Importance of ISO 27001 Compliance
ISO 27001 is an international standard, a document created by the International Standards Organisation, which sets out best practices for creating an information security management system (ISMS). Compliance with ISO 27001 can provide your organisation with a framework to help reduce the risks to your information security such as data breaches, malicious attacks and leaks. Achieving certification to the standard signals that your company is running an effective ISMS and may be looked upon favourably by new and potential customers and partners, as well as reducing the risk of costly security incidents.
Any organisation that handles sensitive information, regardless of size or sector, should consider implementing ISO 27001, but it’s important to keep in mind some of the common pitfalls when starting your compliance journey. Written by our Quality Specialist, Dan York, this blog is designed to help organisations avoid the common mistakes of implementing ISO 27001 within their organisation.
Common mistakes in ISO 27001 Compliance.
1. Not getting company-wide engagement
Starting to use a management system often introduces some changes to the way your organisation operates on a daily basis. New procedures and additional controls, despite how beneficial they are, can be met with resistance from team members and can slow down your implementation.
Getting full buy-in starting from top management and across the organisation is not only a requirement within ISO 27001 itself but is also the best way to encourage all of your staff to commit to the process. This can be achieved with strong communication and effective training for people, but also by ensuring you have given enough resources to your technical (e.g. IT) experts and the people running your ISMS so that they can use their time well, training others and continuing to promote awareness and engagement.
2. Not choosing the right certification body
There are many organisations which can offer certification services to ISO 27001 and choosing the correct one is vital. Many factors can impact this decision, such as cost and availability, but the most important is picking one which is appropriately accredited. Choosing a certification body without the appropriate accreditation (such as by UKAS, in the UK) can lead to your certification being disregarded by potential customers and partners and could be a waste of your efforts getting to that point.
Needing to use an accredited certification body doesn’t mean you still don’t have several options about who you enlist, but it’s important to spend time reviewing all the options early on in the process and forge a good relationship with the organisation of your choosing. Read more about ISO Standard Certification here.
3. Poorly defined roles and responsibilities
Compliance with ISO 27001 requires that some tasks and processes get done routinely, which may be new to your organisation. This is both for implementation and on-going management of the ISMS. When roles and responsibilities are not clearly defined and agreed upon, this can lead to disagreements and slow progress with compliance projects.
As part of your ISMS, it can be a good idea to create a RASCI (Responsible, Accountable, Supportive, Consulted, and Informed) matrix which lists all of the relevant processes and roles and clearly document who is responsible for each. This can help with resource allocation for projects, and it should smooth out your implementation of an ISMS. Reviewing the RASCI periodically is also helpful, this can prevent issues arising when procedures get updated.
4. Not considering people as Assets and as Risks
Information security doesn’t just include your documents, code, IP, etc, but also your people. ISO 27001 covers the need to appropriately manage all kinds of information assets, and your team is a key part of this. People hold important information which needs to be protected, but they are also a vector for risk. If you fail to have procedures which handle effective transfer of information from a member of staff who is leaving, or do not have good documentation practises, then it can be very costly to your information security. When considering practical security steps as part of your risk assessments, it can be easy to overlook the human factor in protecting the confidentiality, integrity and availability of your information. Not having consistent and sensible access controls or teleworking policies (if relevant) could leave a hole in your compliance.
These issues can be avoided by taking a holistic approach to information security. When considering risk to data, don’t forget to think about your staff, both as information assets and as risk vectors. A good off-boarding HR policy to ensure the transfer of necessary information, along with effective record-keeping, goes a long way to mitigate this risk. Likewise, making sure you have access controls for your staff and any visitors or contractors.
5. Documentation issues
Poorly written documentation, be it your policies, procedures, or records, are a common way that implementation and management of an ISO 27001 ISMS can be harder work than it needs to be. If there are poorly written procedures which are hard to follow or not very relevant then they will not be followed easily, which is a compliance risk and makes it difficult to ensure your system is working effectively. Poor control of changes can be a problem for some organisations too, if documents aren’t reviewed periodically and kept up to date, then their value significantly reduces.
This can be overcome with a well-written document control procedure. A good document management system should include a way to review and approve documents by relevant stakeholders, a way to keep documents protected from tampering and a mechanism to review important documents periodically. With that in place and trained on by your organisation, every other aspect of compliance to ISO 27001 will be much easier.
6. Not integrating with other management systems
If your organisation already has an implemented management system (e.g. ISO 9001 – Quality Management, ISO 13484 – Medical Devices, ISO 42001 – AI Systems, etc) then the requirements of ISO 27001 can seem like they don’t relate to what you currently have in place. This can lead to duplicated procedures, approval systems and records, especially in areas such as supplier approvals and internal audits, which may become a burden on your staff and create frustration and poor compliance.
Most common ISO standards are written with a consistent structure and approach. This allows you, with some planning, to effectively integrate multiple standards into the same management system, reducing the overhead for staff and the need for duplication of effort.
Summary
Navigating ISO 27001 can be complex, but by applying the learning from this blog and also from our other blogs on ISO 27001, you can prepare your organisation and stakeholders for compliance success.
If you need help on your journey to ISO 27001 compliance, let 8fold’s experts guide you.
Need Help Implementing ISO 27001 ?
To discuss your ISMS implementation Book a Discovery Call.