features”.
9 – Get Some “Buy In”
Raise some champions. Make it clear that ISO 27001 should be “done with” staff, not “done to” them. Getting them to train as internal auditors is a major step. The most vocal “champions” will be the early adopters. Sadly, your IT team is not all-seeing and all-knowing. A wider company team will have insights from their daily work that only they themselves could ever discover.
ISO 27001 needs to escape the IT department at the first opportunity in order to be truly effective.
10 – How Are We Doing?
Your ISO 27001 management system needs frequent review in order to continually improve. “Constant change is here to stay”. ISO 27001 is a journey, not a destination. Starting is often the hardest part.
Furthermore, its champions need to realise that it needs to adapt and change as rapidly as the IT (and your own industry) does.
Meanwhile, if you need a helping hand, impartial advice, or “boots on the ground” then let us know.