Discussion
Do you look more positively on a company if you're considering a significant B2B purchase and the supplier has an ISO27001 information security certification (or require this)?
We've recently got this and it feels to me like the process to has been time consuming and resulted in writing lots of documentation. However, no concrete changes have been made (either process or technology) that make any (currently not very secure in some cases) systems more secure.
We've recently got this and it feels to me like the process to has been time consuming and resulted in writing lots of documentation. However, no concrete changes have been made (either process or technology) that make any (currently not very secure in some cases) systems more secure.
The conversation went thusly.
US: Hello Mr Customer, thanks for that job you have just given us. As per our previous discussions around ISO27001 I am delighted to tell you that we have just achieved certification against the standard, I can send you a copy of the cert if you like or it is now on our website under news.
Customer : Fabulous, can you quote on this work that I couldn't talk to you about before because you didn't have that?
It should be noted that I had tried for about 5-6 years to get board approval to spend the money on getting audited and had implemented the standard as it was at the time so there were no big changes in our security profile or processes. As part of our implementation processes there were some changes to documentation and a few policy tweaks but all small beer really.
We spent about £100k over 6 months in getting accredited for the whole business which included multiple sites.
I know I make it sound simple but it almost was as easy as that, this was probably 10-15 years ago though and the customer was a bank that wanted us to do some processing of their data for print campaigns.
US: Hello Mr Customer, thanks for that job you have just given us. As per our previous discussions around ISO27001 I am delighted to tell you that we have just achieved certification against the standard, I can send you a copy of the cert if you like or it is now on our website under news.
Customer : Fabulous, can you quote on this work that I couldn't talk to you about before because you didn't have that?
It should be noted that I had tried for about 5-6 years to get board approval to spend the money on getting audited and had implemented the standard as it was at the time so there were no big changes in our security profile or processes. As part of our implementation processes there were some changes to documentation and a few policy tweaks but all small beer really.
We spent about £100k over 6 months in getting accredited for the whole business which included multiple sites.
I know I make it sound simple but it almost was as easy as that, this was probably 10-15 years ago though and the customer was a bank that wanted us to do some processing of their data for print campaigns.
having worked with a lot of banks and their data I could tell you some stories about how they managed data and their approach to security when it suited them!
But in this instance they had been pushing for us to get accredited, it was on the vague promise of that work i got the approval. Having said that there was a bit of a rush on of new jobs and new customers having got the accreditation from other customers too.
But in this instance they had been pushing for us to get accredited, it was on the vague promise of that work i got the approval. Having said that there was a bit of a rush on of new jobs and new customers having got the accreditation from other customers too.
purplepolarbear said:
Do you look more positively on a company if you're considering a significant B2B purchase and the supplier has an ISO27001 information security certification (or require this)?
We've recently got this and it feels to me like the process to has been time consuming and resulted in writing lots of documentation. However, no concrete changes have been made (either process or technology) that make any (currently not very secure in some cases) systems more secure.
From the outside I would say yes, but as you have found a lot of this is a tick box exercise, sometimes cumbersome to provide evidence and sometimes you can be pretty vague and still get the accreditation.We've recently got this and it feels to me like the process to has been time consuming and resulted in writing lots of documentation. However, no concrete changes have been made (either process or technology) that make any (currently not very secure in some cases) systems more secure.
I've been involved in delivering ISO27001 and also working with 3rd parties who haven't had accreditation, but because we wanted to work with them we've ended up helping them do the bare minimum to get there. It's good, but as you have found it's not perfect.
I always used to say that 27001 was the easiest accreditation to get because all you have to do is do what you say you do, it doesn't matter how risky that may be - no controls on the firewall - no problem, our risk assessment methodology has been followed and it has been signed off by the board as acceptable and so on and so forth.
Auditors may not like it but according to the standard that is fine (or at least it used to be, it's been a while since i did one!)
Auditors may not like it but according to the standard that is fine (or at least it used to be, it's been a while since i did one!)
There are more and more companies requiring ISO27001 as an easy way to tick a box when assessing suppliers. It can be time consuming, but the process does bring genuine benefits to the business and at the very makes you question your current processes and policies. I think it will only become more important as time goes on as a prerequisite for tendering, and it will always give some leverage over those organisations that don't have ISO 27001.
We probably wouldn't have half the business we do without ISO27001.
We probably wouldn't have half the business we do without ISO27001.
There's ticking the boxes and there's embedding it in your culture.
You can buy an ISO kit for £600 or something stupid off various vendors where you can more or less do a Search & Replace and pop your company name in and you've got all the policies and stuff you need to do ready to go.
The hard part is getting your staff to give a st and actually doing it.
You can buy an ISO kit for £600 or something stupid off various vendors where you can more or less do a Search & Replace and pop your company name in and you've got all the policies and stuff you need to do ready to go.
The hard part is getting your staff to give a st and actually doing it.
bhstewie said:
There's ticking the boxes and there's embedding it in your culture.
You can buy an ISO kit for £600 or something stupid off various vendors where you can more or less do a Search & Replace and pop your company name in and you've got all the policies and stuff you need to do ready to go.
The hard part is getting your staff to give a st and actually doing it.
Which is the problem.. you may "get it" initially based on your shiny new policies.. but if its not embedded in how you operate, you will then lose it when it comes up for audit.You can buy an ISO kit for £600 or something stupid off various vendors where you can more or less do a Search & Replace and pop your company name in and you've got all the policies and stuff you need to do ready to go.
The hard part is getting your staff to give a st and actually doing it.
And in truth, the real benefit to you asxa business is in thinking what do each of the controls mean in terms of your business, and operations, and what is appropriate and proportionate, and making an informed risk based judgment on it, and doing it.
So you need to do it in a manner which is sustainable for you.
All easy words to type and say i know
Does anyone have any experience with how "minimal" can you make 27001? - i.e. how far can you go in saying you tolerate the risk in an area that you're not comfortable being audited against and hence only have a few vague controls that don't really ensure you've "good security" but can easily be audited.
I think we have some confusion between senior management who think it's an easy to obtain marketing tool and IT who think we need to implement a list of best practices in all the areas (and need to do some significant work to beef up a lot of these) and we need to be a bit more clear about what we want this for. My thoughts are to get the certification as simply as we can and then identify risks we want to treat, treat them and gradually strengthen the policies once we've got this.
I think we have some confusion between senior management who think it's an easy to obtain marketing tool and IT who think we need to implement a list of best practices in all the areas (and need to do some significant work to beef up a lot of these) and we need to be a bit more clear about what we want this for. My thoughts are to get the certification as simply as we can and then identify risks we want to treat, treat them and gradually strengthen the policies once we've got this.
simon_harris said:
I always used to say that 27001 was the easiest accreditation to get because all you have to do is do what you say you do, it doesn't matter how risky that may be - no controls on the firewall - no problem, our risk assessment methodology has been followed and it has been signed off by the board as acceptable and so on and so forth.
Auditors may not like it but according to the standard that is fine (or at least it used to be, it's been a while since i did one!)
That's always been so with ISO. I took a company through ISO9001 about 30 years ago, and the advice was "If you put it in your manual, you have to do it. If you don't, you don't."Auditors may not like it but according to the standard that is fine (or at least it used to be, it's been a while since i did one!)
"Say what you do, do what you say".
It really is that simple.
Document your procedures, follow the documented procedures. Ensure that when you're documenting your procedures they include steps that produce an adequate audit trail that shows the procedures have been followed. If you don't do it, don't include it in the documentation.
It really is that simple.
Document your procedures, follow the documented procedures. Ensure that when you're documenting your procedures they include steps that produce an adequate audit trail that shows the procedures have been followed. If you don't do it, don't include it in the documentation.
We looked into this in a slightly different way. We are in the IT industry and we need to differentiate ourselves from smaller companies.
Our target customers are also larger and this I think helps us connect to the right size client.
It didnt really change how we did things internally as we already had good processes in place.
One other reason we did it is that two of our larger clients deal with the MOD. As a supplier to our client, it helped them if we had it.
Our target customers are also larger and this I think helps us connect to the right size client.
It didnt really change how we did things internally as we already had good processes in place.
One other reason we did it is that two of our larger clients deal with the MOD. As a supplier to our client, it helped them if we had it.
purplepolarbear said:
Does anyone have any experience with how "minimal" can you make 27001? - i.e. how far can you go in saying you tolerate the risk in an area that you're not comfortable being audited against and hence only have a few vague controls that don't really ensure you've "good security" but can easily be audited.
I think we have some confusion between senior management who think it's an easy to obtain marketing tool and IT who think we need to implement a list of best practices in all the areas (and need to do some significant work to beef up a lot of these) and we need to be a bit more clear about what we want this for. My thoughts are to get the certification as simply as we can and then identify risks we want to treat, treat them and gradually strengthen the policies once we've got this.
ISO27001 Lead Auditor here .I think we have some confusion between senior management who think it's an easy to obtain marketing tool and IT who think we need to implement a list of best practices in all the areas (and need to do some significant work to beef up a lot of these) and we need to be a bit more clear about what we want this for. My thoughts are to get the certification as simply as we can and then identify risks we want to treat, treat them and gradually strengthen the policies once we've got this.
1) You need senior management buy in. You'll get quizzed on resources, support, why you do it and how embedded information security awareness is in the business. We can tell pretty quickly whether a company wants it for the certification or actually takes it seriously as a best practice framework.
2) It's a risk based standard. You don't write a bunch of policies and procedures, get them ticked off and then come up with a risk register and continual improvement plan. That's a bit arse about face.
Its about Information Security. Identify what you want to keep secure from data loss or hacking. Figure out what the threats are then the risks, prioritise, apply controls to minimise those risks and then reassess what the new risks is.
Come up with an improvement plan to further reduce any high risks.
3) Technically you could have an absolutely minimal set of controls and just accept every risk. One of my colleagues thought of a fictional scenario where he could do just that.
I was taught that every risk needs a control and every control needs a risk or why would you implement it? There isn't a one to one mapping.
4) You can use numerous online tools with templates where you just do a find and replace on <your company name>. They stick out a mile and tend to make everything overly complicated because they have to initially be a one size fits all solution. I can't think of any good ones off hand but they are useful for identifying assets and risks.
5) Not all certification bodies were created equal, and neither are auditors. If they aren't accredited to UKAS they aren't worth their fee.
I find that a lot of companies do it purely for commercial reasons and, after a couple of years, start to get enthusiastic about the way they are held to account and use ISO as a frame work for continual improvement, which is where the certifications score over NIST or Cyber Essentials.
If you want to message me I can give you the names of a couple of consultants I hold in high regard.
CoupeKid said:
ISO27001 Lead Auditor here .
1) You need senior management buy in. You'll get quizzed on resources, support, why you do it and how embedded information security awareness is in the business. We can tell pretty quickly whether a company wants it for the certification or actually takes it seriously as a best practice framework.
2) It's a risk based standard. You don't write a bunch of policies and procedures, get them ticked off and then come up with a risk register and continual improvement plan. That's a bit arse about face.
Its about Information Security. Identify what you want to keep secure from data loss or hacking. Figure out what the threats are then the risks, prioritise, apply controls to minimise those risks and then reassess what the new risks is.
Come up with an improvement plan to further reduce any high risks.
3) Technically you could have an absolutely minimal set of controls and just accept every risk. One of my colleagues thought of a fictional scenario where he could do just that.
I was taught that every risk needs a control and every control needs a risk or why would you implement it? There isn't a one to one mapping.
4) You can use numerous online tools with templates where you just do a find and replace on <your company name>. They stick out a mile and tend to make everything overly complicated because they have to initially be a one size fits all solution. I can't think of any good ones off hand but they are useful for identifying assets and risks.
5) Not all certification bodies were created equal, and neither are auditors. If they aren't accredited to UKAS they aren't worth their fee.
I find that a lot of companies do it purely for commercial reasons and, after a couple of years, start to get enthusiastic about the way they are held to account and use ISO as a frame work for continual improvement, which is where the certifications score over NIST or Cyber Essentials.
If you want to message me I can give you the names of a couple of consultants I hold in high regard.
Apologies to OP for jumping on to this, but CoupeKid could I please pick your brains on this, I tried to send you an email but it says you are not accepting emails. Perhaps you could message me if you are willing to let me ask a few questions. Many thanks in advance.1) You need senior management buy in. You'll get quizzed on resources, support, why you do it and how embedded information security awareness is in the business. We can tell pretty quickly whether a company wants it for the certification or actually takes it seriously as a best practice framework.
2) It's a risk based standard. You don't write a bunch of policies and procedures, get them ticked off and then come up with a risk register and continual improvement plan. That's a bit arse about face.
Its about Information Security. Identify what you want to keep secure from data loss or hacking. Figure out what the threats are then the risks, prioritise, apply controls to minimise those risks and then reassess what the new risks is.
Come up with an improvement plan to further reduce any high risks.
3) Technically you could have an absolutely minimal set of controls and just accept every risk. One of my colleagues thought of a fictional scenario where he could do just that.
I was taught that every risk needs a control and every control needs a risk or why would you implement it? There isn't a one to one mapping.
4) You can use numerous online tools with templates where you just do a find and replace on <your company name>. They stick out a mile and tend to make everything overly complicated because they have to initially be a one size fits all solution. I can't think of any good ones off hand but they are useful for identifying assets and risks.
5) Not all certification bodies were created equal, and neither are auditors. If they aren't accredited to UKAS they aren't worth their fee.
I find that a lot of companies do it purely for commercial reasons and, after a couple of years, start to get enthusiastic about the way they are held to account and use ISO as a frame work for continual improvement, which is where the certifications score over NIST or Cyber Essentials.
If you want to message me I can give you the names of a couple of consultants I hold in high regard.
ayedubya said:
Apologies to OP for jumping on to this, but CoupeKid could I please pick your brains on this, I tried to send you an email but it says you are not accepting emails. Perhaps you could message me if you are willing to let me ask a few questions. Many thanks in advance.
Sorry about that. I've now updated my profile so should accept emails. I'll answer any questions I can .
Gassing Station | Business | Top of Page | What's New | My Stuff