The recent hack of the Colonial Pipeline, which has crippled the transmission of fuel in the Southeast United States, serves as a stark and alarming reminder to all businesses of the vulnerability of information systems to security breaches, hacks, and ransomware attacks. Over the last several years, most businesses have worked diligently to increase cybersecurity to defend against such attacks, including the adoption of ISO 27001.
ISO 27001 is an international framework that establishes requirements for what has been termed an “Information Security Management System” (ISMS). ISO 27001 was designed to be usable across industries and regardless of the size of the organization. In short, ISO 27001 provides a roadmap for how to implement, manage, and maintain an effective information security program within your organization. Among its best practices are recurring internal audits of compliance with ISO 27001.
Businesses are asking questions about ISO 27001, and rightly so. The two questions we are asked most often are, “When is the right time to pursue an ISO 27001 security audit?” and, “Where are the areas where we will be impacted most?” These are good questions and, while the answers have changed somewhat over the years, here is how we guide clients toward maximum compliance.
1. Adopt an Auditable Security Posture Sooner
We used to answer the question of “When?” with, “Never!” The rationale was, why would you choose to create an unnecessary recurring annual expense for your business? However, things have changed.
What we have seen is that those companies that adopted an auditable security posture sooner rather than later have grown much more quickly. In years past, security was often seen as an impediment to growth. Now, with the benefit of hindsight, we have seen how quickly those clients scaled their businesses because the sales process was shortened markedly by having an independent security audit report and a certification such as ISO 27001 to hand to a prospect.
2. System-Wide Changes Will Effect the Greatest Benefits
Without mincing words, ISO 27001 compliance will impact your entire organization, forcing system-wide change. But these changes will be for the better. Although ISO 27001 addresses security techniques for Information Technology, the framework opens with requirements for Leadership, (Security) Planning, and (Security) Support among other entity-level items.
If you have worked with companies subject to the HIPAA Security Rule, HITRUST, PCI, FISMA, SOC 1, or SOC 2 as an internal auditor or consultant, you will see how many of the requirements overlap. The ISO 27001 document, which can be purchased at either www.iso.org or www.ansi.org, focuses on how to establish an information security function at your organization.
3. Invest in a Guide for Greater Ease
Appendix A within ISO 27001 lays out the technical controls, which also represent requirements. I would definitely recommend spending the money on the ISO 27002 guide, which goes into greater detail on the Appendix A security controls, including implementation guidance.
If you are in an internal audit or compliance role, one of the most difficult parts of becoming an ISO 27001 certified organization is getting the executive management team to embrace the required tone at the top and to actually evidence their support.
The ISO 27001 guide controls are referred to as “clauses,” and these too must be evidenced, even though they are strategic rather than operational in nature. The clauses establish the tone at the top and how the executive team will execute its information security strategy.
—
As most of us who have been in the business a while can attest, implementing change is difficult, and getting the top executives to change the way they do things can be even more difficult. The good news for you is that there is always a critical driver—motivated boards of directors, key customers, or prospects, for example—that represents an enormous lever for you as the change agent.
Jay Anthony is CEO and founder of Audit Liaison, based in Tampa, Fla., which provides audit and security compliance support to small and medium-sized companies across the United States.