If you are part of a technology start-up, you know the dilemma of having scarce resources and many demands placed upon them. In particular, if you touch your customers’ data in some way, there can be lots of legitimate questions around cyber security. Recent high profile breaches validate the need to ask such questions as well. Understanding more about our cyber security practices is a very reasonable demand our customers have.
Therefore, a while ago, we decided to embark on our journey towards ISO 27001 certification. We use the word ‘journey’ purposefully, and now that we have successfully finished the first set of audits, we can add: a journey without end. In terms of lessons learned, this is the first one. You are never done with cyber security; it is not a box to be ticked once and forgotten. Rather, it is a constant re-evaluation of risks and responses, especially if you are a nimble technology start-up where the business itself is constantly changing anyway.
To help other technology start-ups out there, we decided to share some considerations of why we undertook the ISO 27001 certification process, as well as our five lessons learned in the process.
Our experience: size doesn’t matter
When discussing our intention to undertake an ISO 27001 certification with our network, we would sometimes get the feedback that this standard was intended for much larger organisations. Why were we putting ourselves through this, if this was the case?
For us, the process was triggered by our customers’ needs, as underlined by the high profile breaches quoted in this blog’s introduction. However, as we got stuck into designing systems and processes that fit our cyber security risk appetite and that were ISO-proof, we realised that size doesn’t matter. Trust needs to be earned, whether you are big or small. And even if you are a small technology start-up, you need to be able to demonstrate that you can be trusted.
Undertaking the ISO 27001 certification shows you are taking information security seriously. In the process of getting certified and setting up adequate systems and processes, there are numerous internal discussions to be had. Risks to be assessed, improvement plans to be drawn up, and monitoring to be set up and iterated on.
These internal discussions serve a huge purpose: they make assumptions around information security explicit and get everyone on the same page about information security, why it matters, and the best way of implementing it in your organisation. Without these internal discussions, no tool or process would ever do the job. It is often said that ‘people’ are the weakest link in cyber security. After our certification experience, we believe a main reason for this can be the absence of those critical internal discussions that make sure everyone understands the "why".
Making the big league easier by getting it right when you are small
After our ISO certification experience, we would go as far as saying it is easier to do when you are in a start-up phase. As a start-up, getting processes, technology and mindsets right early on is easier than retrofitting it all later. In particular, working in a small technology start-up has its advantages when it comes to getting buy-in ‘from the top’. Generally, founders have a fairly good appreciation of why cyber security is important, and there are fewer management layers and people to deal with than in bigger organisations.
A technology analogy would be building software. It’s at least 100x more cost effective to understand (security) requirements from the get-go and build them into your Minimum Viable Product (MVP) from the start, rather than launching an MVP and retrofitting requirements later.
However, it is important to note that just because you are a small organisation, the process does not change. You have to comply with the standard, irrespective of size. There are no benefits to be had in terms of leniency in the audit, cutting process steps, or enjoying ‘light’ versions of certain processes.
Five lessons learned
We promised to tell you how you can do better than us in your ISO audit. To that end, we share with you these 5 lessons we learned the hard way, so that you can set yourself up for success early on.
Even though it never does any harm to offer a lunch time Mario Kart session to your ISO auditor (we had a great time and allowed for some laughs in the process this way), there are some more serious aspects to take into consideration when planning and undertaking your ISO audit:
- Initially, our risk register and the way we dealt with risks in our information security management system were both very focused on… information security. This might seem logical, but we soon discovered that we should think much more broadly about business risks. Many, in fact most, areas of your organisation are interconnected with information security. After a good conversation with our internal auditor, we understood we needed to expand our thinking to strategic risks, HR risks, financial risks, and so on. So we recommend you take this wide-angled view from the start when setting up your risk register and designing your other processes and documentation.
- Don’t think that because it is your first audit, you can leave your internal audit(s) for later. We thought this initially… only to be told we had to re-do our first stage audit as a result. All of Sections 4 through 10 of the standard are mandatory and need to be in place, whether you’re big or small, a start-up or an established organisation.
- Having said that, there are certain things around implementation that you can leave until later. Not wholesale items like the mandatory sections above, but essentially the first year is all about getting the foundations for compliance right, whereas in subsequent years there are higher expectations around compliance maturity. Obviously, there is no one-size-fits-all for this that applies to all organisations. Therefore, we recommend reaching out to someone who has ample experience in undertaking or undergoing these audits with a risk-based approach. They can probably give you pointers specific to your organisation on where you have to get it right the first time, and which areas you can mature into over time.
- Similarly, we recommend reaching out to a couple of auditors and getting to know them before you choose who is going to audit you. There are many approaches to the ISO 27001 audit, and it is important that you are aligned philosophically with your auditor. In addition, it is important that your auditor has experience with your type of organisation, since the nuances of good information security practices differ a fair bit between industries.
- When setting up policies, procedures and other documentation, you can save yourself some time by purchasing good standard ones from a reputable (online) outlet and customising them to your organisation. You can also save time by outsourcing some of the downstream activities in the information security management system to reputable parties, for example some of the monitoring. We are currently exploring options around this, given our own limited bandwidth and resources. So far, we have found there are good options out there.
Undertaking an ISO 27001 certification is a very worthwhile exercise. Not only to demonstrate to the outside world that you are taking information security seriously and can be trusted with your customers’ data, but also to take a good look internally and improve your organisation.
To go through the process you have to learn a lot about your business; it’s a good way to understand more about what you do and what goes wrong in your current practices. An ISO 27001 audit takes a lot of time and effort, but it also brings a lot of value if you take it seriously and don't treat it as just a compliance exercise.
If you would like to discuss further or gain deeper insights around these lessons learned or our journey towards ISO 27001 certification, please don’t hesitate to schedule something with us here. We would love to have a coffee with you to discuss these things.
Photo by Scott Graham on Unsplash