Get your ISO 27001 certificate and live to tell the tale

29.10.2024

5 mins read

We’ve just got our ISO 27001 certificate. Wipes brow

Was it worth the trauma? In hindsight, yes. Getting ISO 27001 certified shows we’re serious about keeping our clients’ data safe.

The process was a headache. Don’t let that put you off implementing ISO 27001, however. It really might be worth it. Understanding our experience should make you better prepared.

If it leaves you more confused, sorry. Maybe give us a call?

How useful is ISO 27001?

It’s useful. Up to a point. Trying to standardise security for EVERY business has its limitations.

Whether we can prove we never turned off the standard browser or web filters, and whether that makes anything we do more secure, is still up for debate.

But honestly, having set processes to check how we actually deliver our work makes daily life a lot easier. Everyone knows what to expect, and that’s a huge relief. And it turns out it actually makes things more secure!

The price tag

How much does ISO 27001 certification cost? You’ve got fees for the certification body, potentially consultant fees and the expense of dedicating your team to the project.

After certification, you need to maintain and continually improve your Information Security Management System (ISMS).

That’s regular internal audits, annual surveillance audits from the certification body (plus a full recertification audit every three years) and tweaks to your ISO 27001 controls. We might just start a certification body next!

It should be worth it in the end. If you can’t justify the expense with added value in your client delivery, it’s probably not right for your organisation.

The time sink

It took 6 months to get us certified. Felt like years during certain periods.

If you’re a larger organisation, expect it to take a year (or more). Getting your ISO 27001 certificate is much easier when the team is smaller. That lets the ISMS grow with the organisation and slot easily into everyday work.

For a large team spread out over several offices? Changing how everyone works would be a nightmare. That’s probably why these projects often drag for years. Not for the faint of heart!

We should probably mention ISO 27001 controls

Encryption. Incident management. Communications security. Compliance. The idea is that you choose which of these so-called “controls” apply to your organisation. The catch is that the standard expects you to consider every control in Annex A and to justify, in your Statement of Applicability, any you leave out.

We left out some ISO 27001 controls we thought weren’t needed, but the auditors told us we had to include them anyway.

This caused some heated discussions… it sometimes felt like we were just ticking boxes without any actual impact on our security. But hey, nothing’s perfect, so we ticked the boxes and moved on!

Avoid this one mistake

Don’t ever question the definition of “vulnerability”, trust us.

The biggest issue to start with, though, was that we didn’t understand how the Statement of Applicability (SoA) fits with the risk register. The SoA is a document that lists every control, states whether it applies to us, and explains why we included it (or why we excluded it).

Turns out, it’s important. It shows how we address the specific risks we identified. Starting from a risk and working out which controls treat it makes total sense. Take “physical security” – the risk here is that an employee loses their laptop. What impact does that have? What do we do about it? Panic?

In the end, you’ve got a robust plan to mitigate all these risks. We got confused about how to connect this with our risk assessments. It was awkward.

Properly linking these two helps make sure that all our security measures are justified and effective.
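One way to make that link checkable, as an added example that is not part of the original article and does not describe the author’s actual ISMS: a short Python script that cross-references a risk register with an SoA and flags the mismatches that cause trouble at audit time. Every risk, control ID, control name and justification in it is constructed sample data (the IDs follow ISO 27001:2022 Annex A numbering, but verify names and numbers against your own copy of the standard).

```python
"""Cross-check a Statement of Applicability (SoA) against a risk register.

Added example for the article; not code from the original post and not a
description of the author's ISMS. All risks, control IDs, names and
justifications below are constructed sample data (IDs follow the
ISO 27001:2022 Annex A numbering; verify them against your own copy).
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    description: str
    treating_controls: list = field(default_factory=list)  # SoA control IDs


@dataclass
class SoaEntry:
    control_id: str
    name: str
    applicable: bool
    justification: str = ""  # why included, or why excluded


# Constructed sample risk register.
RISK_REGISTER = [
    Risk("R-01", "Employee loses a laptop holding client data",
         ["A.7.9", "A.8.1", "A.8.24"]),
    Risk("R-02", "Security incident goes unnoticed or unhandled",
         ["A.5.24", "A.6.8", "A.8.16"]),                      # A.8.16 is missing from the SoA
    Risk("R-03", "Backup media lost in transit", ["A.7.10"]),  # A.7.10 is excluded below
    Risk("R-04", "Contractor keeps client data after the engagement"),  # no treatment yet
]

# Constructed sample SoA (a real one lists every Annex A control).
SOA = [
    SoaEntry("A.7.9", "Security of assets off-premises", True, "Remote laptops; treats R-01"),
    SoaEntry("A.8.1", "User endpoint devices", True, "Laptops are the main endpoint; treats R-01"),
    SoaEntry("A.8.24", "Use of cryptography", True, "Full-disk encryption on laptops; treats R-01"),
    SoaEntry("A.5.24", "Information security incident management planning and preparation",
             True, "Treats R-02"),
    SoaEntry("A.6.8", "Information security event reporting", True, "Treats R-02"),
    SoaEntry("A.7.10", "Storage media", False, "No removable media in use"),
    SoaEntry("A.7.4", "Physical security monitoring", False, ""),  # excluded, no reason given
    SoaEntry("A.7.1", "Physical security perimeters", True, ""),   # included, no reason, no risk
    SoaEntry("A.5.7", "Threat intelligence", True, "Auditor asked for it"),  # passes mechanically
]


def check_soa(risks, soa):
    """Return the mismatches between risk register and SoA, keyed by type."""
    soa_by_id = {e.control_id: e for e in soa}
    referenced = {}  # control_id -> risk IDs that rely on it
    for r in risks:
        for c in r.treating_controls:
            referenced.setdefault(c, []).append(r.risk_id)

    findings = {
        "untreated_risks": [],         # risk with no treating control at all
        "unknown_controls": [],        # (risk, control): control absent from the SoA
        "excluded_but_needed": [],     # (risk, control): control marked not applicable
        "unjustified_controls": [],    # applicable control with no risk and no justification
        "unjustified_exclusions": [],  # excluded control with no reason given
    }
    for r in risks:
        if not r.treating_controls:
            findings["untreated_risks"].append(r.risk_id)
        for c in r.treating_controls:
            entry = soa_by_id.get(c)
            if entry is None:
                findings["unknown_controls"].append((r.risk_id, c))
            elif not entry.applicable:
                findings["excluded_but_needed"].append((r.risk_id, c))
    for e in soa:
        if e.applicable and e.control_id not in referenced and not e.justification.strip():
            findings["unjustified_controls"].append(e.control_id)
        if not e.applicable and not e.justification.strip():
            findings["unjustified_exclusions"].append(e.control_id)
    return findings


def is_consistent(findings):
    """True only when every finding category is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    result = check_soa(RISK_REGISTER, SOA)
    for kind, items in result.items():
        if items:
            print(f"{kind}: {items}")
    print("consistent" if is_consistent(result)
          else "fix the SoA or the register before the audit")
```

Run against the sample data it reports an untreated risk (R-04), a risk that points at a control the SoA never lists (A.8.16), a risk treated by a control marked not applicable (A.7.10), an included control with neither a risk nor a reason (A.7.1), and an exclusion with no reason (A.7.4). Note what it does not catch: “Auditor asked for it” passes the mechanical check. The script finds structural gaps; whether a justification is a real one is still a judgement call.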

We’re alive and certifiably secure

Getting our ISO 27001 certificate has been tedious. It made proof-reading this article one of our favourite items on the to-do list.

But we did it, and we believe it was worth it because, like we said before, the investment is justified if it actually makes your services better.

Just remember, it needs more commitment than a gym membership in January.

Want to chat about it? Message us.