Almost every IT company has data security as the cornerstone of its business and will do whatever it takes to handle data with care. The new GDPR, which came to life last May, has put data security on a lot of agendas around the world. However, lots of companies still haven’t formalized their processes and depend on the individual developer working on the project and his or her skills. ISO 27001 can really help companies take this step to the next level.
Setting the Scope
The scope is one of the first subjects that are defined when companies start to create their ISMS. The scope is a key component because it sets the boundaries of the Management System. Therefore, it is crucial to clearly define which parts of the organisation are covered by the ISMS and which aren’t. However, be honest with yourself and don’t “trick” the system. It is always possible to state a very narrow scope and claim that the company is certified. This actually happens more often than you would think.
The ISO 27001 certification is a great way to formalize the internal processes. The requirements force you to think about all kinds of actions you have to take in order to secure your customers’ data. Being a startup ourselves, this is the main reason why we started the process of becoming compliant with this standard. It allowed us to create a concise way of working among the team and to have this assessed by an external party on a yearly basis. Especially when you start to grow, this structure can give quite a lot of guidance. Furthermore, the internal audits give room for checks and balances to improve the system.
The structure also makes you less dependent on certain people and their mindset. However, it is important that the processes are not too rigid and that people don’t start to feel like machines. They need to have enough room to make their own decisions. This is quite a tricky balance, but it is important to get it right.
Structure the Data
Running an ISMS generates lots of data, and this information is needed to stay compliant with the standard. It is crucial to structure all the information. Of course, we use our own platform to structure the ISMS. All the processes, audits, NCRs (non-conformity reports), actions, risks and other registers are combined on the platform. This allows us to directly see our compliance status and where we need to take action. Furthermore, we can immediately see which actions we can take to run the company more efficiently.
A Big Shortcoming of the Standard
As an IT company that moves quite a large amount of data for its customers, we do find the standard a great way to bring structure to the process. However, when it comes to data security there are some flaws in it, if you ask us. The standard doesn’t say anything about Penetration Testing. You are required to have some kind of testing mechanism, but that can be just a unit test. Penetration Testing is crucial for finding security flaws. Developers and Ops aren’t always able to identify all the bugs and/or wrong settings, and that is why external white hat hackers are so important for finding these security flaws. Yes, the lack of a Penetration Testing requirement makes the standard more broadly applicable, but it also makes it less secure.
ISO 27001 can help bring the company to the next level from a data protection point of view. The structure it gives and the awareness it creates with respect to data protection help to keep this topic at the top of everybody’s mind. At the same time, structuring all the data is crucial to running a smooth and value-adding ISMS.
Despite all the advantages, never ever get certified for the wrong reasons, because you will end up with a lot of work that doesn’t seem to add much value. Only go for certification if it brings your company to the next level.