Get best of the week

5 stages of inevitability of adoption of ISO / IEC 27001 certification. Anger

The second stage of an emotional response to change is anger. This corresponds to our stage of the struggle with the difficulties of the initial preparation for certification - which is what our today's story is about.

image

We started the path to the certificate with the following initial data:

  • certification terms: as soon as possible;
  • budget: the smaller the better (but so that everything is decent);
  • team: 1.5-2 people (project manager + periodically connected IT department staff and management);
  • knowledge of the team in the field of information security: so-so.

image

It doesn't look very impressive, does it? We did not even imagine how many difficulties we would encounter in the process of work and what a serious number of decisions we had to make.

We don’t know anything at all!


One of the main difficulties was that no one in our company had sufficient expertise in the field of information security. None of the employees had any professional certificates or professional experience in implementing an information security management system. This caused serious concern: will we cope with this? Maybe we need some training first? Or is it necessary to hire a person who already has such an experience?

Spoiler:
, 70 .

Indeed, you can hire a consultant, but how can we evaluate his professionalism if we ourselves do not understand anything about this?

Looking ahead, we can say: even with such initial data, the problem turned out to be quite solvable. The main thing is that the team has logic, common sense and a clear understanding of why the company needs certification.

Maybe just google it?


We really didn’t have any expertise, but in the age of modern technology, almost any information is available to us - for free or for very little money. Therefore, at the beginning of the project, we believed that with ease we would find all the necessary information for successful preparation for certification on the Internet, as well as easily download samples of all the necessary documents.

In reality, everything turned out to be completely wrong:

First of all , in principle, we did not quite understand what specifically we needed to “google”.

Secondly , everything that we found in the public domain was very blurry - no specifics, no real cases.

Thirdly, all samples of documents that we found on the Internet were completely irrelevant for our company. And even in English there were practically no easy-to-understand step-by-step instructions and cases of companies that successfully passed certification. Thus, we had to grope the path to the certificate ourselves.

At what end do you start to unravel the tangle?


After an intensive search for information on the Internet, we realized that for starters we should decide on:

  • certification authority;
  • certification consultant (because we really don’t have any expertise - and you need to find someone who already has it);
  • technological tools for the development and maintenance of the system (in subsequent articles we will open this important point in more detail).

The first two are key counterparties during certification; their choice should be taken very carefully (which we did). Thus, the first thing we decided to focus on is holding two tenders to select these key counterparties.

How to choose a certification authority?


Of course, the choice of a certification body depends on the reasons that prompted you to prepare for certification. If you have reached this place in the article, then you probably need a certificate not just for show, otherwise you would have used the services of companies that offer to make a certificate in an hour and 10 thousand rubles. Accordingly, you should focus on certification bodies that have extensive international practice and are accredited in the countries of interest to you.

There are not so many companies ready to certify you in Russia according to the ISO 27001 standard - we selected about 10 decent participants for the tender. Key criteria for selection were:

  • availability of international accreditations,
  • customer portfolio and their recommendations,
  • price.

It is amazing that on the last point we got a spread of almost 10 times ! However, some of the bidders said that they can provide us only with a foreign auditor. This automatically meant passing a certification audit in English, which, in principle, was not a big problem for us, since all key employees know it at a high level, but for someone this can definitely become a problem.

Later we learned that there are very few specialists who can conduct certification audits according to this standard in our country. Almost all of them work for several certification bodies and are familiar with each other.

How to choose a certification preparation consultant?


There are quite a lot of companies offering their services in preparation for certification. However, not all of them can really help - some of them, in fact, just send you policy templates where you need to insert the name of your company, without delving into your business processes. Naturally, this approach will help you a little with certification.

Conceptually, there are 2 solutions to the problem:

  • Preparation by the consultant of all turnkey documents . This approach will undoubtedly allow you to not overload your employees with preparation for certification. However, there is a risk that your processes and procedures will not be adequately documented.
  • Consultant checking the documents prepared by your employees. Here, probably, the quality of the documentation will be better, because it will be prepared by those employees who are familiar with the processes.

In preparation for certification, we acted in the second scenario. Based on our experience, you can give some tips on choosing a consultant for certification:

image

  • Ask for recommendations from consultant companies from certification authorities, among which you are conducting a tender - that’s how we found ours.
  • Negotiate and fix in advance the scope and scope of work, as well as the responsibility of each party.
  • Keep in touch with a consultant regularly throughout the entire period of preparation for certification - this will save time and avoid the need to redo large pieces of documentation.

Okay, but is everything okay now?


In the process of collecting the materials necessary for preparing for certification, surprising things turned out. For example, the fact that ISO 27001 is tied to a number of related standards (which should be read at least superficially).

These are, for example, standards such as:

  • ISO 19011 - Guidelines for auditing management systems
  • ISO 22301 - Business Continuity Management Systems
  • ISO 31000 - Risk Management. Principles and guidelines
  • ISO 27003 - Methods and means of safety. Information Security Management Systems

The above list is fundamental, but not comprehensive. Each company forms it based on its own needs. We chose not to “reinvent the wheel” and, for example, in matters of risk management and audit of management systems, we relied on ISO 31000 and ISO 19011, respectively. The supporting standard ISO 27003 helped us with its accompanying information on the implementation of 27001. But most of all we worked with ISO 22301, which is necessary to describe the part of the policies that are responsible for business continuity plan (BCP).

Spoiler:
, .

The “cherry” on the cake was the lack of relevant texts of these standards in the public domain. If you want to familiarize yourself with the content, buy the official text on the ISO website for ~ 10 thousand rubles.

And how much will it cost?


In preparation for the start of the project, we naturally decided to calculate how much certification would cost us.

Spoiler
100 3 1 ( – ).
The general structure of the costs of certification in our case was as follows:

- costs of the fee to the certification body,
- costs of the fee to the consultant to prepare for certification,
- travel expenses of the auditor,
- hospitality expenses,
- costs of marking documents (for all folders with documents, of which there is an incredible amount in the accounting company, I had to stick stickers of different colors),
- the costs of purchasing the official texts of the standards,
- the costs of equipping all the rooms that go to the common area of ​​business centers, access control systems (access control and management systems),
- the costs of software ( DLP system, implementation of two-factor authorization, etc.),
- modernization of the hardware of the company (both server and operational),
- additional costs for the data center (s),
- man-hours of employees involved in certification.

image

We strongly recommend that you put a reserve in the budget, since it is extremely difficult to predict all the necessary costs before starting the project.

Thus, at the start of the certification project, we experienced a very large amount of anger - fortunately, in the end we managed to cope with this. :)

Read also:

5 stages of inevitability of adoption of ISO / IEC 27001 certification. Denial : misconceptions about certification of ISO 27001: 2013, the desirability of obtaining a certificate /
5 stages of the inevitability of acceptance of ISO / IEC 27001 certification. Anger: Where to start? Initial data. Expenses. The choice of provider.

More articles:


All Articles