Case study: ISO 27001 Certification Implementation in an IT System Integrator Company


For any real change in our lives, whether professional or personal, there are questions that come up before we take the step. Here are just a few of the questions you may face before deciding to implement ISO 27001 certification:

  • Why do we need the certification?
  • Where do we start?
  • Do we have enough resources, whether human, financial, or technical?

In this article I will try to answer the questions above from my own experience.

Do we really need to implement ISO 27001 Certification, and why?

Working in the ICT (Information and Communication Technology) industry, you already use most of the procedures for securing electronic data and records, access control, physical security, and so on, so you are probably asking yourself whether you really need ISO 27001 certification.

You may not be aware of it, but ISO 27001 certification itself adds value to your organization. Apart from the fact that you may need the certificate (e.g., because it is one of the conditions for taking part in a tender, or to gain a competitive advantage), the certification process will give you a method to better understand your business, its risks and weaknesses, and how to improve.

At our company, after a long brainstorming meeting discussing whether we needed the certificate, the final decision was that we should go for it.

Implementation process

We decided to implement ISO 27001 using our own resources, together with materials we could find on the internet, without consulting any expert.

Our first impression was: “This will be easy; we already have enough knowledge of most of the topics, and we can easily prepare for the certification.”

We started with the sections we were most familiar with: access control, cryptography, physical and environmental security, operations security, and communications security. We read the materials for these sections and our conclusion was: “OK, we already have all of these implemented.”

We continued with the risk assessment and began researching risk assessment methodologies, and this stage was something we really did not anticipate. The OCTAVE approach, the Risk Management Guide from the National Institute of Standards and Technology, the various spreadsheets we found on the internet, risk owners, risk calculation: suddenly it was as if somebody had started speaking a language we did not understand. With our background in ICT security it was easy to identify the risks, but we did not know how to proceed from there: owners, calculation of the risk, what counts as acceptable risk, and so on. Meetings, brainstorming, more information and templates found on the internet added up to a lot of wasted time and still no answer.

Lessons learned, i.e., implementation tips

It was a new and interesting experience; we learned new things, we made mistakes, and we improved. So, what we learned is the following:

1) Start with the risk assessment

Although you may think (as we did) that you will shorten the implementation period if you start with the parts you already know, the logical way is to start with:

  • The risk assessment, then
  • The organization of information security within your company, and then
  • An inventory of all your records and assets, with clear definitions of their confidentiality levels and importance, in order to prepare adequate security controls.

You cannot prepare procedures for securing information and assets if you do not fully understand the risks. You should be aware that it is practically impossible to provide a 100% secure environment, so you have to analyze how much the information/asset is worth to you, how much it costs to secure it, and whether that cost is acceptable considering the value of the information/asset.
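As an added illustration of the three steps and the value-versus-cost test above (not the author's own worksheet, which the post does not show), here is a minimal register that combines the asset inventory with a likelihood-times-impact risk score and the acceptance decision. The 1 to 5 scales, the acceptance threshold, the sample assets and the control costs are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed acceptance criterion: likelihood x impact at or below this needs no treatment
ACCEPTABLE_RISK = 8

@dataclass
class Asset:
    name: str
    owner: str            # risk owner, one of the things the text says was hard to settle
    confidentiality: str  # level from the asset inventory step
    value: int            # worth to the business, in assumed currency units

@dataclass
class Control:
    name: str
    cost: int            # cost to implement, same units as Asset.value
    new_likelihood: int  # likelihood (1..5) expected once the control is in place

@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int  # 1 rare .. 5 almost certain
    impact: int      # 1 negligible .. 5 severe

    def score(self, likelihood=None):
        return (self.likelihood if likelihood is None else likelihood) * self.impact

def decide(risk, control):
    """Return 'accept', 'treat' or 'reconsider' for one risk and its candidate control."""
    if risk.score() <= ACCEPTABLE_RISK:
        return "accept"       # already within the acceptance criterion, no control needed
    residual = risk.score(control.new_likelihood)
    if residual <= ACCEPTABLE_RISK and control.cost < risk.asset.value:
        return "treat"        # residual risk is acceptable and the control costs less than the asset is worth
    return "reconsider"       # control is too weak or too expensive; look for another option

# Constructed sample register
CUSTOMER_DB = Asset("customer database", "IT manager", "confidential", 50_000)
PRINTED_CONTRACTS = Asset("printed contracts", "office manager", "internal", 4_000)

REGISTER = [
    (Risk(CUSTOMER_DB, "unauthorized network access", 3, 5), Control("MFA on remote access", 6_000, 1)),
    (Risk(PRINTED_CONTRACTS, "reading of hard copies by visitors", 2, 3), Control("lockable cabinets", 900, 1)),
    (Risk(PRINTED_CONTRACTS, "loss in office fire", 2, 5), Control("fireproof safe", 5_000, 1)),
]

def treatment_plan():
    """Decision for each risk, ordered by current score (highest first)."""
    ranked = sorted(REGISTER, key=lambda rc: rc[0].score(), reverse=True)
    return [(r.asset.name, r.threat, r.score(), decide(r, c)) for r, c in ranked]
```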

2) Do not fall for first impressions

It is a well-known saying, but in our case the implementation process really showed us that it is not enough to know all the issues regarding information security. In order to achieve the certification, we needed thorough analyses of the risks and of our business processes.

3) Use documentation templates and toolkits

We understood all the controls well, but we faced a major problem when we had to structure and write the procedures. You can purchase documentation toolkits that give you templates of structured procedures that are easily adaptable to your needs, and that take away the burden of such paperwork, which engineers generally dislike preparing.

4) Have an expert on “speed dial”

We believe in the “in-house development” approach, but we recognize that we never would have completed the implementation without help from an expert.

5) Involve your top management

Always include top management in the decision-making process. Even if you are a long-standing employee and you do not need management's approval, you will need their input to analyze business processes and to enforce the procedures.

Analyze your resources

For a small company with up to 20 employees, a team of three people assisted by an expert can successfully implement the standard in four months.

A thorough analysis of the current technical resources must be completed in order to have accurate information on the finances needed to implement the standard. In our case, we had already implemented most of the infrastructure for securing electronic data, physical security, and access control, but some minor investments for the physical security of hard-copy material were required.

Most companies working in the ICT field have also already implemented good security controls for their electronic data and physical access. So, if your company is one of those, you will not face a significant financial impact.

You will face ups and downs in the implementation process. However, in order to succeed, you should always keep in mind that, in the end, you will have a lot of benefits. And do not forget to ask experts when things start getting unclear; it may increase the implementation costs, but it will help you finish.
