MaxTAF’s Experience Gaining ISO 27001 Certification as a Small Business

In April 2024 MaxTAF successfully achieved the substantial goal of becoming compliant with, and certified for, the ISO 27001 standard, which focuses on the processes, documentation and procedures that help protect our own information and that of our (exclusively large enterprise) clients. This standard is an increasingly important item to maintain, particularly for IT-focused businesses such as ourselves operating within the enterprise space.

The scope of our information security management system (ISMS) included our products as well as our entire organisation, and also covered any of our clients’ information.

This article is intended to help any small organisation understand some of the expectations they should have going into ISO 27001 certification preparation and audit, particularly if they operate in the enterprise IT environment.

Introduction

At MaxTAF, we’ve always taken data and network security seriously. However, like many small businesses, we initially lacked the time and resources to formalize our processes. Instead, we preferred a security-by-design approach. Over time, the necessity for formal compliance with the ISO 27001 standard became apparent due to the increasing complexity of our systems and industry requirements.

The Beginning

In 2022, we made our first attempt to formalize an asset register and develop a security policy. This initial effort, along with internal auditing, led to the beginnings of a documented ISMS and revealed certain vulnerabilities. It also consolidated knowledge across various departments, advancing overall knowledge cohesion. However, other priorities prevented further progress, and we didn’t pursue ISO 27001 certification for another 18 months.

The Decision to Pursue Certification

In November 2023, during a brand overhaul, we decided that ISO 27001 certification was essential to remain competitive. We initiated a project to formally go through the ISO 27001 process and achieve certification. This required a steep learning curve for the entire team. Here are some key learning moments we’d like to share with anyone aiming for ISO 27001:

Understand What the Standard Is

We initially misunderstood ISO 27001, thinking it was solely about cybersecurity and making systems impenetrable. ISO 27001 is actually about creating policies and processes that ensure robust management of information security. It’s less technical and more organizational. Compliance involves adopting an ethos of reliable and accountable information protection.

Actionable Insight: Focus on developing robust policies and processes, not just technical defenses.

Identify and Mitigate Risks

The standard helps you identify threats and risks to your business and information systems, come up with plans to minimize these risks, and have strategies in place if those risks materialize.

Actionable Insight: Conduct a thorough risk assessment to identify and address potential vulnerabilities.

Understand Annex A

Annex A is an exhaustive list of best practices. While the standard allows for some non-applicability statements, some clauses are mandatory. Understanding what can and cannot be removed from the scope is crucial.

Actionable Insight: Familiarize yourself with Annex A and determine which controls are relevant to your business.

Manage Your ISMS

ISO 27001 emphasizes organizing, versioning, and labeling documents to ensure clarity and relevance. Proper documentation management was a strong recommendation from our auditor, highlighting continuous and accountable improvement.

Actionable Insight: Implement a robust document management system to track changes and improvements.

The Audit Process

The initial audit phase focused on ISO documentation rather than processes. Our auditor explained what information was needed and noted that future audits would emphasize demonstrating compliance.

Actionable Insight: Prepare comprehensive documentation and be ready to show how you meet the standard’s requirements.

Flexibility for Small Businesses

ISO 27001 is designed for both small and large organizations. Even if your ISMS is immature, showing intent to improve can help you achieve certification. As a small company, compliance aligns you with other organizations that depend on ISO 27001.

Actionable Insight: Don’t be discouraged by the size of your organization; focus on continuous improvement and compliance.

Get Expert Help

If you’re inexperienced, consider hiring consultants who can conduct informal assessments and audits, and explain complex parts of the standard.

Actionable Insight: Invest in expert advice to streamline your certification process.

Purchase ISO 27002

ISO 27002 elaborates on what ISO 27001 is looking for, making it easier to prepare for and pass the Annex A section of the audit.

Actionable Insight: Use ISO 27002 as a companion guide to strengthen your compliance efforts.

Allocate Time and Resources

We dedicated a subject matter expert full-time to develop our ISMS, involving extensive meetings with stakeholders. This effort led to a comprehensive asset register and threat list, resolving vulnerabilities quickly.

Actionable Insight: Dedicate sufficient time and resources, and involve relevant stakeholders throughout the process.

Use Tools Like ChatGPT Responsibly

We used ChatGPT to draft the bones of our ISMS documentation, but it’s crucial to review and edit outputs to ensure relevance and accuracy.

Actionable Insight: Leverage AI tools for efficiency, but always validate and customize the outputs.

Cross-Reference Documentation

Highlight the specific ISO 27001 clauses a document or section relates to. This helps auditors and makes your ISMS highly traversable.

Actionable Insight: Cross-reference your documentation with ISO 27001 clauses to facilitate easier auditing.

Understand Audit Phases

The audit typically has two phases: an initial overview and a detailed line-by-line check. This staging limits the cost at risk: if the auditor sees no point in moving past phase 1, you have not yet paid for the detailed check.

Actionable Insight: Prepare thoroughly for both audit phases to ensure smooth certification.

Address Non-Compliance Issues

You have space to address observations and minor non-compliances before final certification. We had one minor non-conformity but resolved it quickly.

Actionable Insight: Address any non-compliance issues promptly to stay on track for certification.

Final Thoughts

Approach ISO 27001 with the mantra “keep improving.” The ISO body emphasizes continuous improvement, flexibility, and high standards. By complying with ISO 27001, you contribute to a more trustworthy world while enhancing your organization’s accountability.

Actionable Insight: Embrace a continuous improvement mindset to maintain and enhance your ISMS over time.

ISO 27001 certification is a journey that starts with the decision to improve continuously, extends through thorough preparation for certification, and persists through ongoing optimization of your ISMS.
