ISO 27001 implementation – 4 key challenges & how to overcome them
If you’ve recognised the benefits of ISO/IEC 27001:2013, more commonly known simply as ISO 27001 – from legal, regulatory and contractual requirements to new business opportunities – and are considering how you’ll manage implementation, we’ve outlined some key challenges faced and how to overcome them.
- Resourcing your implementation – train, recruit or procure?
- How do we manage disruption to the business?
- How do we ensure ISO 27001 isn’t just a tick-box exercise?
- How to make ISO 27001 implementation less daunting
1. Resourcing your implementation – train, recruit or procure?
With considerable benefits to having ISO 27001 certification, you’ll want to consider your options around resourcing carefully.
The challenge for many businesses is not having the internal experience and expertise to manage ISO 27001 implementation. These are the options typically considered:
- Train existing staff
- Recruit an information security expert
- Engage consultants
- Use ISO 27001 document toolkits
- Procure information security management software
These may be considered as stand-alone or combined options, depending on the size and complexity of your business.
For many businesses, there is often an external driver to be ISO 27001 certified which in turn places priority on a quick implementation. This can influence the decision of how to resource information security management quite considerably.
Information Security Management System (ISMS)
An ISO 27001-compliant information security management system provides a systematic approach to building a solid foundation for demonstrating compliance with, or achieving certification to, ISO 27001 as well as other national and international regulations.
An ISMS:
- Demonstrates your commitment to information security management
- Embeds information security management as a discipline within your business-as-usual processes
- Encourages collaboration and sharing of responsibility
- Steers a roadmap to implementation, operation and continual improvement
A software-based ISMS provides a living set of policies and procedures within your organisation that are stored centrally, preferably in a cloud-based platform.
This is why an ISO 27001 document toolkit falls short. Even the most ‘comprehensive’ toolkits are essentially Microsoft Excel and Word documents with inadequate version control mechanisms and no clear next steps for ISO 27001 implementation.
2. How do we manage disruption to the business?
When embarking on working towards an ISO 27001 certification, the challenge will often be how to run this alongside everything else with minimal disruption, whilst maintaining momentum and achieving certification within your timescales.
Work as a team
You can’t implement ISO 27001 alone; you’ll need to work together as a team.
Spread the responsibility and load throughout the business, rather than creating an information security “silo”, which can sometimes happen when an information security consultant is brought in. This will minimise disruption, and the journey towards and beyond ISO 27001 implementation is often more efficient and effective.
Not only this, but companies that approach ISO 27001 in a considered and holistic way remain certified by demonstrating that everyone acts properly in their day-to-day, business-as-usual operations.
Communicate well
During ISO 27001 implementation, communicate early, communicate clearly, communicate continually – take everyone on the journey with you. If information security management is getting in the way, you are probably doing it wrong.
3. How do we ensure ISO 27001 isn’t just a tick-box exercise?
Top-down support
To truly make the journey effective, an organisation needs to adopt a cultural change that needs to be driven from the top with buy-in from all senior management.
Streamline with software
Utilise information security management software which guides you through ISO 27001 implementation – with templates, frameworks and policies that you can tailor.
Between your ISO 27001 independent audits you are expected to carry out your own internal audits (Clause 9.2) and act on the findings, so build information security management into business processes by constantly reviewing and optimising your ISMS to ensure ongoing maturity.
Commit to certification
ISO auditors typically suggest that ISO 27001 certification can take six months or more – but there are faster and more sustainable ways to achieve it.
Our Assured Results Method (ARM) is one way to ensure that you achieve success. Our methodology provides a pragmatic, risk-based approach that builds on what policies you already have in place while planning for future improvements.
How long it takes for you depends on your goals. If you have a tight deadline, with a prospective client contract riding on it, then you’ll need to commit to a quick implementation to reap the rewards of ISO certification.
ISMS.online speeds up ISO 27001 implementation. Its actionable ISO 27001 policies and controls documentation, which you can quickly adopt, adapt and add to, gives you progress of up to 77% towards the standard the minute you log on.
4. How to make ISO 27001 implementation less daunting
Whilst the benefits are exciting, tackling ISO 27001 for the first time can be complex and daunting to say the least.
Don’t strive for ‘perfect security’
Whilst ISO 27001 mandates the requirements for how your information security management system must be implemented and operated, it doesn’t need to be perfect.
A great way to begin is to document what you do today – and you will be doing some things already – whilst identifying and recording improvements for the future that will further reduce your risks to acceptable levels.
As long as you are weighing the comparative risk levels – the risk of not implementing a control against the risk to the business from implementing it – you are on the right track.
Remember, be pragmatic, not “perfect” when selecting and documenting your controls.
The key objective is to ensure that your security management is fully compliant with ISO 27001 whilst ensuring pragmatic, effective and efficient controls to manage your risks to an acceptable level.