By Katie McMillan – Senior Information Security Consultant
“Life is more fun when you treat its challenges in creative ways” – Bill Gates
There is nothing more frustrating than embarking on an exciting project and putting a lot of time and effort into something only to find that it hits a brick wall, or the progress is so slow you find that snails are lapping you. It’s hard to remain invested in something when things feel too onerous and you can’t seem to picture any meaningful progress along the way.
ISO 27001, like many information security standards, has its fair share of challenges, difficulties and overall bad press. But, as many have said before, these challenges are surely just opportunities in disguise. After all, the standard itself is written to help businesses protect the Confidentiality, Integrity and Availability (CIA) of their information, which can only benefit your company.
SRM has compiled the top 5 challenges to obtaining the ISO 27001 certification for your business, and how to counter that snail pace.
1. Risk Assessment
Essentially, risk assessment is carried out every day, by everyone. We assess situations in our everyday lives and we remediate the risks we find, whether crossing the road, checking the weather before we leave on a long journey or buying a new car. We unconsciously assess risk all the time, so it makes sense that this should be done deliberately when it comes to protecting the CIA of information.
ISO 27001 is built around a solid Information Security policy and a Risk Assessment Methodology. If this isn’t in place, then you’ve fallen at the first hurdle, as there isn’t an auditor in the land who will proceed past stage one without a risk assessment. The main challenge with risk assessments is that they look scary and over-complicated.
Risk assessment doesn’t have to be complicated or time consuming. Assess the risk to the Confidentiality, Integrity and Availability of the information by scoring the impact and multiplying it by the likelihood; this gives you an overall risk score or rating. Then, by agreeing mitigating actions that reduce the likelihood, the impact, or both, you can re-score the risk and the risk rating will fall.
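As an added illustration of the scoring approach described above (this is not code from the SRM post), the following Python models a small risk register: each risk is scored for impact on C, I and A and for likelihood, the inherent score is impact multiplied by likelihood, and mitigating actions lower impact and/or likelihood to give a residual score. The 1 to 5 scales, the rating bands and the sample risk are assumptions chosen for illustration, not values taken from the standard.

```python
from dataclasses import dataclass, field

# Assumed scoring scale: 1 (lowest) to 5 (highest) for both impact and likelihood.
SCALE = range(1, 6)


def rating(score: int) -> str:
    """Map a score (impact x likelihood, so 1..25) to a band. Band edges are assumed."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    confidentiality: int   # impact if confidentiality is lost
    integrity: int         # impact if integrity is lost
    availability: int      # impact if availability is lost
    likelihood: int
    # Each treatment is (description, impact reduction, likelihood reduction).
    treatments: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so the register stays consistent.
        for value in (self.confidentiality, self.integrity, self.availability, self.likelihood):
            if value not in SCALE:
                raise ValueError(f"{self.name}: score {value} is outside {SCALE}")

    def impact(self) -> int:
        # Assumption: the worst of the three CIA impacts drives the overall impact.
        return max(self.confidentiality, self.integrity, self.availability)

    def inherent_score(self) -> int:
        return self.impact() * self.likelihood

    def residual_score(self) -> int:
        # Apply each mitigating action; neither factor can drop below the scale minimum.
        impact, likelihood = self.impact(), self.likelihood
        for _, impact_cut, likelihood_cut in self.treatments:
            impact = max(SCALE[0], impact - impact_cut)
            likelihood = max(SCALE[0], likelihood - likelihood_cut)
        return impact * likelihood


def register_summary(risks: list) -> list:
    """One row per risk: name, inherent score and band, residual score and band."""
    return [(r.name, r.inherent_score(), rating(r.inherent_score()),
             r.residual_score(), rating(r.residual_score())) for r in risks]
```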
2. Ownership of the project
A common misconception about ISO 27001 is that the project should sit solely with the IT department. Although there are sections of controls which are relevant for IT to implement, it is very important to ensure all the key departments within the organisation are around the table. For example, ISO 27001 has sections which relate to HR policies, physical controls (which could sit with estates or facilities) and data protection, all of which can be separate from the IT department.
It is important to check the standard to ensure you are involving all the departments within your organisation.
3. Lack of project planning
Because the standard is in depth and involves a number of departments, the information may sit in various areas of the business, and the project can become cumbersome and unmanageable quite quickly. Some departments might be ahead of others, and keeping the conversation going when people are in different offices or even different sites may put unnecessary strain on the project timeline.
It is always a good idea to plan the project thoroughly and assign a project manager to run with it. By assigning someone with full responsibility for the meetings, actions, and accountability of the timeline, the organisation can be assured that someone is maintaining control of all the various milestones.
4. Stakeholder investment
It is necessary to get the investment of the required departments, their management and the key players in the project. As cyber security professionals, SRM are often asked the question ‘Why do we need to implement these controls? We have always worked this way.’ In an ISO 27001 project, it is likely that the person running it will encounter some push back from various teams about the why and the how.
The best advice is to split the project down into smaller chunks, so it appears less intimidating. Make sure you have a realistic timeframe so that people do not feel intimidated by having to make too many changes at once and explain the process as and when required. Be open and honest with the team and explain the benefits of certification. If you struggle, you can always point them in the direction of an SRM blog – Why get the ISO27001 certification?
5. Gap Analysis and communication
During the initial phase of planning to gain your certification, you will need to conduct a gap analysis to establish which evidence is present and which is missing. This can be a difficult task to handle and needs to be planned carefully. Again, keeping the right people involved is key. For example, if during the gap analysis you can’t find a policy or procedure and write one yourself, only to discover a week later that it had already been written and was just stored elsewhere, you will have wasted a great deal of time and effort.
It is key to make sure all the stakeholders are involved in the gap analysis from the start and then they can advise if some evidence is already written or a process is already followed. Carrying out a gap analysis or a risk assessment on your own will cause you more challenges and the stakeholders might not be invested in the outcome of the project. Communication is key to the outcome of any audit. Keeping people informed means they can provide valuable input into the certification process.
ISO 27001 does not need to be a complicated or tiresome process. With the relevant focus in the right areas and some detailed project planning, you can achieve a positive result within your desired timeframe.
If you are struggling with where to start and looking for some assistance with your certification project then get in touch with SRM on our website https://www.srm-solutions.com or call us on 03450 21 21 51.