As many organisations start to examine how well they responded to Covid-19 and how they could have done better, the topic of ‘business resilience’ arises.
In the world of management systems, the obvious one that springs to mind which would have helped organisations ride this out is ISO 22301 Business Continuity Management Systems. Having plans for dealing with disruptions to your organisation is just good management practice. And getting them tested by a third party auditor really does keep you on your toes. (In fact, a study by the Business Continuity Institute in 2018 found that 54% of respondents used ISO 22301 as a framework but didn’t get their systems certified. The problem for many of these organisations is that without having a third party audit by an expert auditor who’s seen it all, they don’t get the benefit of being assessed against the highest standards and possibly don’t even test their business continuity plans at all – a recipe for failure.)
Anyway, back to the point. Perhaps one thing we didn’t anticipate in the pre-lockdown early months of 2020 was just how invaluable ISO 27001 Information Management would prove to be. With so many of us working from home – handling our employer’s sensitive data and managing client records from a laptop perched on the kitchen table connected to our domestic Wi-Fi network – the vulnerabilities of work practices have been thoroughly tested. And I have heard of too many that have stretched beyond breaking point.
This is where ISO 27001 comes into its own. It incorporates elements of business continuity and disaster recovery to help you keep your organisation functioning when the unexpected happens. In other words, it makes you more resilient.
You can learn more about ISO 27001 on our product page. If you’re well ahead in your planning, or just want a clearer idea of the details involved in implementing ISO 27001, you can get a copy of our free ISO 27001 Gap Analysis.
But while I have your attention, I’d just like to talk about a couple of things you won’t find on those links.
Firstly, and possibly the most important tip when thinking about introducing ISO 27001 (or indeed any ISO standard) – and a statement of the blindingly obvious, you might say – is know what you are doing.
Know what you are doing
It may not be gripping, but really, you should read the standard. And in the case of ISO 27001 it’s not a bad idea to read the commentary ISO 27002 document as well. It provides useful guidance on the application of ISO 27001 (but you can’t be held to it; after all, it’s only guidance). Make sure you know the standard. We auditors see way too many trying to bluff it. Don’t!
While you’re in this phase of your journey, make sure you know what you are already doing. You can’t possibly have got this far in your business life without some sort of Information Security controls: physical security, staff training and competence, passwords, firewalls etc. Many of these things are the controls listed in Annex A of the standard. There’s no need to reinvent the wheel if you already have controls in place and they are functioning well!
Get to grips with both of those things and you may find that not only is implementing ISO 27001 not as intimidating as you might have previously thought, but you may well be following best practice in many areas already.
Misconceptions about ISO 27001
Spoiler alert! If you’ve not yet read the standard, you may want to stop reading now as I expose some of the myths about ISO 27001.
- ‘It’s all about IT.’ Wrong. It’s about information security. ISO 27001 is relevant even if all you have is quill pens and parchment – it’s still information. Information is held in many ways; paper, websites, people’s heads. It just so happens that these days a lot is on computers.
- ‘We can’t adapt it to our needs.’ Wrong, and this applies to all ISO management systems. Many people think a standard tells you exactly what you must do such as screening and vetting of staff and complexity of passwords etc. ISO standards don’t do this. They give broad outlines on areas such as risk assessment and context but don’t tell you how. Prescriptive standards seem easy; just follow the rules and you pass but often you find yourself changing the organisation to fit the rules. Management standards require a little bit more initial thought but, in the end, you develop a system that suits you.
- ‘It’s just about keeping information confidential. We do that already.’ Wrong. The key requirements are in an acronym CIA – Confidentiality, Integrity and Availability. Information needs the right amount of secrecy, but it also needs to be correct and complete and to be readily available for people when they need it. This creates a balancing act as these can work against each other. It’s not easy to keep information confidential if lots of people need to see it.
Don’t just think about the core of your business. Many non-conformances occur on side issues; staff records, supplier information, old records held in that shed at the back of the building etc. Funnily enough, this is how ‘hackers’ and criminals get in; round the back and sides. Ultimately, if you can’t organise you core business right you shouldn’t be in business, but the true test is how you control the edges. The best organisations do this.
Follow the above and you’re on the right road to ISO 27001 certification and a more resilient business.
We’ll be following up with more detail on the implementation of ISO 27001 and more free, downloadable content. So please be sure to follow us.