The main objective for a company that wants to comply with any international security standard should always be to improve its own security program, which ISO 27001 formalises as an ISMS (Information Security Management System). ISO 27001 certification comes as a bonus when you build a security organization and a competent security program. If you want to be compliant for any reason other than this, you are doing it wrong.
I want to share my experiences helping companies become certified to this standard and offer some insight into closing the PDCA cycle (Plan, Do, Check, Act) that the standard is built around. I have come up with four reasons why companies should strive for ISO 27001 certification:
1. Provides Direction for your Security Program
One of the outcomes of becoming compliant is that it leads companies down the right path. The standard requires you to create an information security management system, and in doing so teaches the security fundamentals that companies of all sizes otherwise overlook. It all starts with top management, whom the standard holds accountable for everything related to information security. Without that commitment, there is no ISO 27001.
It will also compel you to define a particular scope. This is especially helpful when your environment has grown to a size where prioritization is a challenge. It is much easier to classify information and analyze risks for a defined set of processes and systems than to focus on everything at the same time. It makes you more effective, and thus leads you down the right path to managing information security.
2. Highlights Weaknesses in your Security Program
Establishing and running an ISMS is hard. The standard covers a wide range of topics that can be overwhelming at first. Annex A of the 2013 edition of the standard contains 14 control domains, numbered A.5 through A.18, each subdivided into individual controls (the 2022 revision regroups them into four themes, so the numbering differs if you certify against that edition). The Annex A controls are not mandatory in themselves: they are a reference set you must consider when treating the risks identified in your risk assessment, and your Statement of Applicability records which ones you apply and why.
You will find some of these controls very easy to implement. Do you have a documented vulnerability management program? Do you perform regular pentests with a trusted partner like Cobalt.io? Probably yes.
Now, have you ever run an emergency exercise to test your disaster recovery plan? Did you meet the recovery objectives set by your business continuity plan? Maybe not.
The reason is simple. Responsibility for basic information security controls is usually spread across the organization. For example, a security team might have no authority over physical security, or over human resources and recruiting. Becoming ISO 27001 compliant will give your security program a painful workout, but in the end it will leave it better off.
3. Builds Good Relationships
An important point here is that the security team is not the center of the security program. Even though the organization has assigned the Information Security Officer role to an individual, that does not mean they alone own every aspect of security.
The security organization is the conductor of the ISMS. Multiple other areas of your organization are responsible and accountable for specific parts of the whole security universe. They implement the controls and keep them running, while the security team monitors and reviews from a distance.
That said, the security team will of course own some controls directly. That is why we chose to be security researchers, consultants, analysts, engineers, and managers: we are passionate about a number of security domains, but we cannot do it all ourselves.
Becoming compliant leads to better relationships with your stakeholders. You need them to implement the controls, and they need you as a consultant. In my experience, the better you foster this symbiotic relationship, the better your ISMS becomes.
4. Improves Overall Security Culture
I am a big advocate for people-centric security. It is never about the system, it is always about the individual using the system. If you involve your user base early on and invite them to contribute to your security policies, you greatly improve the odds of rolling those policies out successfully.
You do not want to write policies just for the sake of having them. This does not lead to satisfactory results in an ISO 27001 audit. Your documentation must be lived and users must be aware. If you give the right tools to your users and guide them step-by-step through the path to improving their own security, you will create a positive security culture within your organization.
To conclude, compliance with the ISO 27001 standard is a by-product of a solid security program. The entire journey, including the audit itself, is painful for a reason. As I mentioned earlier, establishing such a program is hard, but when you finally make it you will have no regrets and will ask yourself why you did not do it earlier.
Read more about Contentful’s path to ISO certification