A Step-by-Step Guide to Creating an ISO 27001 Compatible ISMS

Getting ISO 27001 certified isn’t rocket science. Use the tools you already have, apply common sense, and you will be fine in any audit.

More and more enterprise customers expect their suppliers to be ISO 27001 certified. Therefore, startups and SMEs need to find ways to deal with ISO 27001 in a lean and modern way.

The core of any ISO 27001 certification is the so-called Information Security Management System (ISMS). In analogy to the Quality Management System (QMS) for ISO 9001, no company can get ISO 27001 certified without an ISMS.

Don’t try to google “ISMS” and hope for a lean and pragmatic solution. There are tons of consultants and tool providers out there who are eager to sell their services and solutions, respectively. Such offerings are geared towards larger organizations; they will overwhelm your startup or SME both in terms of effort and costs.

Instead, I am urging you to use a very simple method to set up your ISMS: common sense. Read the norm, think about what steps are required to become compliant, and implement the steps accordingly. Sounds over-simplified, huh? Read on for a real-life step-by-step experience from a 30-person B2B SaaS company.

Step 1: Read the ISO 27001 Norm

Reading norms is not fun, I agree. However, the ISO 27001:2013 norm features an Annex A with reference controls for all aspects covered by the norm. In this part of the norm, you’ll find very tangible requirements you need to fulfill before the auditor arrives.

Annex A will be your blueprint for all the next steps.

Step 2: Define the Scope of Applicability

Defining the scope of applicability of your ISMS is the next thing you should do. Now you know from Annex A what requirements you need to fulfill, so you can define which requirements apply to which parts of your organization.

It doesn’t always make sense to apply all requirements from Annex A: For example, if your business doesn’t develop software, you can skip some or all of the requirements in A.14. If your business does develop software, you need to take an extra-careful look at the requirements in A.14.

Likewise, under certain circumstances, it might not make sense to certify your entire organization under ISO 27001. For example, you can limit the validity of the ISO 27001 certification to a certain location, or certain departments. I honestly can’t think why this would be useful in a startup or an SME, but it is a possibility as offered by the norm.

Step 3: Create JIRA Board with Non-Compliances

Now that you know the requirements of the ISO 27001 norm, and you have defined the scope of applicability for your business, it’s time to start closing the non-compliances. Don’t start writing your ISMS yet; you’ll do the work twice if you do!

We have a culture of pragmatic tool usage, and for many task-related things, we use JIRA. So we created a JIRA board showing all the non-compliances we needed to close before the ISO 27001 initial certification:

JIRA board showing all non-compliances, ordered by Annex A chapters (source: author)

Some example tickets are shown in the above screenshot; of course, the actual to-do’s are highly dependent on the nature and the state of your business.

Step 4: Implement Non-Compliances Using Common Sense

As can be seen from the above screenshot, most of the non-compliances are now set to “done”; of course, the initial certification audit is already over! Nevertheless, there are still a few open tasks that stem from minor non-conformities found during the certification audit.

I would like to take the fear away from minor non-conformities. It is perfectly fine to have some minor non-conformities during the certification audit, and you’ll get a full year to close them. As a startup or SME, you will need to set priorities, and nobody needs to be ashamed to have minor non-conformities during the certification audit.

We closed our non-compliances using the IT tools we already used. Here is an excerpt of our tool landscape:

  • JIRA
  • Google Identity Platform, incl. 2FA and SSO
  • Google Drive
  • LastPass Enterprise
  • AWS Cloudwatch
  • PagerDuty
  • Ubiquiti Network Console

See, it’s not rocket science. Common sense will lead you towards the goal within a short period, and without exorbitant costs.

Here are some examples of how we implemented certain aspects for both the ISO 9001 and ISO 27001 certification using JIRA:

Building An ISO 9001 Compliant Risk Management Tool Using JIRA

Building An ISO 27001 Compliant Asset Management Tool Using JIRA

Step 5: Choose Your ISMS Tool

We’re getting closer to the ISMS now. You could start typing away in Word or Confluence straight away, but please hold on for a second.

First of all, you want to be sure that only authorized persons in your organization can change or update your ISMS. Therefore, you should consider a tool that controls the ISMS documents through a workflow.

Second, fast forward to your ISO 27001 maintenance audits even before your certification audit. From my personal experience, the auditor will ask questions such as: “What has changed in your ISMS since the last audit?” Therefore, you should consider a tool that manages revisions and changes at block level within a document.

Third, from using existing IT tools as described above in step 4, you will need an ISMS documentation tool that allows efficient linking. Furthermore, Annex A of the ISO 27001:2013 norm has some overlapping chapters, so you want to make sure you can link and reuse content. In this way, you can save lots of time and effort.

Generally, I would advocate using a more modular documentation format than documents and Excel lists. Here are my thoughts on this; they apply to both ISO 9001 and ISO 27001 certifications:

How to Achieve ISO 9001 Certification Without Paper Folders and Excel Lists

Step 6: Write Your ISMS

Now to the core of things. Finally, finally, we can write up our ISMS and get ready for the certification audit.

We have organized our ISMS into two main chapters:

  • The chapter “Information Security Management System”, structured just like the ISO 27001 norm’s Annex A, describes all the implemented information security measures in our company.
  • The chapter “Information Security Principles” explains the core principles we follow in information security, with specific explanations of how they are applied in our daily operations.

Our documentation tool allows fully clickable documents, as well as efficient revision management at block level:

Table of contents of our ISMS (source: author)
Sample chapter from our ISMS (source: author)

In the following paragraphs, you will find a quick overview of the core aspects of our ISMS.

A.5 Information Security Policies

This section contains generic security policies: acceptable use, clear desk/screen policy, and account security.

A.6 Organization of Information Security

This section contains organizational issues: how we assure information security in customer projects, what requirements employees need to meet to work remotely, etc.

A.7 Human Resource Security

Since we have customers in the aviation industry, we have to meet some EU Directive requirements regarding background checks of our employees. This is governed in this section, as well as the disciplinary process in case of information security violations by employees.

A.8 Asset Management

Assets are tracked throughout their lifecycle using our JIRA-based asset management tool. The policies governing our asset management are laid out in this section of the ISMS.

Furthermore, information classification and handling of removable media are governed in this section.

A.9 Access Control

This is a key section of our ISMS, outlining the principles, tools, and processes to grant, manage, review, and remove access to all our IT systems. A core access control element is our SSO infrastructure, which is built based on the Google Identity Platform.

A.10 Cryptography

This section outlines the use of cryptographic protocols in our software designs, as well as the management of all cryptographic keys in use in our company.

A.11 Physical and Environmental Safety

This section covers everything from office key controls and locking up confidential physical documents to disposing of classified information (both electronic and physical). While often laughed at, please always remember that the weakest link in information security is the people, and if you have classified information lying around in the office, you can suffer an information security breach without any hacking!

A.12 Operations Security

This is another key section of our ISMS, describing the policies and procedures for backup, logging, and monitoring. Don’t just think of your application and database server backups, but also of your cloud tools! It doesn’t hurt to do a regular backup of Google Drive, JIRA, Confluence, and whatever other cloud tools you use in your organization.

A.13 Communications Security

This section describes network security and network segregation for both data centers and office networks.

A.14 System Acquisition, Development, and Maintenance

This section describes the core policies for secure software development and secure system engineering. These policies are the basis for the more detailed chapter “Information Security Principles” as outlined above.

A.15 Supplier Relationships

This section governs how suppliers are chosen, managed, and replaced if needed. Many auditors request that you audit your suppliers. As a startup or SME, you have to accept the fact that you are the “small fish” and that you have limited control over your suppliers. Imagine the look on Jeff Bezos’ face if I wrote to him that I wanted to inspect “my” AWS data center… However, most large suppliers readily provide their ISO certificates and SOC 3 reports. From my experience, this is usually all that’s needed. And as long as you don’t let yourself become too dependent on a single supplier, you can still switch to a competitor if you’re unhappy with the service.

A.16 Information Security Incident Management

Let’s face it, it is only a matter of time until you have an information security incident, if you haven’t had one already without noticing.

Incident management helps you deal with information security incidents, and this section outlines the tools and processes that apply during incident management.

A.17 Information Security Aspects of Business Continuity Management

Because information security incidents will happen, it is wise to prepare for business continuity. This section covers the policies and processes for redundancy, backup, and restore.

A.18 Compliance

Last but not least, this section covers legal aspects such as intellectual property rights, information security clauses in customer contracts, etc.

Just like supplier relationships, this is a section where startups and SMEs can and should stick with the basics: take the topic seriously, but don’t hire a lawyer to deal with these aspects in too much detail.

Step 7: Get Certified

And that’s it. If you have reached this stage, call your auditor for the stage 1 audit. During the stage 1 audit, your readiness for the stage 2 audit (certification audit) will be assessed, so it is like a dress rehearsal for the big day.

In the certification audit, be prepared to be tested thoroughly on every single control according to Annex A, and be prepared to show not just policies and procedures, but also the actual implementation and tools behind the policies and procedures.

Remember that minor non-conformities are normal during a certification audit, and make sure you address them within due time after the certification audit.

Step 8: Improve

After the audit is before the audit. To keep your ISO 27001 certification, you will have to undergo regular maintenance audits. This is where you can prove that you closed your minor non-conformities from previous audits, and shine with improvements you made to your ISMS based on business needs.

Again, we use JIRA to track non-conformities and findings from internal audits, customer audits, and ISO 27001 audits, and we close as many of them as possible before the next maintenance audit.
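As an added example (not the author’s JIRA setup, nor any project’s code), a minimal Python gap tracker that models Steps 2, 3, 4 and 8 together: the scope decision from Step 2, the board of non-compliances per Annex A chapter from Steps 3 and 8, and the one-year closure window for minor non-conformities from Step 4. The Finding fields, sample findings and dates are constructed; chapter numbers and titles follow ISO 27001:2013 Annex A.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# ISO 27001:2013 Annex A chapters in board order (titles as in the ISMS outline above).
ANNEX_A = {f"A.{n}": t for n, t in zip(range(5, 19), [
    "Information Security Policies", "Organization of Information Security",
    "Human Resource Security", "Asset Management", "Access Control", "Cryptography",
    "Physical and Environmental Security", "Operations Security",
    "Communications Security", "System Acquisition, Development and Maintenance",
    "Supplier Relationships", "Information Security Incident Management",
    "Information Security Aspects of Business Continuity Management", "Compliance"])}

@dataclass
class Finding:
    control: str            # Annex A chapter the gap belongs to, e.g. "A.12"
    summary: str
    raised_on: date         # date of the self-assessment or audit that raised it
    minor_nc: bool = False  # True if an auditor recorded it as a minor non-conformity
    closed: bool = False

def applicable_chapters(develops_software: bool) -> list[str]:
    """Step 2: scope of applicability. A.14 may be excluded when no software is developed."""
    return [c for c in ANNEX_A if develops_software or c != "A.14"]

def board(findings: list[Finding], scope: list[str]) -> dict[str, dict[str, int]]:
    """Steps 3 and 8: open/done counts per in-scope chapter, like the JIRA board columns."""
    status = {c: {"open": 0, "done": 0} for c in scope}
    for f in findings:
        if f.control in status:  # gaps in out-of-scope chapters are not tracked
            status[f.control]["done" if f.closed else "open"] += 1
    return status

def overdue_minor_ncs(findings: list[Finding], today: date) -> list[Finding]:
    """Steps 4 and 7: a minor non-conformity must be closed within a year of the audit."""
    return [f for f in findings if f.minor_nc and not f.closed
            and today > f.raised_on + timedelta(days=365)]

# Constructed sample findings; not the author's actual tickets.
SAMPLE = [
    Finding("A.9", "Quarterly access review not documented", date(2021, 3, 1), closed=True),
    Finding("A.12", "No restore test for the Google Drive backup", date(2021, 3, 1)),
    Finding("A.14", "Secure coding guideline missing", date(2021, 3, 1)),
    Finding("A.15", "Supplier SOC 3 reports not collected", date(2021, 6, 15), minor_nc=True),
    Finding("A.7", "Background check record incomplete", date(2020, 6, 15), minor_nc=True),
]

if __name__ == "__main__":
    scope = applicable_chapters(develops_software=True)
    for chapter, counts in board(SAMPLE, scope).items():
        print(f"{chapter:<5} {ANNEX_A[chapter]:<62} open={counts['open']} done={counts['done']}")
```

Running the script prints one line per in-scope chapter; `overdue_minor_ncs(SAMPLE, date(2021, 9, 1))` returns the A.7 finding, whose one-year window from the 2020 audit has passed.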

And that’s it. I promised it’s not rocket science. Use the tools you already have, apply common sense, and you will be fine in any audit.
