What to expect when you're expecting ISO certification
Table of contents
You may have already read the news about Upscaler achieving our own ISO 27001 certification, but if you haven't you can check out the announcement here.
Before our team gets stuck into working on our next set of goals, we've decided to pause and bring you a little insight on what you can expect when setting out on your own path to certification.
The hard stuff
So you're at the point where you've decided that you want to go down the road of achieving ISO 27001 certification. You've even started dreaming about all the ways in which it will help your business, including;
- Providing an advantage during sales.
- Streamlining the customer due diligence process.
- Bringing you peace of mind about the security of your product.
But you're still hesitant, because it's all a little unclear what challenges you can expect to face on your journey.
Well, it's important to point out that every organisation's challenges will differ in some way. This may be the size of your workforce, or the fact that you operate offices in different countries. There will be some aspect of your implementation that will be specific to your business.
Strangely enough, it's not these challenges that typically pose the greatest problems. Rather, there are some challenges that I would describe as less of a challenge and more just, well, the status quo. The two issues that seem ever-present during implementations are:
- Leadership commitment
You can't typically complete any business project, or even effectively run a business, without those two things. So it seems pretty obvious that you couldn't implement an information security management system without them either. But there's a reason why the standard explicitly includes these requirements.
Whenever I've seen organisations struggle with their implementation it's because someone believes they can do it in isolation without buy-in and support from the rest of the company. Well I'm here to tell you: don't do that to yourself.
If you start down the road with management support and a commitment to provide you with the necessary resources (within reason, of course), there's very little that will be able to stand in the way of certification. At Upscaler, there was never any doubt for us that we had those two areas covered.
With management commitment and resources safely in the bag, the next big thing is time. Time to get familiar with the standard's requirements. Time to train and mentor people who will play a role in your management system. Time to perform your reviews and internal audits and make necessary corrections. Time to tailor and implement your new policies and procedures. Time to start shifting your company culture if information security hasn't been a part of it up to this point. I think you get the picture.
Upscaler is going to really help you in this area as the majority of the baseline policies and procedures, and supporting processes, forms, and registers have all been created for you. I'm going to go ahead and point out that I said "majority" there, so you're probably wondering what exactly I mean by that?
That leaves just the unavoidable learning curves for those with a role in operating your management system, and the time it will take to plan, carry out, and review necessary activities. Sounds manageable though, doesn't it?
With the thought of learning curves firmly in mind I'm going to point out a rather straightforward way of reducing them.
Get the person who is best suited for a task to do that task.
Getting someone to do something simply because they have the availability is not likely to save you any time. More often than not it will take them longer to complete the task, and they're probably going to get it wrong more often, too.
What I mean here is, just because you have an acceptance tester with a little free time in their schedule doesn't mean it's a good idea to get them to plan and write your business continuity plan. But maybe they could be trained to perform internal audits which will fit their skill set a little better.
Having people operating your management system who are competent to do so is a requirement of the standard. It is there to save you a lot of time and effort as well as to give you assurance that things are being done properly.
Now, there's absolutely no requirement for everyone operating your management system to be a security professional. You don't need to go looking for people with CISMs or CISSPs. The requirements of the standard are specifically designed to be applicable to any organisation, and that would hardly be true if you were forced to hire a team of security experts you can't afford just to implement them.
If you do happen to have a security professional on your team already, then leverage their ability to mentor others as much as possible like we did here at Upscaler. If you don't, you can use Upscaler's guidance documentation to help you better understand the standard's requirements and steer you around the various elements of the management system.
Competence is thankfully something that you can develop and improve, and part of this will come naturally as you begin to implement and operate your management system. The best thing you can do is identify people who have a skill set suited to a task, and channel some of your resources into training. This will give them the time they need to develop their understanding of the standard and the tasks they're performing.
Take comfort in the fact that even a security professional who is familiar with security concepts and best practice is not going to necessarily know all about the requirements of ISO 27001 if they've never implemented it before. You're all in it together, including Upscaler!
Once you feel that your organisation has done enough preparation and is finally ready for that big test, you can proceed to your audit. The thing you should know about the audit process is that there are two stages to it: Stage 1 and Stage 2.
Your certification body of choice will determine how many days will need to be allocated to each stage. This will typically be influenced by the size of your organisation, and how disperse it is, i.e. if you have multiple sites that will need auditing.
Less days will be allocated to your Stage 1 audit than Stage 2 as it will be less in-depth, focusing on your documented policies and procedures. Stage 2 will dig into the implementation of your security controls and evidence that your procedures are being carried out as planned.
The maximum amount of time you can typically have between Stage 1 and Stage 2 is six months. It's a good idea not to push for Stage 2 to occur too soon after Stage 1 unless you are feeling really confident that you're fulfilling all of the requirements of the standard.
The benefit of properly utilising the time between stages is that you can thoroughly address those inevitable findings raised by your auditor during Stage 1. You'll also want to have enough evidence of your controls in operation - which is something that simply requires time.
The more security reviews and audits and risk treatments and change requests that you can perform, the more evidence you will have to really wow your auditor when they go for that deep dive in Stage 2.
The finish line
Well, no. To be clear, certification is not the finish line or even the end of the road. It's a goal that you will work towards, but once achieved you also have to maintain it. Your organisation is going to change and grow over time. How will you continue to effectively manage your risks and meet the expectations of your stakeholders if you don't keep operating your management system?
Once you've successfully worked through your Stage 1 and Stage 2 audits and are recommended for certification, you will receive that certification for a three year period. During that period, surveillance audits will be performed by your chosen certification body approximately every six months to monitor the continued effectiveness of your system. At the end of the three years you will have to re-certify if you want to be awarded with certification once again.
So you see, this is a long term commitment and you should be aware of that before starting out on your journey. But you should also be aware that it is an extremely rewarding commitment. Just think about all those things you were dreaming about earlier on such as streamlined due diligence, product security, business growth and value, and a good reputation, to name just a few. Many benefits await your organisation on this road, and that's the most important thing you can expect.
If you have any questions or would like to learn more about Upscaler don't hesitate to contact our team. We love to talk with SaaS companies and help them on their journey in any way that we can.