We initially wanted to obtain ISO 27001 so we could claim certification in tenders and project bids. Having successfully completed the process, we have found it to be a thoroughly useful exercise, questioning areas in our organisation that we hadn’t previously considered.
What does the ISO 27001 certification mean?
Having ISO 27001 certification means that Zengenti has audited and assessed all of its procedures, processes, and systems in relation to information security, and that we will continue to do so as the landscape changes. It is no longer an exercise in ticking boxes – it has become part of our core processes. It influences everything we do – from hiring new team members to deploying servers.
For example, what happens if someone walks past a window to one of our offices and photographs something that one of our developers has on screen? As I write this post on my laptop, while travelling on the train, I am glad that we have put in place some procedures for working on a laptop in a public place. It is so easy to leak information through a screen – something I hadn’t considered in detail before we went through the process.
What does certification involve?
When you run through the processes for ISO 27001, you are forced to look at everything you do from a slightly different angle, exposing weaknesses you’d never dreamt of.
I think we were in a pretty good position before we started; nonetheless, it has probably taken 50-60 man-days of time to get officially certified, just taking into account documentation and meetings. This doesn't include the time it has taken to actually make changes. It will take a couple of days a week, spread across a number of people, to stay on top of changes and improvements to ensure we stay in the right place. We also decided to enlist the help of an external consultant who had worked with us previously on the ISO 9001 standard.
There is nothing exceptionally difficult; it’s just very detailed. You may even need to make major changes, which means you are going to need commitment from the top of your organisation and be open to change.
Changes we have made include migrating services to two new data centres as our existing suppliers were not certified. This was costly, probably totalling 6 man-months of work to date.
If someone says they are ISO 27001 certified, it is important to ask what the scope is – they could have just certified their accounts department, but not the rest of the business. This may well be common in very large organisations. We certified everything we do.
Is it worthwhile to gain certification?
We entered into the certification process thinking that nothing would change, but it has, and for the better. In a highly technical business, it’s easy to say that we understand a particular process intimately, particularly when we have senior people who are highly technical. We were surprised by how many small details are so easy to miss but vitally important.
From our point of view, we feel it was very worthwhile and a great investment for the future. We achieved certification in just over 6 months.
We are thinking about looking at IL2/3 so we can host for certain police and central and local government organisations. However, this looks like a lot of work – and possibly a backward step in terms of certain technologies. We like to be on the cutting edge. We’re led to believe that for IL2/3 accreditation we would have to run VMware ESXi 4, which is ancient now. We will only consider it if we can keep up the same high level of service and resilience.
If anyone wants to discuss the process, drop me a line. We’re always happy to offer any advice where we can.