ISO 27001 is an international standard that sets a fairly flexible framework for how to operate as a secure organisation, with risk management as its most important area.
We started to think about ISO 27001 certification last year after our annual retreat. We were inspired by a friend of our CEO who works for one of the best certifying bodies worldwide. He prepared a lecture and talked to our employees about security risks, especially in the digital world. We analysed the effects of possible ransom attacks and their increasing frequency. People at LEOCODE are genuinely aware of security threats, probably more aware than the average non-technical person. However, even for them that presentation was very disquieting. That was the beginning of our journey to improve the level of security in our organisation.
Did I have any doubts about the certification before starting?
A lot! To be honest, I was quite a sceptic at the beginning. I imagined that all this paperwork wouldn't bring any benefits other than good marketing. I was wrong. The ISO 27001 standard helps to shape processes in the company in a well-structured and secure way.
It's not commonly discussed, but consistency is a precious benefit of having ISO 27001 implemented in the organisation. The standard prompts us to build a coherent system for securing information. "System" is the key word in this context: all processes need to be integrated and work well in every single department. With that in place, it's much easier to avoid gaps or edge cases that could create risk. While you are preparing for audits, you also improve organisation across the whole company.
We learned a lot during these months of preparation. However, the most crucial knowledge was about ourselves. We found some operational weaknesses which needed to be addressed before the external audit. We screened every single department, looking for weak points. As a result of these internal audits, we planned activities to improve the level of security at LEOCODE.
We prepared LEOCODE for an external audit for several months and found that there are some milestones that have to be reached before inviting the auditors:
- choose the certifying body,
- set up an internal team that will take care of the ISO 27001 implementation and keep the board informed about progress,
- plan and conduct internal audits for every department, and prepare reports that describe, among other things, potential non-compliances,
- take care of the issues found: measure the risks, plan how to manage them, and keep resolving tasks one by one,
- keep informing the whole organisation about the changes you implement. Remember – your system doesn't change anything if you do not instil it in your employees,
- invite the auditors when you are ready. Ready means you know the system and it actually works. Auditors are going to ask for proof that your whole organisation acts as planned in the system documents. If you have carefully considered the suggestions contained in the ISO 27001 standard while creating your Information Security Management System, don't worry. After a dozen hours of interviews with the auditors you can enjoy your well-earned certificate.
Is this the end of the story?
Nothing could be further from the truth. Implementing ISO 27001 is a continuous process of adapting the organisation to security standards. The business environment keeps changing, so you need to be ready for new security threats. However, by applying the standards offered by ISO 27001, you can feel confident and secure in your pursuit of excellence.