As many organisations start to examine how well they responded to Covid-19 and how they could have done better, the topic of "business resilience" arises.
In the world of management systems, the obvious one that springs to mind which would have helped organisations ride this out is ISO 22301 Business Continuity Management Systems. Having plans for dealing with disruptions to your organisation is just good management practice. And getting them tested by a third party auditor really does keep you on your toes. (In fact, a study by the Business Continuity Institute in 2018 found that 54% of respondents used ISO 22301 as a framework but didn't get their systems certified. The problem for many of these organisations is that without having a third party audit by an expert auditor who's seen it all, they don't get the benefit of being assessed against the highest standards and possibly don't even test their business continuity plans at all – a recipe for failure.)
Anyway, back to the point. Perhaps one thing we didn't anticipate in the pre-lockdown early months of 2020 was just how invaluable ISO 27001 Information Management would prove to be. With so many of us working from home – handling our employer's sensitive data and managing client records from a laptop perched on the kitchen table connected to our domestic Wi-Fi network – the vulnerabilities of work practices have been thoroughly tested. And I have heard of too many that have stretched beyond breaking point.
This is where ISO 27001 comes into its own. It incorporates elements of business continuity and disaster recovery to help you keep your organisation functioning when the unexpected happens. In other words, it makes you more resilient.
You can learn more about ISO 27001 on our product page. If you're well ahead in your planning, or just want a clearer idea of the details involved in implementing ISO 27001, you can get a copy of our free ISO 27001 Gap Analysis.
But while I have your attention, I'd just like to talk about a couple of things you won't find on those links.
Firstly, and possibly the most important tip when thinking about introducing ISO 27001 (or indeed any ISO standard) – and a statement of the blindingly obvious, you might say – is know what you are doing.
Know what you are doing
It may not be gripping, but really, you should read the standard. And in the case of ISO 27001 it's not a bad idea to read the accompanying ISO 27002 guidance document as well. It provides useful guidance on the application of ISO 27001 (but you can't be held to it; after all, it's only guidance). Make sure you know the standard. We auditors see way too many trying to bluff it. Don't!
While you're in this phase of your journey, make sure you know what you are already doing. You can't possibly have got this far in your business life without some sort of Information Security controls: physical security, staff training and competence, passwords, firewalls etc. Many of these things are the controls listed in Annex A of the standard. There's no need to reinvent the wheel if you already have controls in place and they are functioning well!
Get to grips with both of those things and you may find that not only is implementing ISO 27001 not as intimidating as you might have previously thought, but you may well be following best practice in many areas already.
Misconceptions about ISO 27001
Spoiler alert! If you've not yet read the standard, you may want to stop reading now as I expose some of the myths about ISO 27001.
- "It's all about IT." Wrong. It's about information security. ISO 27001 is relevant even if all you have is quill pens and parchment – it's still information. Information is held in many ways: paper, websites, people's heads. It just so happens that these days a lot is on computers.
- "We can't adapt it to our needs." Wrong, and this applies to all ISO management systems. Many people think a standard tells you exactly what you must do, such as screening and vetting of staff, complexity of passwords etc. ISO standards don't do this. They give broad outlines on areas such as risk assessment and context but don't tell you how. Prescriptive standards seem easy; just follow the rules and you pass, but often you find yourself changing the organisation to fit the rules. Management standards require a little bit more initial thought but, in the end, you develop a system that suits you.
- "It's just about keeping information confidential. We do that already." Wrong. The key requirements are in an acronym, CIA – Confidentiality, Integrity and Availability. Information needs the right amount of secrecy, but it also needs to be correct and complete and to be readily available for people when they need it. This creates a balancing act as these can work against each other. It's not easy to keep information confidential if lots of people need to see it.
And finally…
Don't just think about the core of your business. Many non-conformances occur on side issues: staff records, supplier information, old records held in that shed at the back of the building etc. Funnily enough, this is how "hackers" and criminals get in; round the back and sides. Ultimately, if you can't organise your core business right you shouldn't be in business, but the true test is how you control the edges. The best organisations do this.
Follow the above and you're on the right road to ISO 27001 certification and a more resilient business.
We'll be following up with more detail on the implementation of ISO 27001 and more free, downloadable content. So please be sure to follow us.