Odd question of the day - has anyone been through ISO27001?
What did it take to get the accreditation and what does it take to keep it?
thanks!
Yes, I did it years ago. My experience is that it was a massive box-ticking/form-filling exercise and a lovely day out for the inspector, who basically filled in a questionnaire and asked the odd irrelevant question. It is straightforward, yet tedious to acquire and easy to keep as long as you stick to your procedure through documentation. Nobody will ever know unless something horrible happens and you've not documented following process X. People seem to think it tells you how to do things; it doesn't, it ensures you write and follow your own procedures.
My jaded view is that it is a pointless exercise in bureaucracy and we binned off all clients who wanted it as they didn't seem to want the cost adding to their bills. But if your bosses insist then get writing procedures and buy donuts for your inspector and you'll be fine. Others will entirely disagree.
We've helped a few clients through ISO27001 and more through Cyber Essentials Plus; we facilitate the changes on their behalf under direction from the auditors.
It's really hard to ball-park, and whilst I think re-certification for ISO is 3 years, it's a constant process of audits to maintain it.
It's neither cheap, easy, nor quick.
Agree it's mostly about having a set of policies and procedures, we're a big company so the annual exercise is a fairly big deal with things like interviews with employees to make sure they're aware of where to find the documents etc. I just always make sure I'm not in the office when the auditors are in. We actually do an internal audit first (with trained accreditors) - I think mostly as it's a requirement for many contracts, especially government, so losing it would have some serious implications (but as above I think the annual renewals are pretty trivial as you already have everything documented).
We've not done 27001 but have seriously considered it. I think the level of effort will depend on a few things:
1. If you already have some sort of ISO quality management system in place - 9001, 14001, 13485, 17025 etc. If you do, it's an extension of that and the basic process of adding to a QMS isn't going to be too hard. If you don't, that could be quite a slog and a pain in the ass... If you officially have a QMS - is it actually used properly, or is it some folders that sit on the shelf and only get dusted off for an audit, or seen as the "quality department's problem"? We are definitely not in that camp, and even then QA were not that enthused about adding to their burden with 27001.
2. Do you have good fundamental security processes in place? If you've got Cyber Security Essentials Plus - and were going through that saying "yeah, of course" - you'll find the actual requirements for 27001 straightforward. If you went through that making excuses why your business doesn't need that bit, or it was overkill, 27001 will be worse. If you've not got CSE+ yet, I'd do that as a stepping stone. We bailed out after that as it seemed to satisfy our customers that it wasn't just our word for it that we had processes in place.
Keeping it is a case of actually following all the processes you've put in place. So that will be having records to show you do things like destroy old hard disks, quickly update access control when someone leaves, new machines have had the same policies (USB access etc.) applied as the old ones, you are training new staff on the procedures, you are following up on non-conformances etc. External auditors tell me that the biggest issue they see across all ISO standards is lack of "top management buy-in". So senior leadership say "get the certificate", but don't then get involved in the reviews, effectiveness actions etc. That's how the system becomes the folders on the shelf as a tick box rather than how you run your business.
Thanks everyone - really helpful. We have CSE already. I've just been asked about 27001 so we can bid for work with a new potential client.
I'm trying to work out whether the effort and cost involved is worth it for the rewards if we win this client (and others like them).
At the moment I'm working on the basis that the accreditation might take the equivalent of a couple of people full-time for a year (for a 1,000-employee business working with a lot of protected category data) and then the audits are probably the equivalent of 1 FTE.
Does that sound about right?
Probably the right sort of ballpark. With 1,000 employees and lots of sensitive data you should already be doing most stuff anyway. We reckoned we could do it with someone who had done it before, with 1 person full-time in 6 months, but we were smaller than you (although that may not matter depending how you define the scope etc.). I doubt audits would be an FTE just for 27001, but following up on the non-conformances, reporting metrics, and all the other guff you inevitably have to do will turn it into pretty much a full-time effort.
The biggest issues will be when someone in your organisation reads a clause in the standard and either says:
1. "That's easy, we already do that", and the external assessor doesn't agree you've covered it fully - so you have to go back through fixing the gap and reassessment, OR
2. "I don't know what that means" and they head off to the internet (perhaps to a bike forum!) and seek advice, and suddenly you are rewriting the authentication protocols your whole system uses, when you could just have had an extra policy or firewall filter that ticked the box!
Remember that you can define the scope as broad or as narrow as you like/need and also the statement of applicability is the crux of it.
Scope is King. It's a useful measurement of a security management system, and sometimes certification is useful, but try to think of it as an ongoing system, not a once-a-year audit activity.