ISO/IEC 27001 is widely known for providing the requirements for an Information Security Management System (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
Datasur has been certified for the past 6 years. We started in 2015 with the implementation and the first audit. There are a few lessons we as Datasur learned during those years, and we thought it would be a great idea to share some of the lessons learned with our clients and followers.
Lesson #1: Start preparations on time. No matter which ISO standard it is, whether ISO 9000 or ISO 27001, you must start preparing early. ISO 27001 is a year-long task. As a company we use ISO 27001 in our everyday work. Internally the organization is confronted with processes for everything. But it comes with a cost: the cost of transformation and of the commitment to follow through on the policies and procedures that have been set. It brings the perspective of security to everything that happens within an organization. It engages all functions of the organization, from Commerce, Operations and HR to Finance. So we need commitment from every department of the organization for ISO 27001 to function correctly.
Lesson #2: Dedicated employees. The company needs ownership. Ownership is a term commonly used in Information Security. Having a dedicated Information Security Manager or Officer ensures commitment from leadership. Datasur uses a top-down approach to Information Security. The initiatives are taken by the CEO and our Management Team. We formulate the policies, outline the procedures to be followed, determine the priorities and the results expected, and also determine the liability for each action.
Lesson #3: Yearly checklist. Because managing the ISMS can become a lot to take on and we needed to stay on top of it, we designed an ISO 27001 yearly/monthly checklist. Each asset owner can now access their checklist and, with one click, get an overview of their tasks related to ISO 27001. With this checklist we were able to see our progress month by month.
Lesson #4: Security awareness. Security awareness is an important part of our ISO 27001 program. Training our employees about the security landscape is important to reduce the risks of the ever-evolving cyber world. Security awareness training also ensures that employees are fully aware of the consequences of failing to protect the organization from outside attackers.