Mind the Gap – when should you commit to ISO 27001?

By Louise T. Dunne, managing director, Auriga

Becoming ISO 27001 compliant can really open doors for the SME, reassuring customers, partners and suppliers of the security of your information systems and business practices. While the standard is not (yet) mandatory, it is now often sought in procurement processes. It is well respected, and adopting it can enable the organisation to punch above its weight and compete more effectively, assisting it in its early growth cycle. But it can also be costly, with high consultancy fees and security projects that seemingly stretch on ad infinitum. Many information security and assurance consultancies have capitalised on demand, offering certification at a high price in projects that can spiral out of control and incur additional costs. Consequently, many decide to defer compliance until they feel they can take the financial hit, little realising that this can result in operational inefficiencies and expose the business to higher risk.


ISO 27001 is an international standard which specifies an Information Security Management System (ISMS), a framework of documented policies and procedures which can be implemented to manage information security risk. The 2013 revision has significantly streamlined the standard, with some subtle but substantive changes: a requirement to identify interested parties (including third parties and suppliers) and renewed emphasis on external as well as internal channels of communication; the removal of the explicit Plan, Do, Check, Act clauses and of the prescriptive asset-based risk assessment methodology (the 2013 version still requires a defined, repeatable risk assessment process, but no longer dictates its form); a requirement for a risk assessment that determines risk levels from the business impact and likelihood of occurrence of each risk; and the assignment of each risk to a named risk owner within the organisation. These changes have brought the standard closer in line with other management system standards and facilitated greater transparency, making it easier to demonstrate compliance to shareholders, partners, clients and ultimately regulators and government. The changes are to be applauded as they address some of the key criticisms levied at the standard, namely the need for graded risk assessment, senior management buy-in and staff education, and in making the standard more relevant they have also made it more desirable.

Delaying commitment to ISO 27001 compliance can have significant repercussions. The organisation will be less aware of its exposure to risk, and the risk of a data breach is substantially heightened. Should a breach occur, the negative publicity could threaten the organisation's reputation and the viability of the business. Moreover, if the organisation is found to have been negligent by failing to observe the Data Protection Act (DPA), for example, it could face significant monetary penalties from the Information Commissioner's Office (ICO). Implementing ISO 27001 early, on the other hand, while the organisation or service is still in its infancy, can greatly enhance the business by allowing processes and procedures to be put in place that enable growth, promote best practice among staff and allocate resources effectively, helping to focus IT strategy and spend. The previous (2005) version was built around the Plan-Do-Check-Act (PDCA) cycle and, although the 2013 version no longer mandates it, the principle is still valuable. The new version folds preventive action into risk-based planning and gives corrective action and continual improvement their own clause, ensuring that information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of corporate strategies, business impacts and eventualities.

Committing to compliance need not be cost-prohibitive. Although perfectly feasible, undertaking such a compliance project alone can be daunting and will take many SMEs out of their comfort zone. The alternative is a middle-ground approach, which offers the advantages of a DIY implementation with the added benefit of expert advice. Advances in the way the standard can be implemented have paved the way for off-the-shelf advisory services, providing the SME with a predetermined, costed project that can be supported and independently verified by pragmatic consultants. Before going down this road, however, it is advisable to conduct a business process analysis to pave the way for effective risk management: knowing which processes and information the business depends on makes working with the standard much easier, and it simply becomes a case of business as usual.

The latest iteration of ISO 27001 is to be welcomed, bringing the standard up to date and making it far more comprehensive without wrapping us in red tape, but it is important to acknowledge and accept that ISO 27001 compliance does not guarantee security (and only certification by an accredited body substantiates the claim to others). The standard is a good place to start and provides an effective framework, enabling the organisation to assess and evaluate risk more judiciously, but it does not cater for the nuances of the business or the sector. Should you take the leap now and become compliant? Undoubtedly. Crossing the compliance threshold opens doors and demonstrates to your customers, partners and suppliers the value you place on securing your information. ISO 27001 can only ever be the first step towards developing an understanding of the threats to your business and guarding against them, but we all have to start somewhere.