By Rob O’Farrell, CTO at ID-Pal
Not all ways of protecting yourself are made equal. A locked door is of no use if the window is left open. Just like physical security, there are thousands of ways to approach information security management. The approach we choose is incredibly important to the outcomes we achieve. From the outset of ID-Pal, we made a deliberate choice to prioritise information security. We wanted it to be an integral part of not just our product, but also our entire work process. While it requires careful consideration and upfront effort, when implemented correctly, it seamlessly integrates into our work, becoming a natural outcome rather than an additional burden.
In this article, I aim to provide insights into our journey of developing a fully integrated Information Security Management System. I hope to present a unique perspective on achieving ISO 27001 certification as a natural outcome of running a well-organised and efficient business. By sharing our experiences, I aim to offer a fresh approach to information security within an organisation.
While there are many excellent companies that provide checklists and support for achieving ISO 27001 certification, such as our trusted partners, Waystone Compliance, this article takes a different approach. Instead of simply offering a checklist, I aim to provide practical advice on how to build an effective system that requires minimal effort to maintain while offering optimal protection for your business and clients. The focus here is on creating a robust and streamlined system that seamlessly integrates information security into your organisation’s operations.
What is ISO 27001?
The ISO 27001 standard provides a comprehensive framework that outlines the key areas to address when implementing an effective Information Security Management System (ISMS). It serves as a guide for ensuring that all necessary aspects of information security are considered and incorporated into our operations. It is important to recognise that there is a huge difference between information security and an ISMS. So, what is that difference?
Understanding security controls
We implement firewalls, strong passwords, anti-virus software and so on as “controls” for information security. These are all technical controls. What if the person managing your firewall is compromised? What if the firewall is a single point of failure? You also need suitable measures to select the right candidates for that role and to give them appropriate training, which shows that controls extend well beyond technical aspects into people and processes. The controls to be considered are listed in Annex A of ISO 27001, with implementation guidance in the companion standard ISO 27002. So if the controls have their own list, and even their own guidance standard, what is the main body of ISO 27001 about?
What’s in a system?
To ensure that effective controls are implemented, and that they stay effective, it is crucial to establish a suitable Management System. Every aspect of this system should be defined carefully so that nothing is overlooked.
That includes defining things such as:
- Who is involved?
- What are their responsibilities?
- What are we trying to protect?
- Whose perspectives do we need to consider (Interested Parties to use the correct term)?
- How can we assess the potential risks associated with the assets we aim to safeguard?
ISO 27001 provides a set of clauses that outline the key considerations necessary for establishing a robust system. These clauses serve as a valuable guide, ensuring that all essential aspects are taken into account during the setup process.
A system is made up of multiple documents that define everything from “Why should I do this” to “How do I do this”.
Above all, an Information Security Management System (ISMS) requires a demonstrated, high level of commitment from senior management in establishing and overseeing the ISMS. The inclusion of senior management commitment in the standard is not without purpose: when your staff witness the seriousness with which you approach information security, it has a direct impact on their daily activities and behaviours.
It serves as a vital catalyst for fostering a culture of information security within your organisation, and the commitment demonstrated by senior management sets the tone for the entire business. Failing to secure senior management’s commitment has cascading effects on the information security posture of the whole business and compromises the overall effectiveness of your information security efforts.
Once you have that in place, it’s on to the audit.
The Audit Stages of ISO 27001
This overview provides a high-level perspective on the stages involved, and we highly recommend reaching out to your auditors, such as Certification Europe in our case, to gain a deeper understanding. Their expertise can be invaluable in navigating the process and alleviating any concerns or uncertainties. It’s advisable to engage with them early on to ensure a smooth experience and address any potential unknowns. Their goal is to assist you, so don’t hesitate to seek their guidance.
· Stage one audit: You’ll need to prove that you have a documented system that will satisfy the standard. Do you have the correct policies and procedures? Where any aspect of your work fails to meet the required standard, your auditor will explain in detail why this is the case. They will document it as a “non-conformity” and allow you a designated timeframe to rectify the issue.
· Stage two audit: You will need to provide evidence that you consistently follow the documented system. Once you do that, you are certified. The certification lasts for three years, after which your whole system must be reviewed and recertified.
· Maintenance audits: After obtaining certification, a maintenance (often called surveillance) audit schedule is established; depending on the certification body this is typically every six or twelve months. These audits examine specific parts of your system, ensuring that you continue to adhere to the standard. These regular check-ups help maintain ongoing compliance and ensure that your processes and practices remain in line with the required standards.
Implementing an Information Security Management System (ISMS)
It’s not a noose
The most important thing to know when setting off on your Information Security Management System (ISMS) journey is that the System and the ISO 27001 standard are not a noose. They are not there to restrict you, or stop you from making decisions, nor to slow you down. In fact, it’s quite the opposite.
A well-developed ISMS provides you with a structured framework to effectively handle various situations, ensuring that no critical aspects are overlooked during a crisis. By having a documented ISMS in place, you avoid the need to start from scratch or improvise when you’re under pressure. Instead, you can rely on established processes and procedures, which ultimately leads to faster and more consistent outcomes based on my experience.
I remember thinking at first that all this documentation and all these rules surely must restrict you. However, I’ve seen over time that the tools for flexibility are built into the standard. To take a few examples:
Scope for flexibility
By defining your own “Scope” for the system, you have the flexibility to define what areas should be encompassed by the ISMS. It is important to consider the expectations of stakeholders and cover essential activities without excessively complicating every process. This approach allows you to strike a balance between covering core activities and avoiding over-engineering every process.
You also define a “Statement of Applicability”: a list of the Annex A controls stating which are relevant to your business and, for any you exclude, the justification for excluding them. The management-system clauses themselves (context, leadership, planning, support, operation, performance evaluation and improvement) cannot be excluded; the flexibility lies in the controls.
Your policies can include a documented exceptions procedure, allowing you to deviate from a rule within your policies when unforeseen circumstances arise. This gives you a remarkable degree of flexibility and adaptability, because it provides a defined process for determining when a rule should not be enforced, and it records the deviation and who approved it rather than letting it happen silently.
To cover one final example, the approach to risk management involves establishing a “Risk Appetite” for your business. This may seem insignificant, but it plays a crucial role when you encounter situations where protecting against an extremely unlikely risk comes with exorbitant costs and minimal benefit. You can decide what is appropriate for your business in a consistent way that you can clearly explain to your clients. The one condition the standard attaches is that accepting a residual risk must be a recorded decision by the risk owner, not an omission. This not only provides you with flexibility but also allows you to demonstrate your responsibility to your clients. It is a powerful combination that enhances both your adaptability and your commitment to client satisfaction.
Not just a simple tick-a-box exercise
It is easy to assign your certification process for ISO 27001 to a Security team and have them tick a box. You may even get certified. However, the consequences of neglecting the above considerations will eventually catch up with you. Allow me to explain a few reasons why.
For an ISMS to work, it is something that has to be thought of and applied by every employee on a daily basis. In the scenario where an employee observes that senior management either avoids discussing or dismisses the importance of the Information Security Management System (ISMS), it can have significant implications. If these employees are ambitious and witness that disregarding the ISMS has enabled others to climb the corporate ladder, they may become similarly indifferent and fail to prioritise it as they should.
There is also a practical aspect to consider. When the team responsible for building the ISMS is not the same group of individuals who carry out the daily tasks, challenges arise during the system’s implementation. While you may ask everyone to read and adhere to the documented procedures, they might find that these guidelines do not align with the real-life challenges they encounter. As a result, some employees will make an effort to engage and resolve the conflicts, while others will simply continue following their established routines.
Who should do it?
An ISMS only works if it reflects what you really do on a daily basis. A Security Team or security-specific resources can be very helpful, but this must be viewed as something requiring regular involvement from all affected departments.
A system that everyone feels part of will roll out seamlessly. It will already account for their daily challenges. Even more significantly, having widespread understanding and buy-in of the ISMS empowers employees to recognise when changes are necessary in the policies as their daily activities evolve. Without the collective support and involvement of all team members, you may find yourself needing to redesign the entire system within just a few years!
Ask for help
Everyone should be involved, but equally we can’t expect everyone to become experts on ISO 27001. I highly recommend that anyone embarking on this journey seek assistance from an appropriately skilled and knowledgeable third party like Waystone Compliance. Their expertise was invaluable to ID-Pal during the implementation phase, providing guidance that hugely sped up the process. We had a clear vision of seamlessly integrating this system into our workflow, and Waystone Compliance’s guidance, coupled with the expertise of their Information Security Management System (ISMS) specialists, enabled us to align our goals effectively. It is up to you to be clear with your advisors that you want to put in the effort to create a fully integrated solution. They are there to guide you, but they cannot make decisions for you about how to run your business.
Take your time and integrate, don’t separate
Our approach to the ISMS led to a completely integrated setup, starting from the documentation of what we do, all the way through to the daily management of that work. For example, for any clause in the standard:
- Map it to the policy that implements that clause
- From the policies identify the tracking mechanisms in place to monitor the progress of work
- Ensure you can see the status of the work and all associated risks
This means that at any given time, when I’m working on something for information security, any of our staff can see “why” they are doing what they do, giving more purpose to work that would otherwise be mundane. This approach ensures that we are always prepared for audits, as there is no need for last-minute preparations. It also means we can easily demonstrate to auditors the seamless thread connecting the system itself and the evidence of its utilisation. Simple, right?
In order to achieve something so simple, you need to invest some effort upfront. I recommend that once you have developed an initial draft of the policies you are implementing with your expert security team, it is crucial to hold discussions with all the relevant teams involved. During these discussions, go through each point in the policy to ensure clarity and address any concerns or questions.
Following these simple steps will help you:
a. Don’t read the document aloud to everyone or ask them to read it
b. Instead, explain why the document says what it does and what risks it prevents
c. Ask the team what they currently do for the affected processes and why
d. There is always some way of wording things so that you achieve the spirit and goal of the standard without adding unnecessary effort to daily activities
As a result, you create a simple system with minimal overhead and without losing the learnings of the people who live this work every day.
In our system, we wanted to take this a step further. We didn’t want the two-way process of education and learning to be a once-off affair. We also didn’t want evidence gathering to show we were following the system to be an overhead. Therefore, we used Monday.com to track every aspect of our system, and our daily work. Monday.com allows you to create customisable “boards” where you can track any information you like, and to discuss that information like on a messaging board. This approach enables you to have project management, designs, and ongoing discussions in a contextual manner for virtually any activity. Additionally, it offers a feature called “connected columns” that facilitates linking information from one area of your company to any other area within your organisation.
For example, we track our “Statement of Applicability” on one board, which maps to “Policies”, and each Policy maps to the Project Management boards, and Risk boards where that work is managed on a daily basis. When looking at policies, we can see any work done associated with that policy. When doing any work, we can connect back to the policy and see why we do it.
That means no manual effort to gather evidence before an audit.
That means everyone can understand why they do what they do.
That’s powerful. When you compare that to the alternative of having a set of documents that people read once a year, the difference is immeasurable. The level of insight that gives senior management into what is working and not working, allows us to stay incredibly proactive in improvements to the system.
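The linked-board structure above (Statement of Applicability to Policies to work and Risk boards) and the Risk Appetite test described earlier are easy to reason about as one small data model. The following is an added example written for this article, not ID-Pal’s system or anything exported from Monday.com. It models the same thread of traceability in Python and runs the checks an auditor would ask about: every applicable control has a policy, every excluded control has a justification, every policy has evidence of use, and every risk above the appetite is treated and has a recorded owner acceptance. All policy, work item and risk identifiers are constructed for illustration; the Annex A control numbers are taken from the 2022 edition of the standard and should be checked against the edition you certify to.

```python
"""Traceability model for an integrated ISMS (added example, not ID-Pal's code).

Mirrors the board linking described in the article:
Statement of Applicability (Annex A controls) -> Policies -> Work items with
evidence, plus Risks scored against a Risk Appetite threshold.
All policy, work item and risk identifiers below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Control:
    id: str
    title: str
    applicable: bool
    justification: str = ""          # required when a control is excluded


@dataclass
class Policy:
    id: str
    title: str
    controls: list[str]              # control ids this policy implements


@dataclass
class WorkItem:
    id: str
    policy_id: str
    status: str                      # "open" or "done"
    evidence: list[str] = field(default_factory=list)


@dataclass
class Risk:
    id: str
    asset: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe)
    policy_id: Optional[str]         # treating policy, None if untreated
    accepted_by: Optional[str] = None  # risk owner who accepted the residual risk


def risk_score(r: Risk) -> int:
    """Simple likelihood x impact score, compared against the appetite."""
    return r.likelihood * r.impact


def trace(control_id: str, policies: list[Policy], work: list[WorkItem]) -> dict:
    """Follow the thread from one control to the evidence that it is applied."""
    chain = {}
    for p in policies:
        if control_id in p.controls:
            chain[p.id] = [ev for w in work if w.policy_id == p.id for ev in w.evidence]
    return chain


def readiness_findings(controls, policies, work, risks, appetite: int) -> list[str]:
    """Return the gaps an auditor would raise; an empty list means audit-ready."""
    findings = []
    covered = {c for p in policies for c in p.controls}
    for c in controls:
        if c.applicable and c.id not in covered:
            findings.append(f"{c.id}: applicable but no policy implements it")
        if not c.applicable and not c.justification:
            findings.append(f"{c.id}: excluded from the SoA without justification")
    for p in policies:
        items = [w for w in work if w.policy_id == p.id]
        if not any(w.evidence for w in items):
            findings.append(f"{p.id}: no evidence that the policy is applied")
    for r in risks:
        if risk_score(r) > appetite and r.policy_id is None:
            findings.append(f"{r.id}: score {risk_score(r)} exceeds appetite {appetite} and is untreated")
        if r.accepted_by is None:
            findings.append(f"{r.id}: residual risk has no recorded owner acceptance")
    return findings


# Constructed sample data (hypothetical policies, work items and risks).
CONTROLS = [
    Control("A.5.15", "Access control", True),
    Control("A.8.12", "Data leakage prevention", True),
    Control("A.7.14", "Secure disposal or re-use of equipment", False,
            "No on-premise hardware; laptop disposal handled under supplier contract"),
]
POLICIES = [
    Policy("POL-ACC", "Access Control Policy", ["A.5.15"]),
    Policy("POL-DLP", "Data Handling Policy", ["A.8.12"]),
]
WORK = [
    WorkItem("WI-101", "POL-ACC", "done", ["Q2 access review export"]),
    WorkItem("WI-102", "POL-DLP", "open"),          # started, nothing evidenced yet
]
RISKS = [
    Risk("R-1", "customer document store", 3, 5, "POL-ACC", "CTO"),
    Risk("R-2", "office printer", 2, 1, None, "Ops lead"),   # within appetite, accepted
    Risk("R-3", "laptop fleet", 4, 4, None),                 # above appetite, untreated
]
APPETITE = 8

if __name__ == "__main__":
    print("A.5.15 ->", trace("A.5.15", POLICIES, WORK))
    for f in readiness_findings(CONTROLS, POLICIES, WORK, RISKS, APPETITE):
        print("finding:", f)
```

Run against the sample data, the trace shows the one access-control policy and its evidence, and the readiness check reports three findings: the data handling policy has no evidence yet, and the laptop-fleet risk is both above appetite without a treating policy and lacking an owner’s acceptance. The point of keeping the links as data rather than as a once-a-year document is that this check can run whenever a board changes, which is what removes the pre-audit scramble.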
The Argument for an Integrated ISMS
In this article I’ve highlighted how a few small tweaks in your approach can dramatically change outcomes. As a result of the approach above, ID-Pal has never had a non-conformity (major or minor). Furthermore, our system has been hailed by Certification Europe for the completely unique and very successful way in which we apply information security. You can download the full case study here.
I highly recommend taking a little extra time and setting your ISMS up the right way. Ensure you bring your team on a journey, don’t give them a set of rules that don’t make any sense. This kind of integrated approach gives better outcomes for less effort and provides massive benefits for our business every day with peace of mind for all our customers.
I look forward to the time when implementing an ISMS in this manner becomes the norm rather than the exception. I envision a future where information security is seamlessly ingrained in our everyday practices, without requiring any additional effort on our part.
Connect with Rob O’Farrell on LinkedIn here.
Winner of Best Customer Facing Experience at the Pay360 Awards and currently shortlisted for Accounting Tech of the Year the Europe FinTech awards, ID-Pal is an award-winning ISO 27001 certified SaaS solution that enables businesses to verify the identity and address of customers in real-time and meet their AML/KYC compliance requirements. The plug and play platform can be up and running in the same day, and is also available as an API/SDK. Customisable to the specific needs of any business, the solution eliminates the complexity, cost, timelines, and risk associated with regulatory compliance.