How do you maximise the benefits of ISO 27001 certification? We use it as a practical tool to integrate security into our daily work, and to make ISO more than just compliance, as we explain below. We hope you can find some ideas to make ISO security work in your favour as well.
Even though entrepreneurs and innovators are bombarded with news headlines about cyber attacks and security breaches almost every day, security still does not often reach the top of their priority list. And don’t even mention security compliance. Let’s agree on some basic terms first: Security vs Security Compliance.
According to the SANS Institute, Security (aka Information Security) refers to the processes and methodologies which are designed and implemented to protect confidential, private and sensitive information or data from unauthorised access, use, misuse, disclosure, destruction, modification, or disruption.
In contrast, Security Compliance is about being able to demonstrate a good security state against standards, internal policies and external requirements from customers and regulators. Security is what you actually do; compliance is the evidence that you do it.
No one can deny that a good security state is important to our customers. And we need to be able to demonstrate how we actually achieve a good security state. We believe that ISO 27001 certification is not only an effective way to demonstrate it, but it also helps build customer trust, and removes hurdles that may prevent you from winning more business.
Unfortunately, it’s very common to see organisations treat compliance certification as a box-ticking exercise: difficult, burdensome and meaningless. This perception led to a divergence between Security and Security Compliance, and saw organisations who engaged in ‘box-ticking’ miss out on the real benefit of ISO (building a robust security risk management program). Worse, with no benefits, they still bore the cost of the exercise: time and money they might instead have invested in building better products and services.
Frankly, we would suggest that these organisations stay away from ISO until their mindset changes.
When we embarked on our ISO certification project, initially the team was not sure when and how to prepare for the ISO certification process.
Undoubtedly, our no. 1 accelerator was assigning an owner.
Specifically, we assigned ownership to someone who deeply understood the security compliance landscape of the financial industry, and who proactively advocated for baked-in security for DevOps: our Security Engineer. Our Security Engineer also explained that ISO 27001 is not meant to be a security-control bully, but a tool for robust security risk management and governance. This nuance helped the team embrace a risk-based approach for security management.
Managing risks is what entrepreneurs do every day. The essence of security risk management is very similar. For us, instead of creating some artificial risk appetite, we asked ourselves a series of questions: How much risk is the business prepared to take? How likely are the application service and customer data to be compromised, whether through security weaknesses in people, process and technology or through external cyber threats? We made sure that we took a long-term view and aligned our risk appetite to the business’s trajectory and ambition. From there, we worked out a meaningful risk-management strategy that supports us in meeting the security requirements of our local and global customers.
In addition, our Security Engineer facilitated and performed a series of exercises (such as internal cloud security reviews, threat modelling and external app penetration testing). Instead of guessing, we used real data to understand differences between our objectives and our as-built environment. Once our business-aligned risk appetite and management strategy was clear, risk mitigation and triage became much more straightforward to the team. At the same time, we started to see the convergence between Security and Security Compliance.
We had a really good story to tell (and great evidence to show) ISO auditors regarding our management of security risks. One thing worth noting is that before we pulled the trigger and booked in auditors’ time, we also engaged a reputable security consultancy to provide guidance while we were navigating the process for the first time.
Now, you may ask, “Shouldn’t ISO auditors tell you what security controls you must implement to pass the audit?” The answer is “No! Not at all.”
Forget about ISO certification for a minute. As a business owner, you need to be comfortable about how you manage risks and customer expectations. You know your business and your risks better than anyone. If you are happy, and if you can show auditors why there is no reason for them to have any objection, they will be happy too. ISO auditors will only have problems when you say you do A, but you actually do B.
Now we are getting to the convergence between Security and Security Compliance that we alluded to earlier. That’s the secret for making ISO work in our favour, and for avoiding a documentation nightmare.
We formalised security controls, processes and tools around the DevOps process. In other words, we only adopted the security controls that were mission-critical in supporting DevOps. The documentation naturally became lean, and didn’t live in some isolated Confluence space, secret folder or Jira board hidden from the sight of the DevOps team. Instead, it was part of the same assignment system and backlog that the team used. We have a near-zero tolerance for any documentation or process that’s created only for the sake of compliance.
If you’re ready to plan your own ISO 27001 certification, five tips will help you get off to a healthy start.
1. Start the conversation early
Consult with a security consultancy early to sketch out an effective project plan if you don’t have much experience dealing with ISO 27001. Make sure that you select a consultancy with a track record of successful ISO implementations for organisations of your size. Smaller firms are typically more pragmatic, and can help you avoid unnecessarily lengthy documentation.
2. Say no to cookie-cutter solutions
A cookie-cutter solution typically leads to full adoption of all 114 Annex A controls from the standard (the 2013 edition; the 2022 revision consolidates them into 93) across every aspect of your business. That’s ineffective and inefficient. Remember, ISO 27001 is about risks and how your organisation manages its own risks. Annex A is a checklist of candidate controls, not a mandate: the standard expects you to justify, in your Statement of Applicability, which controls you include and which you exclude, based on your risk assessment. Scope out your key business processes and identify mission-critical security controls for your ISO certification.
3. Aim at sustainability to avoid burying yourself in documentation
ISO certification is not a once-and-done activity. It’s an ongoing process (certification runs on a three-year cycle with annual surveillance audits in between) and should be embedded into your operational processes. So, build something that’s sustainable, otherwise maintaining the certification becomes a drain on the team’s capacity and a risk in its own right. Don’t confuse must-have with nice-to-have security controls.
4. Prioritise risk mitigation solutions that will go a long way over patchwork
Keep risk in mind when selecting technologies, and when architecting designs for software and infrastructure. Adopt security engineering principles in the software development process to avoid retroactive fixes after applications are in production, where they are far more expensive and disruptive.
5. Engage the team and bake security into everyone’s work
Don’t make security a bolt-on feature, or security compliance a box-ticking exercise. If security is treated as an integral part of the DevOps team’s workflow, it will no longer be confined to a silo where it causes a compliance burden that neither adds value to the business nor improves security.
Find ways to take more control over your ISO 27001 certification, and turn it into a good business investment.