When a company faces a major strategic change, the people involved tend to go through a well-known emotional sequence: the five stages described by the psychiatrist Elisabeth Kübler-Ross, originally as a model of grief and since then widely applied to how people respond to change. The stages are denial, anger, bargaining, depression and, finally, acceptance. We have prepared a series of articles on ISO/IEC 27001 certification in which we look at each of these stages in turn. Today we talk about the first of them: denial.
Obtaining an ISO/IEC 27001 certificate “just for the sake of appearance” is a dubious pleasure, because the preparation it requires is long and expensive. Moreover, as the statistics show, the standard is still very uncommon in the Russian Federation: at the time of writing, only about 70 companies have completed certification. Abroad, by contrast, it is one of the most widely adopted standards addressing the growing information security requirements that businesses place on one another.
Our company provides the full range of accounting outsourcing services: cost and tax accounting, payroll and HR administration. We hold a leading position in the market, in particular because foreign companies with divisions in Russia trust us with their confidential information. This covers not only our clients’ financial processes but also personal data, which we handle on a daily basis. Information security is therefore one of our priorities.
Often, all business processes of the Russian divisions are controlled and reported by the head offices of foreign companies, and so they must comply with group-wide internal standards. Today, requirements on a supplier’s information security have started to appear in the tenders of foreign customers. To simplify verification and unify their approach, some customers set a mandatory evaluation criterion: the presence of ISO/IEC 27001 certification.
Recently, some of our key clients have started to review their security policies with a view to tightening them. This is certainly a response to the worldwide increase in the number of cyber-attacks and in the losses associated with information security incidents.
And here is the denial argument: when there is a need to implement security controls, policies and procedures that strengthen a company’s information security, it is perfectly possible to do so without ISO/IEC 27001 certification, and therefore to save a lot of money, time and anxiety.
We faced this ourselves: one of our key international clients, itself certified to this standard, appears to have significantly strengthened its global information security team. How did we find out? They decided to audit our information security management system, because we provide them with accounting and HR administration services, and consequently the security of our information systems is of critical importance to them. The previous audit had taken place 3 years earlier, and at that time everything was quite painless.
This time we were descended upon by a well-coordinated team of auditors based in India, who deftly identified several dozen defects in our security management system. The audit process was like the wheel of Samsara: it seemed to have no final point to reach within the scope of the inspection. It was an endless track of questions, notes, our comments and the evidence that they were true, conference calls, and lengthy philosophical conversations as we struggled to follow the client’s IT security team over the phone. By the way, the audit continues to this day with varying intensity; over time, we have come to terms with it. So the need for certification ripened of its own accord.
Almost everyone who is more or less versed in ISO certification assumes that the foundation for each of the standards is the ISO 9001 certificate, “Quality management systems”. It is probably the most popular certificate in the entire range of ISO standards. Strictly speaking, ISO/IEC 27001 does not require a 9001 certificate; the two standards share a common management-system structure, but they can be implemented independently. We did not have 9001, and we decided not to obtain it. There were several reasons for this:
– we doubted the economic effectiveness of the company having the certificate;
– our internal processes were, for the most part, already close to the requirements of this standard;
– obtaining this certificate would have required additional time and money.
Consequently, we decided to implement ISO/IEC 27001 directly, rather than starting with the “easier” 9001.
Looking ahead, we have returned many times to the question of whether obtaining the certificate is worthwhile. We started to study the issue from all sides, because we had absolutely no expertise in it. Here are the misconceptions that made us reconsider the question again and again.
Misconception No. 1.
We hoped that the standard would provide us with a detailed checklist, a list of policies and ready-made statutory documents. In fact, ISO/IEC 27001 is a set of requirements for the information security management system itself and for the organizational process around it. Its Annex A does list reference controls, but it does not say how to implement them and contains no policy texts. Based on the requirements, we had to decide for ourselves what to write and what to implement in our company in order to meet the standard.
Misconception No. 2.
We truly believed that it would be enough to study one document and implement it on our own within a fairly short timeframe. In practice, once we started reading it, we realized how many related standards our standard touches upon (ISO/IEC 27002, with its implementation guidance for the controls, being the most obvious one) and how many of them we needed to become familiar with, at least superficially. The final flourish was that the current texts of the standards were not openly accessible: they had to be purchased from the official ISO website.
Misconception No. 3.
We were sure that we would find everything we needed to prepare for certification in public sources. There is in fact a great deal of material on ISO 27001 on the Internet, but very little of it is specific. There were almost no understandable step-by-step instructions for preparing for certification, and no real cases of companies that had implemented the standard.
Misconception No. 4.
We will write policies, and they will not work! After all, our company already has too many rules, so nobody will observe another three dozen new policies. Fortunately, our actual experience was different: our employees took the task of learning the new rules seriously and successfully passed the test on their knowledge of the information security management system documents.
Misconception No. 5.
At that time, we could not clearly assess what benefits we would obtain from the labour we were investing. The number of requests for us to hold this certificate was not yet large, and we had acquired our key and especially demanding client long before certification. Experience seemed to show that we managed fine without a standard.
At some point, however, we realized that we were closing one gap after another in an ad hoc manner, each time in response to a particular client requirement, and each time inventing new policies or solutions. We finally concluded that it would be much easier to systematize the process, which would also save a great deal of effort in the future. The standard was designed for exactly this task.
Now, two years later, we see a growing number of requests on this subject and heightened interest in it from major international clients.
In conclusion, we would like to note that the leaders of our industry have obtained the ISO/IEC 27001 certificate, which made all the other large providers (including us) think about the question. Undoubtedly, it is a nice bonus to be able to include a beautiful line in the company’s marketing materials (on the website, on social networks, in advertising brochures, and so on), but is it worth expending so many resources for that alone? We decided that, for us, it is more than just a beautiful line in our marketing materials, and we took on the project.