Top 10 lessons from ISO 27001 Certification journey

Giri Venkatesan
9 min read · Jul 4, 2019

The ISO 27001 standard is a well-known framework for implementing industry best practices in security. It is a tall order even for an established, process-driven organization to commit to creating, monitoring and managing controls and collecting evidence year-round to ensure that the certification is maintained. Over the past few months, I had the fortune of leading the effort of getting the startup numberz, a fintech innovator, certified. Oh boy, it was a journey for sure — pulling along a young crowd that wants to measure and see every action with a tangible and immediate outcome, and undertaking such a commitment, was in itself a task, but hey — the team did it.

But is ISO 27001 certification worth the trouble? Does it make a difference?

Absolutely YES — and the benefits are twofold.

Internally, for the organization, it streamlined the process of everything (literally everything that represents and operates the entity). But it comes with a cost — the cost of transformation and of the commitment to follow through on the policies and procedures that are set. It brings the perspective of security to everything that happens within an organization. It engages all functions of the organization, from Sales, HR and Legal to core Product Development, and takes stock of the ‘what if’ on various nebulous security scenarios. Once the exercise is completed, one can see the gaping holes that just got plugged, which otherwise could have compromised security across the spectrum — Data, Information, Equipment, People and Processes, all the way to the priceless creation, ‘the Product’. It is not merely about how sensitive information is stored, recovered and operated on; it goes much beyond that, covering the what, who, how and when of everything and everyone that touches the sensitive assets of the organization.

Outwardly, even for an established organization, a certification issued by an accredited body creates an opportunity: a more compelling story and a seat at the table, more readily than any loud and limitless claims one can make by oneself. It is a great sales enabler and expediter, and helps cross a major hurdle with ease in the early cycles of sales and partnership engagements when dealing with sensitive and security-conscious Customers and Partners.

It was quite a journey over the past few months — collectively we learned a lot, and our perspective on Information Security truly expanded, with a new-found respect for standards and frameworks.

Lesson #1: ISO 27001 adoption is NOT going to turn your organization upside down. The initial fear was dispelled once we realized that the ISO 27001 guidelines are a framework and you alone decide what is applicable to you — it is not true that you have to implement changes (policies and procedures) for everything in the specification. It trusts the organization with the responsibility of identifying the applicable clauses — and of course, it expects you to review and justify why something is not applicable, or why the presence or absence of controls, or a certain level of risk, is acceptable to your organization.

Lesson #2: Establish the context of the organization. This is about understanding the organizational expectations, the interested parties, and the scope of the Information Security Management system that will be put in place. It gives a clear understanding of the affected teams/departments, the commitments to be made by management and members of the organization, and the boundaries of such an ISM system, which will be periodically audited and evolve over time.

Lesson #3: It all starts with the identification of organizational assets — essentially classes of assets ranging from tangible assets like information, paper documents, people, physical assets, services and software to non-tangible assets like reputation, company image, etc. The list may vary and can be expansive depending on your organization’s function and business objectives. Once the assets are identified, arrive at a robust formula to compute the risk associated with each, based on the perceived threat and vulnerability. For each identified risk, you can then evaluate the absence of controls or the presence of existing controls and their strengths (preventive, corrective, recovery and awareness). By establishing an acceptable risk severity (i.e., low, medium, high, very high), evaluation of the identified risks will shed light on the need for new controls to be implemented, and on the need for strengthening (additional controls) to keep the risk severity acceptable. Such a risk treatment plan maps each of the identified risks and its existing/planned controls to the recommended controls referenced in the ISO framework, thus making your risk management plan ISO compliant.
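As an added illustration (this is example code written for this page, not from the original post and not any formula prescribed by ISO 27001), the risk scoring described above carried through in Python: an assumed score of asset value × threat × vulnerability on 1–5 scales, existing controls of the four types each reducing it by an assumed strength, the four severity bands named in the post with assumed cut-offs, and a treatment plan that flags every asset whose residual severity is above the accepted band. The `Asset`, `Control`, `inherent_risk`, `residual_risk`, `severity`, `treatment_plan` names and the `SAMPLE_ASSETS` register are all constructed for the example.

```python
from dataclasses import dataclass, field

# Upper bounds of the four severity bands named in the post; the cut-offs are assumptions.
SEVERITY_BANDS = [(20, "low"), (45, "medium"), (80, "high"), (126, "very high")]

@dataclass
class Control:
    name: str
    kind: str        # one of the four types in the post: preventive, corrective, recovery, awareness
    strength: float  # assumed fraction of the remaining risk this control removes (0.0 to 1.0)
@dataclass
class Asset:
    name: str
    value: int          # 1-5 business value of the asset
    threat: int         # 1-5 perceived threat likelihood
    vulnerability: int  # 1-5 ease of exploitation with no controls in place
    controls: list = field(default_factory=list)

def inherent_risk(asset):
    # Assumed scoring formula: value x threat x vulnerability, range 1..125, before any control.
    return asset.value * asset.threat * asset.vulnerability
def residual_risk(asset):
    # Each existing control removes its assumed share of whatever risk is left.
    risk = float(inherent_risk(asset))
    for control in asset.controls:
        risk *= 1.0 - control.strength
    return round(risk, 1)
def severity(score):
    for upper, label in SEVERITY_BANDS:
        if score < upper:
            return label
    return SEVERITY_BANDS[-1][1]
def treatment_plan(assets, acceptable="medium"):
    # Anything whose residual severity is above the accepted band needs new or stronger controls.
    order = [label for _, label in SEVERITY_BANDS]
    plan = []
    for asset in assets:
        residual = residual_risk(asset)
        band = severity(residual)
        plan.append({"asset": asset.name, "inherent": inherent_risk(asset), "residual": residual,
                     "severity": band, "needs_treatment": order.index(band) > order.index(acceptable),
                     "control_types": sorted({c.kind for c in asset.controls})})
    return plan

# Constructed sample register: the values are illustrative, not from any real assessment.
SAMPLE_ASSETS = [
    Asset("customer-ledger-db", 5, 4, 4, [Control("MFA on admin access", "preventive", 0.5),
                                          Control("staff awareness training", "awareness", 0.2)]),
    Asset("printed-statements", 3, 3, 5),
    Asset("developer-laptops", 4, 3, 4, [Control("full-disk encryption", "preventive", 0.6)]),
]
```

With the sample register and `acceptable="medium"`, only the uncontrolled printed statements land in the "high" band and get flagged for treatment; the ledger database drops from 80 to 32 (medium) thanks to its two controls.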

Lesson #4: Oftentimes, the topic of security steers people in the software world to think about server security, data security, disaster recovery and other typical aspects. Those are perfectly fine, but what one misses is the policies and procedures that govern the setup, operation and execution of those techniques and technologies. A fool-proof implementation is only as strong as its governing policies and procedures. The scope of security is an inclusive domain covering people, process and technology as a whole, aligned with the set security objectives.

Lesson #5: Data is not the only asset to be secured. Anything or anyone that touches sensitive assets (including data), directly or indirectly, comes under the purview of security. The modes and means of controlling access are a matter of technique and implementation; the process around managing the permissions, changes and exceptions (if applicable) for those assets is the critical piece of security. Above all, the pieces of equipment (laptop, desktop, server or cloud resources) that are put in place to develop, test, support and host the secured assets also need to be covered under security review. This leads to the formulation of policies and procedures to manage the assets that make up your ISM system.

Lesson #6: Change is the only constant — this could not be more true for a startup, where it is part of the DNA that makes it nimble and adaptable to internal and external demands. Here comes the dampener — every change and its impact on the system need to be evaluated for security risks as per the ISM policies and procedures. Any resulting changes to the policies and procedures need to be captured, and the respective documents need to be updated with versioning and change tracking. Any exceptions made should be recorded as well, for future reference (audit). In essence, changes are fine — but they need to be made responsibly, after weighing their impact on overall security. This part requires commitment from the entire team and the team leads to consciously evaluate the change requirements, approve them or seek validation from the designated security experts within the organization (ISM — Information Security Manager), and maintain evidence of the changes in line with the documented policies and procedures.

Lesson #7: Sensitive information handling. A variety of information and data gets generated in a typical day in the life of an organization. Some of that information could be sensitive and might pose a security risk if exposed or leaked outside — ranging from simple scribbling on whiteboards, unattended terminals and unattended printed documents left on the printer to information shared with unintended people via email or other means. Educating members of the organization on information classification and on handling each class appropriately is paramount, and it comes with the enforcement of a certain discipline.

Lesson #8: The great ‘controls’ monitor the effectiveness of the policies and procedures defined by the ISM system. A periodic review of the evidence collected, documented changes and exceptions will help identify the need to review and upgrade existing controls. A control can act as a mitigator (corrective), prevent future issues (preventive), simply monitor ongoing activities (awareness) or provide a procedure to recover from situations (recovery). It is a continuous process to monitor, assess and treat risks — forming a cycle of correction and improvement in step with internal and external changes. The periodicity of the review of evidence and of the performance of the associated controls is based on the severity of the risk and the sensitivity of the underlying asset, and should be set accordingly.

Lesson #9: ‘Document classification and tracking’ — in the busy life of a startup, communication is free-flowing and unconstrained — emails are sent and documents created, shared or published all the time. However, from the legal and security perspective, the creator or sender and the recipient need to be educated and informed about the sensitivity of the information. This can range from simple versioning and history tracking on documents, and calling out the type of information shared (internal, proprietary, confidential, etc.), to a simple disclaimer in the email signature. This ensures that the sender takes responsibility for validating his/her action before sending/sharing information, even when it is for the intended recipients.

Lesson #10: Simply be prepared to go through the grind of the audit on the first anniversary (surveillance audit), where the focus will be on reviewing adherence to the committed security policies and procedures as documented in the ISM manual. Collected evidence and change tracking are the only tangible record of past adherence — hence be sure to document evidence wherever applicable. ISO mandates continuous monitoring and improvement of the risk management methodology as per the established ISM system. And finally, on the 3rd anniversary, a fresh audit will be due for renewal of the certification :)

Bonus: For a software organization, Business Continuity is super-critical and is the biggest risk to be managed. It is prominently espoused by the ISO framework. Putting together an implementable plan is the first step — however, it is difficult to test that plan without affecting part or all of the organization’s functioning and operation. In reality, it is unthinkable to bring down the production systems just to test out the scenarios. ISO offers a practical workaround called the ‘Tabletop Exercise’: walk through all the identified risks and scenarios in theory, deduce the outcome as to how the plan will mitigate them and offer continuity, and document the outcome, which serves as evidence as well as reference. This would be a complex exercise if not for the tabletop option, which lets you explore all scenarios without affecting any real-world operations. Thanks to that!

At the beginning of the ISO Certification process:

Tasks ranging from simple document classification, asset classification and tracking to time-consuming evidence collection — though simple, we were afraid of committing to them. The first reaction was ‘this will cause delay and affect velocity’ — no surprise there!

At the end of the ISO journey, of course with successful certification — we prevailed.

With a bit of insistence, commitment from management and continuous education, things turned around. The initial glimmer of hope is now shining bright, with the ISO-induced changes becoming part of daily routines without any workaround or hack!

It is not that bad, not bad at all, eh?

Giri Venkatesan

A technology enthusiast, passionate about learning with emphasis on the “why” of everything. Strong believer of collaborative knowledge building and sharing.