5 stages of inevitable adoption of ISO / IEC 27001 certification. Bargaining

The third stage of emotional response to change is bargaining. Having dealt with our anger and the emotional component, we began to think about what really needed to be done so that everything would work for us. It was time to study the standard in more detail, apply it to our current situation and adapt its requirements to our company. Here it was important to get by with as little effort as possible while still meeting the requirements of the standard. Any change had to be adequate, that is, commensurate with the corresponding risk: the cost of protection should not exceed the possible damage from the risk being realized.






On this path, we had to solve many problems that we had never encountered before:



Choosing a tool for working on a policy library



The first (seemingly very simple) question we faced was where to create and how to store all the necessary documents of the information security management system. It was extremely important for us to keep the version history of documents and to be able to roll a policy back several revisions. After reviewing the offerings on the market, we settled on the Confluence wiki, and we use it to this day.



We could have used git for version control, but for the convenience of users we chose a portal solution (Confluence). We managed to stay within the free version (up to 10 authorized users): we didn't need any more, since users who were not logged in could still view the library.



Preparing an implementation plan



Here we did not apply any creative methods: we simply asked our consultant for a list of the necessary policies, appointed people responsible for writing and approving each of them, set key dates and put it all into a Gantt chart (which was also uploaded to Confluence).



Company risk assessment



Obviously, in order to choose protective measures we needed to assess the risks (so as to spend resources only where they were really needed). To do this, we drew up a list of the company assets we planned to protect; it included both physical assets (workstations, servers, paper documents, etc.) and intangible ones (client information in electronic form, passwords, etc.).



With the help of an expert team, each asset was assigned a specific value. Next, we linked each asset to one or more risks to which it might be exposed (for example, paper documents may be stolen, destroyed, etc.). Then we evaluated the significance of each risk as the product of two parameters: the probability of the risk and the severity of the consequences if it is realized.
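The risk register described above, as an added illustration rather than the company's own tooling: each asset carries a value, each linked risk a probability and an impact, significance is their product, and risks are sorted into treatment groups. The 1..5 scales, the group thresholds and the sample assets are assumptions constructed for this example; the proportionality check encodes the rule that protection should not cost more than the possible damage.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    name: str
    probability: int      # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int           # 1 (negligible) .. 5 (critical); assumed scale
    control_cost: int     # estimated cost of the proposed safeguard (constructed)
    damage: int           # estimated loss if the risk is realised (constructed)

    @property
    def significance(self) -> int:
        # The article's formula: probability multiplied by severity of consequences.
        return self.probability * self.impact

    @property
    def proportionate(self) -> bool:
        # The article's rule: a safeguard must not cost more than the possible damage.
        return self.control_cost <= self.damage

@dataclass
class Asset:
    name: str
    value: int            # value assigned by the expert team; assumed scale 1..5
    risks: list = field(default_factory=list)

def group_for(significance: int) -> str:
    """Map a significance score to a treatment group (thresholds are assumed)."""
    if significance >= 15:
        return "first"
    return "second" if significance >= 8 else "later"

def build_register(assets):
    """Flatten assets and their linked risks into rows ordered by what to treat first."""
    rows = [{"asset": a.name, "risk": r.name, "significance": r.significance,
             "group": group_for(r.significance), "proportionate": r.proportionate}
            for a in assets for r in a.risks]
    rows.sort(key=lambda row: -row["significance"])   # stable: ties keep input order
    return rows

# Constructed sample register, not the company's real data.
SAMPLE_ASSETS = [
    Asset("paper contracts", 4, [Risk("theft", 2, 4, 300, 5000),
                                 Risk("fire", 1, 5, 8000, 5000)]),
    Asset("client database", 5, [Risk("leak by privileged user", 3, 5, 4000, 50000)]),
    Asset("server room", 5, [Risk("outage with no standby site", 4, 4, 20000, 60000)]),
    Asset("workstations", 3, [Risk("phishing of untrained staff", 5, 3, 500, 8000)]),
]
```

Calling `build_register(SAMPLE_ASSETS)` returns the rows with the highest-significance risk first; a row whose `proportionate` flag is False signals a safeguard that costs more than the damage it prevents and needs a cheaper treatment or acceptance of the risk.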



Once the risks were categorized into groups, we understood which of them we should work on first:







1. Gaps in the knowledge of employees



The most common risk was the human factor. In addition, we were being certified for the first time, so we faced the question of teaching the basics of information security. Having developed the training program, we then faced the problem of automating the process and checking how much knowledge was retained. As a result, we started using the testing system built into our corporate portal.



2. Lack of backup computing power



This problem required large financial and human resources, so it would have been wrong to leave it until the end. We selected a site for backing up our main services: at the initial stage we used IaaS (infrastructure as a service), which allowed us to set up a standby for the company's main services quickly and cheaply; later we purchased additional equipment and set up the standby in a separate data center (colocation). Subsequently, we abandoned the "cloud" solution in favor of the data center because of the large amount of data.



3. Control over "super-users", as well as over those who work with particularly sensitive information



In other words, we needed to establish control over users with extensive access to confidential information. We solved this problem with the help of a DLP system. We chose the domestic product StaffCop for its reasonable price and good technical support.



Writing policies



Here we drew on every resource available:

- used the policies of other companies that we found in the public domain;

- requested examples of policies from our implementation consultant;

- wrote the texts of the policies ourselves, based on the requirements of the standard.

In the end, it was the third (and most difficult) path that worked best. It took quite a long time, but in the end we had well-drafted documents written specifically for our company. As a result, we ended up with 36 basic policies of the Information Security Management System.



Distribution of roles



Obviously, not all of these policies were really necessary for our employees in their daily work. So as not to force them to read too much, we assigned each employee one or more roles in the ISMS. There were 5 roles in total:







Absolutely all employees had at least one role: "user".



In the description ("passport") of each role, we set out the corresponding information security responsibilities, with an attached list of the policies that an employee with that role had to comply with. For convenience, we also drew a graphical organizational chart of the company showing each employee's roles.



Involving colleagues



In addition to the project manager and the head of the IT / IS department, the company's COO was involved in assessing the risks and describing the requirements of stakeholders. It also took significant involvement from the Head of HR: she needed to describe in the policy the full life cycle of an employee, from the job application to the period after dismissal. Fortunately, all our colleagues understood the importance of certification and accommodated us.



Technical aspects



During the preparation process, we realized that in order to meet the requirements of the standard we needed at least the following:

  • Move the servers to an external data center;
  • Equip all offices with an ACS (access control and management system).

Later, many other things were added to these two points: the introduction of a DLP system, the launch of a backup data center, the introduction of two-factor authentication, etc.



Thus, adapting the requirements of the standard to our company took quite a significant amount of work.



In previous materials:



5 stages of inevitable adoption of ISO / IEC 27001 certification. Denial: misconceptions about ISO 27001:2013 certification; the desirability of certification.

5 stages of inevitable adoption of ISO / IEC 27001 certification. Anger: Where to start? Initial data. Expenses. Choosing a provider.


