Tackling ISO 27001 – Insights and Advice

By Eddie Beaton on 12th January, 2015.

Obtaining ISO 27001

Following the introduction of a new management team, Secura took the decision to begin the process of obtaining ISO 27001:2013 certification.

The main reason for this decision by the senior management team was to be able to demonstrate to the market that the implementation and service delivery teams in Secura Hosting operate to the highest security and service management standards. This process also allowed the senior management team to identify areas of improvement for the business based on the guidelines in ISO 27002:2013.

This article aims to give an insight into the process involved in obtaining the certification and to offer other businesses who are thinking of going for certification some useful and practical advice. Furthermore, it will provide details on the effectiveness of developing an Integrated Management System Manual and how this works with the other ISO certifications that Secura has attained, namely ISO 9001 & ISO 20000-1. Finally, the article will provide some useful insight for those who are thinking about an ISO certification including: where to start, the audit process, structuring your documents, time-scales and how to use a consultant.

Secura’s ISO strategy

Within the UK Cloud Hosting market ISO accreditations are a key tool in demonstrating to potential customers that the company is a robust and efficient operation. They provide reassurance that the customer is selecting a supplier with the appropriate processes and controls in place to effectively and securely supply the services offered.

At Secura, the culture and attitude towards ISO is disseminated from the senior management team all the way through the organisational structure. Secura has found that ISO standards are a much more useful tool when integrated into the processes and controls within a business rather than aligned directly alongside them. All of the operational processes and controls within Secura are designed to comply with ISO requirements but are based on what we do on a day-to-day basis. Put simply, this is the most efficient method of adopting ISO certifications, as we meet the standard by doing the jobs at hand.

Useful Points for First Time Adopters

Below are a few useful pointers on getting started with adopting any of the three ISO certifications Secura has obtained (as well as quickly figuring out whether it’s for you!).

Internal vs Outsourcing

You may consider initially whether you could outsource the process of obtaining the certifications. Perhaps the biggest piece of advice we could give is that it is essential to recognise that the business must provide sufficient and appropriate staff resource to ensure that the processes and controls are effectively implemented throughout the business, the biggest resource being senior management.

Consideration should also be given to whether the attitude toward ISO would change if the responsibility for administering the processes and controls fell to somebody outside of the company. The risk is that there could be an atmosphere of no accountability within the company and that ISO is rejected rather than embraced by all staff. Knowledge (of the standards) is power, and having a workforce that understands the requirements and why processes are done in a particular way is one of the key objectives of the ISO certifications. It is also rigorously tested at the internal and external audits!

We decided to use an experienced consultant to work with us and his main role was to:

  • Advise us on the structure of the documentation pertaining to our internal systems and to review the documentation prepared by us, to ensure it complied with the requirements of the ISO standards
  • Advise on exclusions of certain parts of the standard deemed not relevant to our company (these will become clear!)
  • Perform the internal audit (probably the largest part of the consultancy cost and something we would highly recommend)
  • Draft certain documents very specific to ISO (The Integrated Management System Manual)
  • Administer & record the annual management review
  • Ensure we had sufficient evidence to demonstrate the implementation of the systems for the certification audit

Secura’s management team and staff found that this balance was just right and that everybody within Secura understood why things are done in a specific way.

The Team

You will need to nominate a management representative who will effectively be the individual in charge of the ongoing process of ensuring the organisation meets the requirements of the standards. This doesn’t necessarily need to be a member of the board (but is ideally a member of the senior management team).

You will also want to consider who is best suited to take on the role. The ideal candidate is someone who has good attention to detail, understands or has experience with internal controls and obviously some degree of team and project management skills. The individual should also have good visibility over the whole company.

The size of the team depends on the complexity of your ISO scope. The business could be a FTSE 100 but if the company operations are focused on one sole task, then it is fairly simple. However, if the company has several different types of operations with different requirements then the job becomes larger.

Document Structure

Document structure is key to ensuring that the process of obtaining certification is smooth and structured. Most companies will have several different manuals (or handbooks) that will state company policies on various matters as well as detailing the processes and controls within a business. These documents will provide the basis for your documented ISO systems.

ISO 27001 requires you to create a Statement of Applicability (SOA). This document is not technically required for all standards; however, our experience is that it is well worth producing for every standard being obtained. The document effectively bridges the standard to the company policies, processes and controls that ensure the specific requirements of the standard are met. We found that the Stage 1 audit by our UKAS accredited certification body was structured and driven through a review of these SOAs. The SOA also acts as a referencing guide from each clause of the standard to the policy or process that addresses it.

Application of the Integrated Management System Manual

The Integrated Management System Manual (‘IMSM’) describes the structure of the documentation for several ISO standards and how the company complies with them.

ISO certifications are designed so that each certification is autonomous. Naturally, similarities arise between the certifications, which can lead to vast amounts of duplicated documents when each standard is addressed separately.

The key benefit of adopting an IMSM is to reduce/eradicate this duplication and to streamline the processes and controls within the business, while not hindering the business from meeting the requirements of the standard.

When drafting the IMSM, Secura found that the areas where the IMSM could be applied to cover all three of the ISO certifications being obtained generally related to higher level, more generic areas.

Some examples of this are:

  • Leadership and commitment
  • Objectives of the company
  • Responsibilities within the company (in particular, covering the management representative role)
  • Operational planning and control
  • Company resourcing
  • Internal and external communication
  • Awareness of stakeholders with regards to ISO
  • Documented information (including documentation creation & update of records)
  • Performance measurement
  • Internal audit commitment and procedure
  • Management review policy
  • Contact with authorities & special interest groups
  • Information security

Time Scales and Cost

Time scales and cost will vary based on a number of factors: size of business, number of business units, resource etc. Secura managed to complete the process from initial engagement with our consultant to certification in 4 months. This, by any standards, was very quick. The key reason we were able to complete the process so quickly was our in-house expertise with ISO certifications and the approach of our consultant. It is important to point out that it is not essential for the in-house experience to be in the specific certification being sought. Whilst the certifications do differ, the process of analysing and interpreting the standards is very similar. Therefore, in-house experience that is not strictly related to the specific certification being sought is still very helpful.

There are several elements to consider when reviewing the financial cost of obtaining the certification.

There are the isolated financial costs such as:

  • Consultancy costs
  • Stage 1 and Stage 2 audit
  • Annual audit costs

Furthermore, there are hidden or ‘sunk’ costs to consider:

  • Senior management time
  • Staff training
  • Implementation of new or revised systems and processes
  • Continuous training and management of processes

The Secura compliance team found that the best source of cost assessment is an initial discussion with your consultant.

A consultant’s experience of working with different types of companies in different industries will allow comparisons to be made, including:

  • An assessment of initial audit cost (usually based on the number of days the audit will take)
  • An assessment of the on-going audit cost
  • An assessment of the number of consultancy days
  • An assessment of the internal operations of the business and their complexities
  • A review of the current documentation and a gap analysis to make it acceptable for the standard (this will give an idea of the ‘sunk’ costs the business will incur)

Final Thoughts

We believe that proper planning is the key to ensuring the process runs as smoothly and efficiently as possible. Starting with a simple gap analysis between where you are now and where you need to be will ensure that you do not duplicate a process you already have in place.

It’s important to remember that, as a business considering going for ISO, the chances are that you already have a lot of the systems, processes and controls in place; it will simply be a case of documenting the process and ensuring you can provide evidence at the audit.

In terms of whether it’s right for you or not, put yourself in your customer’s shoes and consider if you would see benefits in your business being accredited. This is perhaps the easiest test to ascertain whether the costs can be justified.

A Big Thank You

I’d like to say a big thank you to Peter Kay from Peritus Management Consultants for both his support during our audits and his invaluable advice and guidance while writing this article. You can contact Peter by telephone on 07714 088801 or by email at peterk@peritus.uk.com.

Eddie Beaton

Chief Financial Officer

As CFO, Ed makes sure Secura's finances are run like a well-oiled machine. He also monitors excessive stationery usage like a hawk, swooping down on offenders with alacrity.