We are proud to say that Assembly has been awarded ISO 27001 certification by the British Standards Institute, which we have been working towards for the best part of a year. For companies considering certification, the process can seem daunting. So we thought we’d write a blog to share our learnings, in the hope that it might be useful for others beginning their ISO 27001 journey.
For anyone unaware, ISO 27001 is a set of standards that govern information security management systems (ISMS). This includes both physical and technical systems and can cover everything from your office to any product that you develop or create. There are elements of ISO 27001 that overlap with GDPR and vice versa; however, being compliant with one does not mean you are compliant with the other. Achieving ISO 27001 certification is another important step in ensuring trust between Assembly and the schools and platform partners that use Assembly’s services; it gives you confidence that we are using secure processes in all the work that we do.
How you implement your ISMS is highly dependent on the size of your organisation, the type of work you do, and the operational aspects of your organisation. We’re pretty agile, so we wanted our accreditation to fit with that culture, rather than changing our ethos to fit ISO 27001. Here are some tips that we think will help companies, especially start-ups and those using agile methodologies, that are aiming for ISO 27001 certification:
- Pick an accreditor with UKAS certification. There are a plethora of ISO 27001 certification bodies; however, you can’t trust all of them. UKAS (United Kingdom Accreditation Service) is the only national accreditation body recognised by the UK government to assess, against internationally agreed standards, the organisations that provide certification, testing, inspection and calibration services.
We decided to use the well-respected BSI as our auditing and certification body. Many non-UKAS-accredited bodies will offer both to put your ISMS together and to certify it, which is a breach of ISO 17021’s requirements - certification bodies must remain impartial and, as such, can only provide certification. Furthermore, non-UKAS certificates are not internationally recognised, as there isn’t the trust that the standard has been audited stringently enough. So if you’re going to tackle ISO 27001, it is worth the time and effort to achieve certification properly with a UKAS-accredited body.
- Hire a consultant. If you have limited experience of implementing an ISMS or applying for ISO 27001 certification, then it is vital to seek the expertise of an ISO consultant. We’d suggest you ask prospective consultants in particular about their experience of establishing agile processes in start-ups: “old school” ISMS consultants can have templates and tips that fit larger, more monolithic organisations.
The outside scrutiny of an ISO consultant or practitioner will identify the weaknesses in your ISMS and help you create the processes and policies that comply with the 27001 standard. This may seem like an obvious point, but some organisations have attempted certification without the direction of a qualified security professional, either internal or external. This has resulted in major non-conformities being uncovered during the audit, which can delay the certification process by months.
- Make your ISMS fit the way you work. We were given many different standard paper forms to use when implementing certain aspects of the ISO 27001 standard, such as a change control policy and project management documentation. As a paperless organisation that works in an agile way, these forms would have been more of a hindrance than a way to improve information security.
The key was to make processes that fitted into the way we work. This meant adapting the change control forms to fit the systems we already use, and frequently that involved Trello. For example, we created a Trello board where change suggestions can be monitored in a way that integrates with our existing roadmap and sprint planning process.
- Create an ISMS that works for everyone. Whoever is implementing your ISMS will need to work with the whole team to ensure all aspects of the ISMS work. ISO 27001 cuts through the whole organisation, from HR to development, and it is highly unlikely that the infosec representative will know how every department functions.
At Assembly we have found that the best way to engage the whole team is to talk openly about ISMS policies, so that everyone can not only ask questions but also contribute to the development of our processes. This has given us an ISMS that everyone can buy into, rather than one that feels like a burden imposed on people that gets in the way of their work.
- Ban negative references to security. We decided to ban the eye-rolling and negative comments about security, because of the connotation that it is boring or irrelevant.
An unprompted comment from one of our team members in an org-wide meeting, that information security is really important and that we should all care about it, really helped everyone change their approach to information security and encouraged them to play an active part in it. Along with the other steps we have taken, it has made it easier to develop and implement our ISMS.
- Find out about your office’s security systems if you work in a co-working space. The ISO 27001 standard can be ambiguous in its approach to co-working spaces. The key thing is to make sure your office has suitable security systems in place.
So, to meet the requirements, you’ll need to ensure that you know the security systems in your co-working space, especially how the internet connection is set up and what security measures are in place to prevent malicious attacks. As long as you have evidence that you have risk-assessed your co-working space, from physical to network security, and have a risk treatment plan for any associated high risks, you will be complying with the standard.
- Don’t be afraid of the audit. It is easy to worry about the audit, especially as by this point you will have put months of work into creating and implementing an ISMS policy.
However, the audit and your auditor are nothing to be scared of. Your auditor will usually find non-conformities; however, as long as they are minor and you submit an action plan, you will be awarded certification. ISO 27001 is designed for continual ‘self-improvement’: no ISMS is ever 100% perfect, and you should use the minor non-conformities and observations as pointers for improving your ISMS. Furthermore, remember that your auditor is there to help you achieve certification, whilst remaining impartial, and it is likely that they will be your auditor going forward, so it is important to build a good relationship with them.