We have been receiving a lot of questions from startups like ourselves who want to know more about our experience of obtaining this certificate. This blog is intended to provide you with a step-by-step insight into our certification journey. The aim is to help those who might be considering going for the ISO/IEC 27001 certification.
What is the ISO/IEC 27001 standard, and why did we decide to get certified?
ISO/IEC 27001 is an information security standard designed and regulated by the International Organization for Standardization (ISO). It is a very broad framework, which does not restrict itself to any particular type of data or business function. It covers everything from physical access security to HR information security readiness to how client data is protected.
Being a company that deals with sensitive data, we knew that customers would always want to know how seriously we took our information security practices. After doing a bit of research, we found that being ISO/IEC 27001 certified would show our clients that we are an organization that has invested a considerable amount of time, effort, and resources in information security.
Compliance vs. Certification
Compliance with ISO/IEC 27001 implies that an organization claims to meet the requirements of the standard without actually being audited by an independent auditor. On the other hand, being ISO/IEC 27001 certified means that an independent auditor has verified that the organization complies with the requirements of the ISO standard.
Given the difference between being compliant and being certified, it was not a very hard decision for us to want to be ISO/IEC 27001 certified rather than just compliant.
What is a certifying body, and how did we choose one?
It is a common perception that the International Organization for Standardization (ISO) is the body that performs certification for ISO standards like ISO/IEC 27001. Certification is actually provided by independent auditors called Certification Bodies. Some of the better-known Certification Bodies include the British Standards Institution (BSI), TUV, and others.
Certification bodies can choose to be audited themselves to check whether they are compliant with the best-practice audit requirements. This kind of audit is performed by Accreditation Bodies. Most countries will have multiple Certification Bodies, but will usually have only one Accreditation Body.
A lot of Certification Bodies provide ISO certification without doing much of an audit and thus don't have a very good reputation. We felt that it was important to choose a Certification Body that is not just accredited but is also internationally recognized with a very good reputation. As a company, we have customers spread throughout the world who value high standards of information security. Thus, we finally decided to go with the British Standards Institution (BSI) as our Certification Body. BSI is known to be very stringent when it comes to audits, which implied that we would need to spend more time preparing for them. But that was a trade-off that we were comfortable with.
Hiring a consultant versus doing things in-house
During our research process, we realized that the certification requires us to prepare policies and procedures, as well as evidence to show that we have implemented these policies and procedures, for close to 114 controls. This could be a daunting and prolonged task without the aid of a consultant who knows the nuances of the process.
Consultants usually come with thorough knowledge of the standard and know where the organization needs to lay emphasis in order to get certified within a reasonable time period. They also provide templates for the policies and procedures. You can adapt these templates to suit your needs instead of preparing them from scratch.
Choosing the right consultant
Consultants are everywhere, but you should always choose one that suits your business and understands where you are coming from. Here are a few factors that we zeroed in on while choosing a consultant:
- The consultant should have extensive experience in getting organizations certified by BSI. This was an important criterion since getting certified by BSI is harder than getting certified by less reputable bodies.
- The consultant should be available to address our queries at relatively short notice and should generally have a more hands-on approach during the engagement. This was also crucial for us since not many people in our company had prior experience of the ISO certification process.
These factors led us to hire an independent consultant who had around 12 years of experience in getting organizations BSI certified. We also reached out to mature firms that provided consultancy services for ISO certification. But we learned that they had a very standard way of functioning, where they would provide us with templates alone and not much support thereafter. Also, their availability during the process to resolve queries and issues would be limited, and engaging with such firms would probably have led to delays in our timelines.
The process for certification involved preparation for the audit and the actual certification audits themselves.
Preparing for the audit
While preparing for the certification audits, some of the important steps were:
- Determining the scope: This helped decide which of the functions and geographical locations fell under the Information Security Management System (ISMS). Once the scope was determined, we created a core team consisting of members from each function that fell within the scope.
- Completion of the risk assessment and creation of a risk treatment plan: This helped identify the areas of weakness in our information security processes. The next step was to create a risk treatment plan to tackle the identified risks.
- Building the Statement of Applicability (SoA): The SoA stated which of the 114 information security controls would apply to us based on the risk treatment plan that had been prepared. For most organizations, most of the 114 controls will apply. But if you have omitted any of the 114 controls, you will need to justify during the audits why it was omitted.
- Implementation of controls and creation of documentation: This is the step where most of our time and resources were spent. The core team met on a daily basis for around 2 months to decide how to go about implementation and create the relevant documentation. The documentation involved the creation of policies, procedures, and evidence to showcase the implementation of controls. As mentioned above, our consultant provided templates and guidance to complete this step. We would highly recommend scheduling regular catch-ups to make sure that documentation is being completed on time. This is solely to ensure that your focus doesn't waver when you see the amount of documentation that needs to be completed (it is a lot!).
Audits occur in two stages:
- The Stage 1 audit involves a review of ISMS documentation and policies.
- The Stage 2 audit involves a review of evidence to make sure that what is happening inside the organization is in line with ISO requirements and policies.
Once we were confident that we were prepared for the audit, we had a discussion with the certifying body and scheduled a date for the Stage 1 audit. We recommend having a gap of a few weeks between the Stage 1 and Stage 2 audits. This will allow you to resolve the findings from the Stage 1 audit before the Stage 2 audit begins.
During normal circumstances, Stage 1 and Stage 2 audits happen on-site, where auditors visit the office locations that are getting certified. Due to the pandemic, accreditation bodies have given the flexibility for the audits to happen remotely for both Stage 1 and Stage 2.
It is also extremely important to keep in mind that, even though all of your employees are likely working from home at the moment, you would still need to have an office space with all the physical controls implemented. Evidence for physical security at office locations will be reviewed during the Stage 2 audit, mostly in the form of photos or videos that you have collected. You need to collect and present this evidence, or your auditor might insist on checking the controls on site. In that situation, one of your office members will have to visit the office along with the auditor to demonstrate the required controls.
In conclusion, getting ISO certified is about planning and preparing for the requirements being asked of you. Having a trusted consultant who knows the process and can customize it according to the requirements of your organization helps tremendously. It also shortens the time required to get certified, as you clearly know what needs to be done. We hope our experience helps you when you are thinking of getting certified.