Did you miss the live webinar with our CEO, Edwin Bartlett, as he discussed the journey to business security, and 10 simple steps to ISO 27001 certification? Good news - we saved the recording for you. You can also find the transcript in full below.
Good afternoon and welcome to the Hicomply webinar. Today, we'll be looking at how a business can start the journey towards information security, and in particular through the implementation of the ISO/IEC 27001 framework.
But before we get started, I'd like to introduce myself. I'm Ed Bartlett, the CEO and co-founder of Hicomply. And I'm delighted to see so many people here today, and look forward to the live Q&A after the presentation.
State of Cybersecurity
So maybe the first place to start is to look at where we are as an industry. And where cyber and information security has got to in the last year or two. It's fair to say cybersecurity is a space that relies on fear to create action, very much a big stick approach. There's always a guy in a hoodie, looking to steal your data, hack your business, there's always a threat of fines.
It’s also fair to say that we can't ignore information security - we need to do something about it. It’s very much the case that the risks associated with cyber are ever increasing, and the financial impact and damage that they might cause is ever increasing. The reputational damage of things going wrong is ever increasing. The legal frameworks and the governance frameworks that have been established are all focused on reducing and understanding cyber risks even further.
But there is a flip side. With a big stick approach, the opposite approach is always the carrot. And I'm going to take a little bit of a look, first, at the alternative angle, before we get into the ISO framework.
Advantages For Businesses
So the carrot - or the pogo stick in this case - what I'd like to really introduce here is the positive incentive for businesses to do something about information security. The first of these is, without doubt, the competitive advantage that this can give a business.
Probably 80% of the businesses that we talk to are focused on how they can acquire more customers through having a better security posture. And this comes out through questionnaires in tenders, qualification for RFPs. And it's very much a differentiator in a market where, with enterprise customers in particular, their needs are increasing in terms of cyber and information security, and they're passing that down to their supply chain. So, as a supply chain provider of a service or a product or a solution, it's where we can gain a competitive advantage.
Certainly in my own experience, thinking back to how my journey started towards Information security back in 2011, I was the co-founder of a business called Kykloud and my CTO and co founder of that business, Nick Graham, had implemented the security framework 27001 at a previous business. And we were planning on how we were going to grow the business, how we were going to scale that business. And this is back when we had probably no more than five staff.
We had a long conversation or debate about, at that stage, committing the time and resources to gaining security certification. I wasn't that convinced at the time, I have to say. It felt complicated, it felt time consuming. But we went ahead with that strategy. And the second customer that we were able to acquire after getting our business certified was a significant value customer, government, enterprise customer. That one contract was transformational for that business.
We were able to qualify for the government frameworks like the government G-Cloud framework. And it really opened my eyes to the competitive advantage that it was providing. And, at the time, this is back in 2012, 2013, 2014 even, it wasn't really seen as something that a young, particularly young technology business would even think about. So we saw the benefit. But we did also see the complications and the time and effort involved in achieving that certification.
And that's really where the idea for Hicomply was born. But it's not just about tenders, it's also about being able to access new markets, new sectors, new geographies where perhaps information security is more focused or more heavyweight in terms of what customers are looking for. But it can also improve customer retention, in that building that framework, that information security framework can mean that customers aren't exposed to breaches and problems, and ultimately customers will stay with you if they feel secure.
On top of this sort of sales and competitive side of things, we are increasingly seeing benefits come through what I call strategic business benefits. What we're talking about here is making your business more attractive to investors and improving your ability to raise capital and raise investment.
Certainly, we've seen that raising capital ourselves that your investors traditionally may have looked at your finances may have looked at your HR and your IP intellectual property. But maybe, in the past, didn't go as far as looking at the detail around information security, whereas investors today will ask those difficult questions. And if your IT platform, your systems, your processes aren't robust, it will be something that is exposed during a funding or an acquisition process.
We talked a little bit about risk already. But certainly, you know, really what we're talking about here is being able to demonstrate that you can secure your own business data, but also your customers’ data, and build that trust between yourself and your customers. Ultimately, that will reduce the likelihood of data breaches, fines. Protecting your own information assets, but also those of your customer. And feeding on from that, that strong culture of understanding around information security will ultimately give you a business that is more attractive to your employees, and also retaining staff.
I think it's become a real clear litmus test for employees looking at their business and seeing “how secure, how credible is the business that I work for, how seriously does this business take information security?” I think these things are without doubt on the agenda of people looking at opportunities and an ever increasing competitive environment where the best people are difficult to find, and hire and retain. These are things that we can that we can do to make a difference.
These aren't about the information security protocol itself or the framework. This is about how you embody that into your business, how you take it seriously, and ultimately, it becomes a measure of that seriousness and that posture that you display, both internally and externally as a business.
So, having said all that, how do you go about putting something in place? We would always, every time look to the gold standard in information security, which is achieving ISO 27001 certification.
It's the gold standard in many ways, because it's international in its reach. But secondly, it has embodied many developments up until the latest standard released in 2013. And in fact, a new version of the standard is due this year. We’ll touch on that later, probably in the Q&A.
But this standard is one that any business can get hold off. And any business can implement in a relatively cost-effective and reasonable timeframe if the right approach is taken. What I mean by that is understanding how you go about developing the framework.
10 Steps To Achieving ISO 27001 Certification
We have 10 steps, which we're going to talk through today, but really we're talking about, firstly, it's about getting the right people picking your squad in terms of the people who are going to drive this through your organisation, understanding what an information security management system is, and how it should be scoped to be relevant to your organisation because every business is different. Every organisation has different information security risks and opportunities.
So, once you've looked at the scope and how it's relevant, you move into a phase of developing your asset registers, identifying the information assets that your business owns and what you want to protect. You then move into doing risk assessment and risk treatment and risk remediation, which is a critical and probably the least understood part of the process. This is something that we've worked hard at simplifying and automating, and it's something we'll touch on later. And then the policies and procedures that the business wants to implement.
Under ISO 27001, there are mandatory policies and procedures. And there are additional policies and procedures that you might want to implement as a business. It's a case of building that policy and procedure framework. And again, that's something that we found, can be automated and streamlined significantly saving significant amounts of time and effort.
Step six, you're moving into the development of the statement of applicability in the statement of applicability is really where, against the controls within the ISO standard, you set out how those controls are applicable to the business and how they will be monitored over time. Once you've established that statement of applicability, you move into monitoring and preparation phase, preparing the business for the internal audit, which will typically something can be done with your own team, but by somebody who's got an independent perspective.
And then moving through into your learnings from the internal audit will steer you towards the final stage of the external audit. But, in between the internal audit and external audit, there's a need to monitor the business, collect the relevant evidence, so that when you come to that audit, you've got a clear and documented set of evidence, controls, documentation to demonstrate to a third party independent auditor that the business has implemented the standard and secondly, is taking seriously.
Ultimately, it's not just about implementing the standards. It's how you live and breathe a standard over time. So what we're going to do now is move into a brief overview of each of these steps and move forward through to a Q&A session afterwards.
Step One: Choose Your Squad
So taking the first stage of the framework, we're very much focused on people and picking the right squad. The standard is pretty specific in that, as a business, you should look to define the correct, sufficient resources to implement, maintain and improve the information security management system over time. The size of that team and the number of people will very much depend on the size of the organisation. Typically, the team structures are built along the lines of your existing business framework. So, your engineering team, customer services team, commercial team, etc.
A relatively small technology business would be able to manage this process with a couple of key members of the team supported by departmental heads as and when required. It really does depend on the size of the organisation. Another key thing to consider is that the standard isn't just about one or two people driving the process, it's also about getting in place whole business compliance. And by that we mean there is a requirement for a wide ranging group of people in the organisation to review documentation and demonstrate compliance against policies and procedures that you need to roll out across that business.
It's important that the ISMS can be accessed and available to potentially everybody in the organisation. That’s something that can be a real barrier when trying to do this in a traditional document-driven environment. It's also important to think about identifying your both your internal and your external auditors very early in the process. Certainly, external audit bodies can need a couple of months’ notice to be ready to come in and do those audits. It's something that we have seen in the past - organisations leaving that to the till too late in the process and then seeing delay when they're actually ready to go to audit. That's something that we can, we can support organisations with as well.
So, picking the right team, first step.
Step Two: Scope Your ISMS
Second step is all about the scope. The ISMS scope itself is where an organisation will determine the relevance and the scope of information security management system to be deployed. There's some fundamental minimum requirements of the scope, for example, identify internal and external issues, requirements of interested parties, dependencies, any interfaces, if you outsource key information services or services that mean your intellectual property or information assets are passed over between different organisations.
But fundamentally, it's about determining how the standard is relevant and where it's relevant. What you determine is relevant and in scope, ultimately, no matter where or how, or by whom this information is accessed, it becomes something that must be protected under the scope of the standard and through information security processes that you develop. It's fairly critical that the scope also takes account of latest legislation, which is a constantly-moving area to address. It’s something that we have automated in terms of giving our customers an easy, step-by-step, workflow-based approach to building the scope.
It's something that we find that organisations can do on their own without very specialist advice. And it’s something that often engenders interest, something that actually gets the whole team motivated. At that time, you would start to look at the planning and timelines and the process in terms of what your objectives are, in terms of when you want to achieve certification.
Step Three: Create Your Asset Register
The third step is about assets. Assets, by definition could mean many different things to many different people. In the context of an information security management system, it's about identifying assets that are relevant in terms of assets that hold information or intellectual property, or assets that have an impact on those assets. So, it can be a primary asset which might be data you hold on behalf of your customers. But you also have some physical assets such as access control systems and network control that have an impact on how those primary assets are protected.
The asset register process is well documented in the standard under annex A.8. And, critically, the asset management process is about first building an asset register and then determining ownership, responsibility, classifying the assets, addressing what assets are involved in, media handling, where those assets exist. And it's something that we've seen best tackled through a level of automation. So we’ve built libraries of the most typical assets found in different types of organisations, and streamlined the building of that asset register, which can be quite a time consuming process.
Most organisations hold an asset register in an Excel spreadsheet, but we find that it's much more effective to build that asset register in a linked way, so that the assets don't live on their own, they're actually linked to the risk register, they’re linked to policies and procedures, they linked into the scope of the ISMS itself.
Step Four: Undertake Risk Assessments and Risk Treatment
Once the asset register is built we're then looking at the risk assessment and risk treatment processes and individual tasks within an ISMS. Fundamentally, risk assessment is a must-do under an ISMS, particularly the ISO standard. The requirements are quite well documented, probably one of the most heavily documented areas within the standard, under clause 8.2, clause 8.3 and clause 6.1. The standard sets out a requirement for the risk assessment process itself – how you go about looking at an asset, what are the vulnerabilities, the threats and the actions associated with remediating those risks.
It's about the risk assessment that and the treatment of those risks, but also how to how you address those. And it's also critical that the process is fully documented. As you can see, in this example, on the screen, we've got an example of a risk register, where we have the risk profile before treatment and after treatment.
Using this five by five grid, you've got assets that are low impact, low probability, and those that are high impact, high probability. The idea is to move your reds through the risk treatment process, move your reds down to amber or green, if you can. If the risk is not something that can be moved - there are always risks that will remain red. It's about how you how you manage those risks, and how you how you put in place policies and procedures associated with that.
Step Five: Implement Mandatory Policies and Procedures
That takes us quite nicely on to that next phase, step five, where the policies and procedures are put in place to help the business manage and implement the ISMS. This is the ‘how to’ element of the standard. And it's very much about addressing the documented information required under an ISMS. But it's also about making it part of the business.
This is where, through evidence and the monitoring phase, a business will be expected to demonstrate that not only have you implemented a policy procedure, but that you're living by it and you're using it and it's been it's being implemented into your day to day business processes, which is really critical.
Under the standard, there are 15 mandatory policies and 13 mandatory procedures. So there are a minimum of 28 policy procedure documents on top of that there are additional record documents, associated records that will need to be collected.
Really critical here is the control and sign off process. An automated platform really comes into its own here. We’re talking about document management on quite a large scale, we're talking about information points, for example, that you've picked up in your scope, that needs to be cascaded through all of your policies and procedures. We’ve seen that by automating the library creation, but also the edits, updates and maintenance of policies and procedures is something that can easily see, save, and organise, saving an organisation £20,000-£30,000 a year in cost alone.
And also worth highlighting that the documentation is alive. There’ll also always be specific policies and procedures that that you may want to add. Our approach has been to give our customers a ready-made industry expert written set of documentation. We’ve found that a lot of documentation policy and procedures that you can buy off the shelf often require a lot of customisation, a lot of rewriting, and often are overly complex and not particularly well written.
So I think one flag here would be: whatever process or system you adopt, just take a look at a few of the policies and procedures and just look at how usable and readable they are, how easy they would be to implement in your organisation as a bit of a litmus test and a way of assessing the relevance of that approach to your organisation.
Step Six: Create Statement Of Applicability
And then we're looking at how we take on all the steps we've just been through. How do we make them applicable? This is really where we implement the statement of applicability (SoA). The statement of applicability is where you will implement the information security controls, set out under the Annex A of the standard. There are 114 controls. It's really the link between the risk assessment work you've done, and the treatment that you have said the business will apply.
So this is how you make the rest of the outcome of the risk assessment come to life, but it's also how you manage and control the applicability of the standard throughout the three year typical life cycle of achieving the standard and being recertified. This is something that'll be critical to the audit, and also critical to demonstrating to external auditors that that the standard has been properly implemented.
T6Our approach has been to give onboard guidance, a workflow that takes the user through each of the controls the objective of the control, determining whether it's applicable, but with guidance to help you understand what the objective of that control is – because if you don't understand the objective first, you wouldn't necessarily know if it was applicable. And also the justification and the description of any controls that you put in place.
Step Seven: Monitor And Prepare For Internal Audit
Ultimately, by implementing this SoA, there'll be a series of tasks and follow-on activities that will come out of the process, and that's really what is then monitored over time. It’s this phase of monitoring and preparation. It’s important to consider that, typically, we're talking here about a programme of work over a year as an end to end process.
Under the standard itself, there is a there is a procedure that you would develop that determines what tasks that you'll undertake, what weekly activities what monthly activities, what quarterly activities. For example, you will typically have an information security management forum to be conducted on a regular interval, typically on a monthly basis. You will be documenting the outcome from those forums, you'll be undertaking access control reviews, supply chain reviews, and in all cases, the results will be documented.
But it will be important to have a clear plan of what tasks are going to be implemented over the period that you're looking at. Again, these are things that will be implemented on the run up to internal audit, but they would then roll over to being the day-to-day management tasks going forward.
We often get asked by customers, “Okay, how much works involved after you've been certified in terms of maintenance of the standard versus the first year of activity?” It's fair to say that these ongoing tasks will repeat year two, year three. But it's important to think about how these can be efficiently managed. This is a critical part of our approach. It's looking to task manage out all of the steps of the process from day one, and manage those through use- friendly task engines, through Gantt charts, links to the diary, links to required reading all that sort of thing.
This is so that everybody in the organisation knows what they're going to be doing on a weekly, monthly, quarterly, biannual basis, and everybody's fully aware of their role and their responsibility in that process.
Step Eight: Undertake Your Internal Audit
Once that monitoring initial task phase has been implemented, we’re talking about step eight. We're talking about the internal audit. Under the standard, the requirements of the internal audit are set out under clause 9.2. Critically, they need to be conducted at planned intervals. We would automate the auditing schedule out in advance. It’s critical that they be objective and impartial, and the criteria of the scope would need to be determined beforehand.
So, based on the scope and the outcome of the statement of applicability, the audit scope would be determined. And our model is, in a very similar way to the SoA, to look at each stage of the audit giving clear, real time updates in terms of where the organisation is in terms of their status, what the objectives are. For example, looking at 8.2 information security risk assessment, what is the objective of that requirement? Under the standard, the control? What guidance are we giving to the management team, the organisation in terms of how they, how they respond to that?
Then it's a case of the findings and tasks being logged through that process. But by providing an organisation with a user friendly manner management tool, where they can set out the requirements of the audit and undertake the audit is a huge time saver. Ultimately, the outputs of that have to be presented to the external auditor as part of that final process. So the documentation and the collection of that is obviously timestamped. It's gathered over time. By going through that process, you're collecting the evidence that will be required at a later stage.
Step Nine: Monitor And Collect Evidence
And then we're looking at preparing for the external audit. In a similar way to the work prior to the internal audit, we're talking about looking at the findings of the internal audit and a remediation plan. So we're saying, “Okay, what did we find when we took that internal audit? What are the observations? Were there any non-conformances or any tasks that need to be undertaken?”
It's about building an action plan or remediation plan from the internal audit into a set of follow on tasks, and building those into any updates to any policies or procedures that were found lacking. It's about how the organisation manages all of the policies and procedures, various processes we've talked about already. How do they live and breathe those on an everyday basis?
This is where the management team needs to be part of this. I think often the process is maybe left to one or two people in the technology side of the business, or the information security team, but it's critical at this stage that everybody understands where the business is. We’ve got to know the outcomes of that internal audit that's been undertaken, and what actions need to be undertaken to get the business ready for that very final stage in the process.
Everything needs to be documented. You can see here we've got a visual of our attached schedule - each of the different colours represents tasks under each of the different strands. And it's not unusual to have a Kanban like this with various tasks and procedures in place, but critical thing is that it can be monitored. It's giving you everything you need in one place, getting everybody up to speed and keeping everybody aware of what they need to do.
Step Ten: Undertake Your External Audit
And then we're talking about the audit. Ultimately this is critical in that it decides on the outcome of whether or not you achieve certification. If all the previous steps we've talked through the nine steps have been undertaken and organised, often the audit isn't the most difficult part of the process. It should be a case of an organisation demonstrating that they are operating their information security management system and the evidence is in place to demonstrate that.
For the initial certification all it takes is a two stage audit process. Once an organisation is certified, there are surveillance audits which happen typically on a 12 month cycle thereafter, with a recertification audit happening every three years. One thing to bear in mind here is when you're looking at your providers of external audits, certainly in the UK, the process itself is very similar to the internal audit, but it has to be carried out by an independent certification body.
Certainly in the UK, we would always recommend using a UKAS-accredited certification body. UKAS itself sits under the IAF, which is the global umbrella accreditation body. There are a number of certification bodies that you could approach and we have relationships and worked with many, certainly through our own certification, but also through working with customers. It’s important to, to work with credible organisations. I think it's important to have those conversations early in your in your lifecycle of, of your ISMS implementation.
One key thing that is not well known in the industry is that, since mid-2020, the IAF has said that digital or fully remote audits are now wholly acceptable. It used to be the case that audits had to be physical in nature, somebody had to physically visit your business, attend meetings at your organisation with key people in the same room, reviewing files and documentation. This change really came about off the back of the COVID pandemic. But also, I think, would have probably moved forward in any event due to digitalisation of processes in businesses and remote operation of many, particularly technology businesses.
When we undertook our audits, we worked with Lloyd's Register for ours. They undertook all of the work they needed to do through remote meetings and remote access through the Hicomply platform. The auditor was given audit user privileges, which limited what they could do in the platform, but a gave them access to the information they needed.
They don't typically download information or need to pull information off, they just need to be able to view, see evidence and see processes and tasks, policies, procedures, and the like are all in place and have been implemented in the organisation.
Achieving ISO 27001 Certification Doesn't Have To Be Difficult
So that takes us through to step 10. There are going to be more steps and stages for more complex implementations. And just highlighting that if you want to follow up on any of the things we talked about today, we've got some great free resources on our website, which you can take a look at hicomply.com. I will finish by saying thank you, and thank you for attending. Thank you for listening today. And I look forward to your questions. I'd be delighted to work with anybody, follow up on any points.
I'm just going to finish with this - our vision. We see a world where all businesses can and should be able to secure their data. An environment or a world where businesses are not excluded from markets or geographies due to a lack of customer trust. Ultimately, if we can build that trust between customers and providers, technology, whatever that might be, we will all be in a more safe and secure business environment.
So thank you, and let's hand it over for questions. Thank you very much.