In the early days of a company, it is usually sufficient to have efficient and effective processes. However, as that company grows simply having them isn’t enough. It becomes necessary to have objective and indisputable proof that those processes exist and are known and accessible to all staff. About 12 months ago at Wirehive, we reached this stage so decided to commit to a fix that not only meant we documented how things were but pushed us to ensure we were following the very best practice.
The led us to pursue ISO 27001 certification and on 14 July 2018 we received our first ever ISO 27001 certificate, awarded by BSI.
ISO 27001 is an international information security standard which demonstrates that an organisation meets a minimum set of security requirements.
BSI, or the British Standards Institute, is an internationally recognised certification body who have been accredited by UKAS (the United Kingdom Accreditation Service) and who have certified organisations such as Microsoft, Deloitte and Airbus.
What this all means is that we have:
demonstrated a commitment to security from the CEO down to every single employee.
adopted a risk-based approach to making security decisions.
robust processes and procedures for managing security.
regularly train our staff to ensure they have a good level of security competence.
Our Security Measures document provides more information about how we achieve this.
A Dedicated Role
When I joined Wirehive in October last year, my initial objective from the Board of Directors was to achieve ISO 27001 certification. I was given a timeline of 6 months and given full latitude to work out how best to achieve this. The only real constraint aside from simply throwing money at the problem was that the company did not want to become bogged down in needless bureaucratic red tape. Therefore, any changes to processes and procedures needed to ensure we retained our agility, and ability to quickly adapt and change with the market, and our customers’ needs.
I love a challenge and as a department of one, challenging this was.
Not only did I need to learn the company and what everybody did, but I also had to figure out what was already being done to keep our internal infrastructure and customer systems secure. I had to prioritise, and then manage the various elements of change that were needed to improve our security posture, devise and deliver training courses and make sure everything was documented correctly.
Receiving news on 12th April that we had passed our certification audit and were being recommended for award of ISO 27001 certification was therefore met with much celebration and popping of champagne corks. I should probably apologise to our wonderful cleaning staff for leaving a mess of party cannon debris all over the office.
Being a fast growing start up, it would have been easy to become complacent about the amount of work needed to achieve certification. The challenges were necessarily different from those that would be faced by a large multinational organisation.
There is a wealth of information available explaining what needs to be done to gain ISO 27001 certification, there is less information regarding the challenges although there is still plenty. However, there is very little information explaining the challenges that smaller businesses are likely to come up against. I’d like to spend the remainder of this article exploring some of the challenges we faced and how we overcame them.
Perhaps the biggest challenge I faced was getting enough time from other staff members for security related activities which had to be fitted in around their day to day activity and own departmental goals.
In a fast growth tech business, everybody wears multiple hats and is constantly on the go, therefore trying to tie people down for additional meetings, discussions or training can be really tricky. It was even harder when I needed to schedule time with multiple people simultaneously. Whilst this phenomenon is not restricted to start ups, I think it is much more pronounced than in a large organisation where people tend to have much more specialised and boxed-in roles. Therefore it’s something that needs to be given careful consideration when planning how long it will take to achieve ISO 27001 certification.
Planning is essential for success - Plan far ahead.
Creating an implementation plan, including a timeline, was one of the most helpful tools I had at my disposal. It meant I could schedule meetings way in advance, long before people’s calendars started filling up, or with sufficient time for them to reschedule prior appointments.
Keeping meetings short and relevant helps here too – no more than 30 minutes at a time if it can be helped or eyes will glaze over.
As we used to say in the military, no plan survives first contact with the enemy. Whilst neither my colleagues nor our customers are the enemy, the saying remains true. Having a robust plan helps mitigate against last minute customer appointments or staff unavailability. It’s your baseline for assessing progress and a yardstick for measuring deviation, which is invaluable for reprioritising and getting back on track when things inevitably go awry.
New Business Processes and Skills Shortages
Many of the requirements of ISO 27001 are designed to fit into existing business processes. For example, making sure that security training is conducted as part of employee onboarding. However, as a business that has grown rapidly, many of our processes and procedures were not as far developed as the standard expects. In some cases, there wasn’t direct experience within the business about how some of these could be implemented. I’ll pick on security within supplier relationship management as an example.
Before we started our journey to ISO 27001 certification, our contracts with about 300 suppliers were split across various shared drives and personal devices. Formal reviews of supplier performance were almost non-existent and whilst considered individually, security concerns were not addressed in a repeatable and systematic way.
In contrast, we now have all our supplier records in one place, categorised according to their importance to the business. Each supplier has been assigned a relationship owner within the business. The owner is responsible for establishing performance criteria and for reviewing the supplier’s performance against these on a regular basis. Risks to the business, including security risks, are incorporated in this process.
We also developed a set of in-house guidelines which include typical performance criteria and risks for the various categories of supplier to help ease the cognitive workload when onboarding new suppliers and enrolling existing suppliers into the new system. Not only will this help us to manage the security aspects of these relationships but over time will also enable us to consolidate suppliers, drive efficiencies and invest in those who are most valuable to our business.
Finding staff within the business who have existing knowledge and skillsets to be able to implement new processes can be challenging. Making time available to research the myriad of different approaches to implementing a new process can be hard, especially when that time is competing with pressing and immediately tangible business needs.
Convincing the Board that some of the activities ISO 27001 can be a challenge and may take several attempts, especially if you are just getting to grips with them yourself. However, perseverance and finding a way to tie security requirements into one or more wider business activities will make arguments much more persuasive.
ISO 27001 certification can be a fantastic investment. It demonstrates a level of competence and commitment towards information security but more importantly, if approached in the right way, it helps drive genuine business improvement and scope for growth. For a small business especially, the challenges involved in gaining certification can at times seem overwhelming. However, there is room for manoeuvre within the requirements of the standard and with a little bit of flexibility and a lot of imagination, it is well within the grasp of any business.
Having lived and breathed ISO 27001 implementation within a growth focused tech start-up for the best part of six months, I would leave you with the following three bits of advice if you are considering this certification for your organisation:
Allow more time that you think is necessary.
Communicate – little and often.
Don’t be afraid to get something wrong and try again.
If you would like any help reviewing your business’s information security, be that for due diligence or with a view to becoming ISO27001 certified yourselves we offer Security and Compliance consultancy as part of our cloud consulting portfolio.