How to implement ISO

It is one thing to talk up data security as a priority; it is another to pass the ultimate test and achieve ISO27001 certification. Here, Union Street's COO José Fernandez provides a plan of action for channel companies wanting to implement ISO.

While ISO27001 certification is widely considered to be the benchmark for standards in data security, it can be an uphill struggle for many organisations to achieve. Enter Union Street's José Fernandez, who joined the company 13 months ago with a remit to implement ISO27001. Having established a well-thought-out formula for success, Fernandez recorded a triumph when the company was certified in October. Gaining ISO27001 certification demonstrates a company's commitment to information security and confirms that it has established robust processes for data protection. In many cases, having the certification can be a prerequisite for trading with enterprise-level clients. So here's Fernandez's roadmap to gaining ISO27001 status:

Purpose
Before you can begin implementing ISO27001, the senior stakeholders in your business must believe in its aims and understand the benefits of the project. It requires support from the top. We had a number of objectives. These included improving our data security, ensuring that we are doing everything possible to protect partners' data, making sure all staff work in a secure manner, and making sure that our products and services meet the latest security standards. Implementing a sound best-practice framework for managing risk and data security is at the forefront of our minds.

Cost
It's important to create a budget. You need to be comfortable with the cost of completing the certification. Time spent up front fleshing out the costs and getting approval from your finance team will make the journey easier. It will also ensure surprises are kept to a minimum. The costs you need to consider are related to training, audit and certification, external consultancy, increased IT spend and penetration testing. IT spend is probably the trickiest to predict, but don't be put off by this prospect, as most modern organisations will find themselves in a good place already.

Focus
To complete any major project you need focus. It has to be someone's day job to get the project done. We created a new role and appointed an internal Standards and Security Officer (SSO). The SSO quickly created a detailed project plan with key milestones, set up a project board and a risk committee made up of 'risk owners' from the various parts of the business. Assigning risk owners early was instrumental to the success of the project. It created accountability.

Document framework
Create a document framework that is simple, clear and, most importantly, easy to use. No one wants to read a 50-page policy on cryptographic key management when a clear one-page document will suffice. We created too much documentation at first but scaled it down to something more user-friendly as we got our heads around what was needed. There are plenty of document toolkits out there to get you started.

Educate
You have to start at the beginning. It sounds obvious, but if you miss this stage it's difficult to get people to understand where you're going. If the project appears to have no relevance to staff, they simply carry on doing what they've always done. We started by running internal workshops to get the message across. We split these into two key areas: why is data security important, and what simple things can we do to improve it?

Empower
By creating a framework for risk identification and improvement, and ensuring everyone in the company knows how to use it, we made sure that everyone had a role to play in ISO27001. This is ongoing and probably the most important element of what we do today. Ask yourself this question: Can anyone identify a security risk (or any other type of business risk for that matter) and does everyone have a clear way of improving the way they work?

Consistency
Once we had documented our policies, processes and procedures, we created department- or role-specific training based on that material. There is no point in going to the trouble of writing up your business processes if no one uses them. Train people and empower them to improve and refine the processes they use every day - always with data security in mind.

Friend or foe?
Auditors are your friends, so welcome them with open arms and embrace their findings. We approached all of our external audits with this mindset. It will help you to stay relaxed with the process and to appreciate that their suggestions can, and should, be used to improve your business.

Conclusion
We've experienced positive benefits having implemented ISO27001. We now develop our products with security in mind. We think about security throughout the development and testing process, and carry out external tests to make sure customer data can't be compromised. This gives us a competitive edge and provides peace of mind to our partners. Best of all, we now have clear, documented working practices with an avenue for continual service improvement, something everyone in the business can contribute towards.