Expectation
The first question we asked after choosing a certifying authority and a consultant was: how long would it take us to make all the necessary changes?
The original work plan was scheduled so that we had to fit everything into 3 months.
Everything looked simple: we had to write a couple of dozen policies and slightly change our internal processes, then train colleagues on the changes and wait another 3 months (so that there would be "records", that is, evidence that the policies were functioning). It seemed that that was all - and the certificate was in our pocket.
In addition, we were not going to write policies from scratch - after all, we had a consultant who, as we thought, would hand us all the "correct" templates. As a result of this reasoning, we set aside 3 days for the preparation of each policy.
The technical changes also did not look intimidating: we had to set up the collection and storage of events, check whether the backups complied with the policy we had written, re-equip the access control system (ACS) cabinets where necessary, and a few other little things.
The team preparing everything needed for certification consisted of two people. We planned that they would work on the implementation in parallel with their main responsibilities, and that each of them would spend a maximum of 1.5-2 hours a day on it.
In summary, our view of the forthcoming volume of work was quite optimistic.
Reality
In fact, of course, things were different: the policy templates provided by the consultant turned out to be mostly inapplicable to our company, and there was almost no clear information on the Internet about what to do and how. As you can imagine, the plan to "write one policy in 3 days" failed miserably. So we stopped meeting the deadlines almost from the very beginning of the project, and morale slowly began to drop.
The team's expertise was disastrously small - so much so that it was not even enough to ask the consultant the right questions (and the consultant, by the way, did not show much initiative). Things began to move even more slowly when, 3 months after the start of implementation (that is, at the moment when everything should have been ready), one of the two key participants left the team. In his place came a new head of the IT service, who had to complete the implementation in a short time and provide the information security management system with everything most essential from a technical point of view. The task looked daunting... Those in charge began to get depressed.
In addition, the technical side of the issue also turned out to be "nuanced". We faced the task of a global software modernization, both on workstations and on server hardware. While configuring the system to collect events (logs), it turned out that we did not have enough hardware resources for it to function normally. The backup software also needed upgrading.
Spoiler alert: As a result, the ISMS was heroically implemented in 6 months. And no one even died!
What has changed the most?
Of course, in the process of introducing the standard, a large number of small changes occurred in the company's processes. We have highlighted the most significant ones for you:
- Formalization of the risk assessment process
Previously, the company did not have any formalized risk assessment procedure - it was done only in passing, as part of overall strategic planning. One of the most important tasks solved within the framework of certification was the implementation of the Company's Risk Assessment Policy, which describes all stages of this process and the persons responsible for each stage.
- Control over removable media
One of the significant risks for the business was the use of unencrypted USB flash drives: in fact, any employee could copy any information available to him onto a USB flash drive and, at best, lose it. As part of the certification, the ability to copy any information to flash drives was disabled on all employee workstations - writing to removable media became possible only by request to the IT department.
- Superuser control
One of the main problems was the fact that all employees of the IT department had absolute rights in all of the company's systems - they had access to all information. At the same time, no one really controlled them.
We have implemented a Data Loss Prevention (DLP) system, a program for monitoring employee actions that analyzes, blocks, and alerts on dangerous and unproductive activities. Now notifications about the actions of IT department employees are sent to the COO's mailbox.
- An approach to organizing information infrastructure
The certification required global changes in approach. We had to upgrade a number of server equipment due to the increased load. In particular, we allocated a separate server for the event collection system, equipped with large and fast SSD drives. We abandoned the backup software and opted for storage systems that have all the necessary functionality out of the box. We took several big steps towards the concept of "infrastructure as code", which saved a lot of disk space by not backing up a number of servers. In the shortest possible time (1 week), all workstations were upgraded to Windows 10. One of the issues the upgrade solved was the ability to enable encryption (available in the Pro edition).
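The two workstation controls described above (write blocking for removable media, and encryption made possible by the Windows 10 Pro upgrade) are the kind of thing an auditor will ask to see evidence of. The following PowerShell script is an added example, not code from the article or its company: it is a read-only check that a workstation still has both controls in place. It assumes the write block was applied through the standard Group Policy setting "Removable Disks: Deny write access" (which lives under the registry key shown) and that encryption means BitLocker on the system drive; the article does not say which mechanism the company actually used.

```powershell
# Added example (not from the original article): audit a Windows 10 workstation for
# removable-media write blocking and system-drive encryption. Read-only; changes nothing.
# Run in an elevated PowerShell session so the BitLocker cmdlet can read volume status.

# Registry location behind the Group Policy "Removable Disks: Deny write access".
# The GUID is the Windows device setup class for removable disks.
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDiskClass"

function Test-RemovableWriteBlocked {
    # $true only when the policy key exists and Deny_Write is set to 1.
    if (-not (Test-Path -Path $PolicyKey)) { return $false }
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.Deny_Write -eq 1)
}

function Test-OsDriveEncrypted {
    # $true when BitLocker protection is switched on for the system drive.
    # Get-BitLockerVolume ships with the BitLocker module on Windows 10 Pro/Enterprise.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    return ($null -ne $vol) -and ($vol.ProtectionStatus -eq 'On')
}

function Get-WorkstationAuditReport {
    # One object per host; easy to export to CSV or forward to the event collector.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        OSCaption             = $os.Caption
        OSBuild               = $os.BuildNumber
        RemovableWriteBlocked = Test-RemovableWriteBlocked
        OsDriveEncrypted      = Test-OsDriveEncrypted
        CheckedAt             = (Get-Date).ToString('s')
    }
}

$report = Get-WorkstationAuditReport
$report | Format-List

# A non-zero exit code lets a scheduled task or management tool flag the host.
if (-not ($report.RemovableWriteBlocked -and $report.OsDriveEncrypted)) { exit 1 }
```

Running this on a schedule and keeping the output is exactly the kind of "record" the Expectation section talks about: it turns "we disabled USB writes" from a statement into evidence that the control is still active on every workstation. Hosts where IT has granted a temporary write exception by request will show up as non-compliant, which is the desired behaviour, since each exception should be traceable to a ticket.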
- Control over paper documents
The company had significant risks associated with the use of paper documents: they could be lost, left in the wrong place, or improperly destroyed. To minimize this risk, we marked all paper documents according to their degree of confidentiality and developed a procedure for destroying each type of document. Now, when an employee opens a folder or picks up a document, he knows exactly what category this information falls into and how to handle it.
- Lease of a backup data center
Previously, all company information was stored on servers located in a third-party secure data center. However, this data center had no emergency procedures. The solution was to rent a backup cloud data center and back up the most important information there. Now the company's information is stored in two geographically remote data centers, which minimizes the risk of losing it.
- Business Continuity Testing
For several years, our company has had a Business Continuity Policy (BCP) that describes how employees should act in various negative scenarios (loss of access to the office, an epidemic, power outages, etc.). However, we had never tested continuity - that is, we had never measured how long it would take to recover the business in each of these situations. In preparation for the certification audit, we not only did this, but also developed a business continuity test plan for the following year. It is worth noting that a year later, when we were faced with the need to switch fully to remote operation, we coped with this task in three days.
It is important to note that all companies preparing for certification have different starting conditions - therefore, in your case, completely different changes may be required.
Employee reaction to changes
Oddly enough, this is where we expected the worst, but it turned out not so bad. It cannot be said that colleagues received the news about certification with great enthusiasm, but the following was clear:
- All key employees understood the importance and inevitability of this event;
- All other employees followed the lead of the key employees.
Of course, the specifics of our industry, outsourced accounting, helped us a lot. The vast majority of our employees cope excellently with the constant changes in the legislation of the Russian Federation. Accordingly, the introduction of a couple of dozen new rules that now had to be observed was nothing out of the ordinary for them.
We prepared new mandatory ISO 27001 training and testing for all our employees. Everyone obediently removed the sticky notes with passwords from their monitors and cleared the desks littered with documents. No loud discontent was noticed - in general, we were very lucky with our employees.
Thus, we passed the most painful stage - "depression" - associated with changes to our business processes. It was long and difficult, but the result ultimately exceeded all the wildest expectations.
Read the other materials in the series:
5 stages of inevitable adoption of ISO/IEC 27001 certification. Denial: misconceptions about ISO 27001:2013 certification, the feasibility of obtaining a certificate.
5 stages of inevitable adoption of ISO/IEC 27001 certification. Anger: Where to start? Initial data. Expenses. Choosing a provider.
5 stages of inevitable adoption of ISO/IEC 27001 certification. Bargaining: preparing an implementation plan, assessing risks, writing policies.
5 stages of inevitable adoption of ISO/IEC 27001 certification. Depression.
5 stages of inevitable adoption of ISO/IEC 27001 certification. Adoption.