ISO is a hot topic. You may see this abbreviation on a certificate or hear an employee say, "We are ISO certified," whenever you visit a business. We conducted a Q & A session to help our readers better understand what ISO stands for. Deva, a GRC and ISO implementation specialist at Briskinfosec, joins us. Abhishek, our client advisor, is the one to begin this discussion. Just became a part of the conversation.
Abhishek: “What is ISO?”
Deva: “ISO (International Organization for Standardization) is an independent, non-governmental, international organization that develops standards to ensure the quality, safety, and efficiency of products, services, and systems.”
Abhishek: “What is ISO 27001?”
Deva: “ISO 27001 is an international standard for how to run a system to protect information (ISMS). It is proof that an organization is managing information security risk in line with the best practices at the time. A new version for the year 2022 came out not long ago."
Abhishek: What’s new in this revision?
Deva: "Yes, this revision adds 11 new controls. In this day and age, information security concerns are more about cloud security and threat intelligence, data masking, DLP, web filtering, and so on. So, all these have been included"
Abhishek: Is this ISO Implementation a one-time activity?
Deva: "This won't be a one-time thing; there needs to be a continuous improvement process. • Controls need to be put in place, tested for effectiveness, reviewed, and changed. And keeps getting better and better at information security."
Abhishek: Then how long does it take for implementation?
Deva: "As you can see, setting up the framework for the first time will involve a number of steps, such as
- Understanding the Context of Organization
- Gap Assessment
- Risk Management
- Documentation & Implementation
- Audit & Review
- Certification Process
Clauses 4 through 10 of ISO 27001 can be put into place in two months.
Depending on the size and structure of the company, putting ISO 27002 controls in place will take about 3 to 4 months.”
Abhishek: “You were telling me about ISO 27002 right; can we get certification for ISO 27002?”
Deva:“ No, ISO 27002 is a list of the best practices to do things (We called it controls). There were about 114 controls that really helped make the organization's information more secure.
ISO 27001 is the standard for management that says what needs to be done. So, this standard is the only one that can be used for certification.”
Abhishek: “Who can choose ISO 27001, whether it is for only IT companies or some-other industries?”
Deva: “ Not at all. ISO 27001 can be used by any company, big or small, in any industry, for any product or service, if they really want to protect their information, data, paper documents, and intellectual property.”
Abhishek: “Do you think that this ISO 27001 is implemented for marketing tactics.”
Deva: “ISO 27001 is clear proof that customers have been involved in the process. Even more important, the organization starts to handle information better. People who work for the company know how much the information they make or use is worth. Customers will trust the company more over time as a result..”
Abhishek: “When you speak more about Information Security, whether this ISO 27001 relied on the IT department?”
Deva: “This is not true. People tend to think that the IT department is the only one responsible for putting information security procedures into place. But it does involve people and processes both inside and outside of IT.
Senior management is important for the successful implementation of ISO 27001 in all departments, not just IT..”
Abhishek: “I need to come for the core part of this LIVE. How does the organization’s implementation of ISO 27001 fail?”
Deva: “See, there are a lot of things that really cause the implementation to fail. But I'd like to point out three important reasons that really have more of an effect.
- Only one person is working on a project
- Single project manager
- Allocating all tasks (Example: Risk Management)
- No steering committee
- No contingency for that person.
- Top Management does not understand why this is useful
- Sending a detailed written proposal on 100 pages.
- Presenting a project status in a 2-hour meeting.
- Focusing on technical instead of business issues.
- Lack of Project visibility where the implementation stands.
- Choosing the wrong implementer
- Implementation steps not align with the standard
- Doing implementation without doing a risk assessment
- Writing too many documents for each control
- Creating rules which are not doable in practice
- Implementing for namesake. The certificate will be obtained and hung on the wall. But real benefits cannot be achieved by the company.”
Abhishek: “What is the uniqueness of Briskinfosec in the ISO implementation part.”
- We always don’t rely on pre-existing templates & tools available on the internet.
- We develop appropriate documents tailor-made for that company in line with the standard.
- Visibility is the key to successful implementation. Our project management techniques will be very transparent so that top management can have clear visibility of the project in one touch.
- We like to engage with an organization that likes to implement ISO 27001 in letter & spirit
- We have a brisk maturity model to identify the maturity of the organization during the implementation.”
We hope you now understand what ISO 27001 means. Companies that deal with information have to do it. If you have questions or concerns about ISO 27001, please get in touch with us.