ISO 27001 Certification – From Doubter to Believer

My first ISO experience

Early in my technology career I encountered ISO. My employer was compelled to map and document every aspect and process of the business to gain the necessary certification. It was an arduous and lengthy task, and by the end vast numbers of ring binders were left straining from the reams of paper within. If you ever wanted to understand how the business functioned operationally, it was in there; that is, if you had the time to navigate through the hundreds of divider tabs.

Was there value?

There is no question that it was a useful process: inductions were easier, efficiencies were found, and, in theory, the frequency of repeating the same mistakes was reduced. But in many respects it was the physical nature of the documentation that constrained the associated potential benefits. ISO needed the agility to change and evolve, it needed an index and search, and it really needed the cloud.

The doubter

So, many years later, I was dubious about repeating the certification process again for StrategyBlocks. We (the whole team) all retained an open mind and stayed focussed on the benefits to our customers. StrategyBlocks stores our clients’ strategic plans, their vision for the future, and communicates a roadmap of how, as a team of people, they will get there. It is their “secret sauce” to gaining greater efficiency, improved performance, and market advantage. This means information security is of paramount importance for StrategyBlocks.

What is the ISO 27001 Certification?

Simply put, ISO 27001 is an internationally recognized standard for how to implement and manage information security. At its core is the Information Security Management System (ISMS), whose goal is to describe, manage and ensure the protection of information assets.

I learned much about ISO 27001 as we went through the certification process, and found that in practice it was about risk analysis and mitigation. It works by presenting 114 Controls grouped into 14 Categories (soon to be reviewed and updated late 2022), and each is considered based on its applicability and the accepted level of risk. The controls are then linked back to a range of processes, procedures and policies that describe how each control is managed internally. The system is supported by a range of registers to ensure it is maintained and changes are tracked.

The believer

StrategyBlocks received its ISO 27001:2013 certification in September, with some great support from our auditor Rod Lawrence and our consultant Kaizen. It was less of an audit and felt more like engaging with a specialist business advisor (many thanks Rod).

However, it really helped to be well organized internally: many processes were already in place, but the audit brought them together and identified any gaps. Choosing to utilize the cloud for real-time documentation collaboration, inter-file linking, indexing and search greatly helped. Unlike my early experience with ISO, today it is far more accessible to staff, giving the whole team the ability to access proven, tested practices quickly.

Final thoughts

ISO certification is not to be taken lightly. It is a sizable project in its own right, and it should be, because its value comes from its attention to detail. But the business must be flexible enough to adapt, and the culture accepting of the ongoing change that results from it. Thanks again to our team for embracing the change and to our external partners for helping us along the way.