Information security has become a growing challenge for businesses of all sizes and sectors. That helps to explain why the International Organization for Standards (ISO) created the ISO 27001 family. Those standards are designed to help organisations manage the security of their assets, including financial information and employee details, via the creation of an information security management system (ISMS): a system-wide approach by which companies leverage people, processes, and technology to manage risk.
ISO 27001 certification is optional, but it does help companies reassure their customers they are following key information security recommendations when it comes to handling their data. Organisations might also decide to achieve ISO 27001 certification for the benefits that come with adhering to security best practices.
That latter motivation is especially resonant with Metacompliance, a provider of Cyber Security and Compliance Awareness software which achieved its ISO 27001 certification in March 2016.
Robert O'Brien, CEO of Metacompliance, expands upon the benefits of certification:
"The ISO 27001 provides not only a starting point but also a framework that is purpose-built for teasing out the key risks to information assets. It makes an organisation think about risk in the correct way; it focuses thinking and encourages action around remediation."
On an individual level, the Information Asset Owners have a major part to play in getting the proper action programs in place to mitigate risks, as they are the employees who are most affected by ISO 27001. Even so, certification requires that all employees gradually learn how the ISMS plays an active part in their day-to-day jobs.
O'Brien explains it's a project that proceeds in phases and increases in both intensity and granularity over time:
"Employees can only digest so much of the ISMS at one time. Once certification is achieved and the cornerstones of the ISMS are in place, the real job of improving maturity begins. It's a bit like how someone begins learning to really drive after they pass their driving test."
Metacompliance started on the path towards certification as a result of its desire to "walk the walk as well as talk the talk" in cyber security. The organisation was already familiar with the benefits of implementing the ISO 27001 standards. However, it took leadership from O'Brien and the executive group to launch the certification process in earnest.
That leadership came when O'Brien realised the deficiencies of compliance as opposed to the advantages of security:
"An ISMS is scoped by the organisation. The scope can be very limited; it could be nothing more than a ticking-the-box exercise. However, to avoid the threats that originate from internal and external sources, a whole-hearted approach to cyber security is required. It has to become part of the DNA of the company. It must be spoken by management without dissent or cynicism. That happens only when the CEO and Board of Directors take a zero-tolerance approach to protecting against digital threats."
With an executive team supporting the full benefits of security, Metacompliance decided to embark on the path of certification.
That process wasn't without its challenges. The hardest part came when the organisation needed to identify the key risks facing it and document the controls and remediation measures it used to help address those risks. Metacompliance created an ISO 27001 team and enlisted the help of the Information Asset Owners to accomplish the task. Those individuals undertook the effort in addition to fulfilling the duties of their daily jobs.
The organisation took great care in selecting who would contribute to this necessary step of the ISO 27001 certification process. O'Brien elaborates:
"We chose key staff who already were doing big jobs, and we asked them to step it up. It was a reflection of their commitment that they ground out the additional work and prioritised this challenge in order to meet our deadlines. They completely bought in to the need for an ISMS, so overcoming the challenge was simple. If there had not been complete buy-in among those key members, the project would have slowed and we would have wasted a lot of time."
To keep everyone on board, O'Brien said, it took executive leadership to make sure the project was not knocked off course by distractions.
He notes that the organisation also used its own policy management software suite to strengthen internal buy-in for the ISMS and to educate employees on it:
"The ISO 27001 framework, like all compliance projects, is built upon the internal laws of the company. These are encapsulated in the policies of the company. Once we had worked through the policies that governed how we would manage our ISMS, we used our own software to communicate policies to staff and to obtain their attestation. We also used our Aware Centric library of eLearning titles to train our users on the key cyber security elements, ranging from passwords to physical security."