5 stages of inevitability

5 stages of inevitability to accept ISO/IEC 27001 certification. Anger.

PUBLICATIONS \ 17.03.2020

The second stage of the emotional response to change is anger. For us, it corresponds to the stage of dealing with the difficulties of the initial preparation for certification, and that is what this part of the story is about.

We started the path to the certificate with the following initial data:

  • timeframes of certification: as soon as possible;
  • budget: the smaller the better (but with everything still being done properly);
  • team: 1.5-2 people (a Project Manager + periodically participating employees from the IT Department and management);
  • the team's knowledge of information security: nothing to speak of.

Doesn’t look very impressive, does it? We had no idea how many difficulties we would have to face in the course of our work and how many serious decisions we would have to make.

We do not know anything at all!

One of the main difficulties was that no one in our company had sufficient expertise in the area of information security. None of the employees had any professional certificates or relevant experience in implementing an information security management system. This was quite alarming: can we handle it? Maybe we need to receive some training first? Or do we need to hire a person who already has such experience (spoiler – there are very few of them on the market, since there are 70 valid certificates for the whole country)? Indeed, we can hire a consultant, but how can we assess his or her professional qualifications if we do not understand anything about it?

Looking ahead, we can say: even with such initial data, the problem was quite solvable. The main thing is that the team has logic, common sense, and a clear understanding of why the company needs certification.

Can we just “google” it?

We really did not have expertise, but in the age of modern technologies, we can access almost any information – for free or for a very cheap price. Therefore, at the outset of the project, we thought that we could easily find on the Internet all the information necessary to prepare successfully for certification, as well as easily download samples of all the necessary documents. 

In practice, it turned out quite differently:

First of all, we did not actually understand exactly what we needed to "google".

Secondly, everything we found that was freely accessible was very vague: there were no specifics and no real cases.

Thirdly, all the sample documents that we found on the Internet were completely irrelevant to our company. Even in English, there were almost no understandable step-by-step instructions or cases of companies that had successfully completed certification. Therefore, we had to find the path to the certificate on our own.

Which end of the tangle should we start from?

After an intensive search for information on the Internet, we realized that we should first decide on:

  • the certification authority;
  • a certification consultant (because we did not really have the expertise ourselves, we needed to find someone who already did);
  • the technological tools for developing and maintaining the system (in our forthcoming articles we will outline this important point in more detail).

The first two are the key counterparties for certification, and they should be chosen very carefully (which is precisely what we did). Therefore, the first thing we decided to focus on was holding two tenders to choose these key counterparties.

How to choose a certification authority?

Of course, the choice of certification authority depends on the reasons that prompted you to pursue certification in the first place. If you have read this far, it is likely that you need a certificate not just for the sake of appearance; otherwise you would have already used the services of companies that offer to issue a certificate within an hour for 10,000 rubles. Consequently, you should focus on certification authorities that have extensive international practice and are accredited in the countries you are interested in.

There are not many companies in Russia that are ready to certify you against the ISO 27001 standard; we selected about 10 worthy participants for the tender. The key selection criteria were:

  • the availability of international accreditations,
  • a portfolio of clients and recommendations from them, and
  • price.

Surprisingly, the prices quoted differed by almost a factor of 10! At the same time, some participants in the tender stated that they could only provide us with a foreign auditor. This automatically meant completing the certification audit in English. For us this was not a great problem, since all key employees are fluent, but for some companies it can definitely become one.

Later, we learnt that there are very few specialists in our country who can conduct a certification audit against this standard. Almost all of them work for several certification authorities and know each other.

How to choose a consultant to prepare for certification?

Today, there are quite a lot of companies offering services related to preparing for certification. However, not all of them can really help. Some of them simply send you policy templates into which you insert the name of your company, without delving into your business processes at all. Naturally, this approach will not get you through certification.

Conceptually, there are two approaches to the problem:

  • The consultant prepares all documents on a turnkey basis. This approach, of course, keeps the entire burden of preparing for certification off your employees. However, there is a risk that your processes and procedures will not be documented accurately.
  • The consultant reviews the documents prepared by your employees. The quality of the documentation is likely to be better here, since it is prepared by the employees who are familiar with the processes.

When preparing for certification, we followed the second approach. Based on our experience, we can give you some advice on choosing a consultant for certification:

  • Ask the certification authorities participating in your tender to recommend consulting companies; this is how we found our consultant;
  • Discuss in advance, and fix in the contract, the scope of work as well as the liability of each party;
  • Keep in regular contact with the consultant throughout the whole period of preparation for certification; this saves time and avoids having to restructure large pieces of documentation.

OK, but is everything all right now?

In the process of collecting the materials necessary to prepare for certification, we discovered some surprising things. For example, ISO 27001 is closely tied to several related standards, which should be read at least superficially.

For example, these are standards such as:

  • ISO 19011 – Guidelines for auditing management systems
  • ISO 22301 – Business continuity management systems
  • ISO 31000 – Risk management. Principles and guidelines
  • ISO 27003 – Security techniques. Information security management systems

The above list is fundamental but not comprehensive; every company forms its own list based on its needs. We chose not to "reinvent the wheel" and, for example, relied on ISO 31000 and ISO 19011 in matters of, respectively, risk management and the auditing of management systems. The auxiliary standard ISO 27003 helped us with its guidance on implementing 27001. But most of all we worked with ISO 22301, which is needed to describe the part of the policies responsible for the business continuity plan (BCP) (spoiler: if you refer to a specific standard in your policies, you must purchase the text of that standard and make it available).

The final touch was the lack of freely available up-to-date texts of these standards. If you want to familiarize yourself with the content, you have to buy the official text on the ISO website for around 10,000 rubles.

How much will it cost?

In preparation for the start of the project, naturally, we decided to calculate how much the certification would cost us.

Spoiler: for a company of 100 people with 3 offices, we spent approximately 1 million rubles (and this does not include the cost of employees' hours; we simply decided not to add up that terrible figure!).

In our case, the overall expense structure for certification looked like this:

  • the fee of the certification authority;
  • the consultant's fee for preparing for certification;
  • the auditor's travel expenses;
  • hospitality expenses;
  • expenses for labelling documents (all folders with documents, of which there are an incredible number in an accounting company, had to have stickers of different colours stuck on them);
  • expenses for purchasing the official texts of the standards;
  • expenses for equipping all premises located in the common areas of business centres with ACS (access control systems);
  • expenses for software (a DLP system, the implementation of two-factor authentication, etc.);
  • modernization of the company's hardware (both servers and "everyday" workstations);
  • additional expenses for the data processing centre(s);
  • staff hours of the employees involved in certification.

We strongly recommend that you include a margin in the budget, since it is extremely difficult to predict all the necessary expenses before starting the project.

So at the start of the certification project we went through a good deal of anger; fortunately, in the end we managed to cope with it. 🙂