Last Updated on January 24, 2022
When Pivot Point Security decided to pursue ISO 27001 certification in 2015, we assumed it would be a slam dunk. After all, we had been one of the country’s top ISO 27001 consulting companies for nearly ten years. Further, as our CISO and Project lead, I had been an ISO 27001 Certified Lead Auditor for over a decade.
We were half-right in our preliminary assessment. Achieving our ISO 27001 certification was relatively simple. It took time, but we knew exactly what needed to be done and sailed through the certification. Maintaining our ISO 27001 certification was not simple, however. Our first ISMS Internal Audit and Surveillance Audit were humbling. This post shares some of our “lessons learned” as we stumbled over successive milestones.
Don’t Build an ISMS, Operationalize One
What went wrong with maintaining our information security management system (ISMS)? Our focus was on building an ISMS to pass our initial certification. The process of preparing involved executing all of the tasks and generating all of the artifacts necessary for us to achieve certification successfully. Unfortunately, we built our ISMS but didn’t operationalize it. We failed to develop the “project plan” that would detail all of the tasks that would need to occur over the next year to maintain our ISMS. Somewhere around mid-year, that began to become apparent. We cobbled some things together (poorly) and were humbled by an Internal Audit that produced a dozen-plus Nonconformities and Opportunities for Improvement.
An ISMS Project Plan Isn’t Enough
Lesson learned (I thought), we embarked on the second year of our ISMS committed to doing a better job. We put together a project plan for the ISMS, updated our Information Security Policy goals, updated our risk assessment spreadsheets, updated our security metric spreadsheets, and were ready to roll. But things got busy. Pivot Point Security was growing. We had consultants to hire, new systems to deploy, cloud migrations, etc. Our ISMS plan was in Microsoft Project, but it was the only thing that we used Project for that year. Our spreadsheets were on a dedicated SharePoint site that had no other reason for existence except the ISMS. One of our goals to address an OFI was to migrate some systems to a new cloud service provider to enhance their security. But our COO was not part of the ISMS planning process, and we failed to capture that in the budget. Our second ISMS Internal Audit and external Surveillance Audit were once again humbling. Yes, we were notably better, but our baby was still ugly.
Success Comes When You Integrate Information Security into Your Business Processes
Lesson relearned, we embarked on the third year of our ISMS committed to not being humbled this time around. Reflecting on our failures, we realized that we had made the ISMS an appendage to business operations, not an integral component of them. Here is how we got it right:
- We disbanded our security/technology centric ISMS Committee and tasked that responsibility to our Senior Management Team.
- We integrated the ISMS Planning process into our quarterly and annual business planning processes.
- We documented our annual ISMS goals on our Traction VTO in the same way we documented our business goals.
- We documented our quarterly ISMS goals (Rocks) on our Traction VTO in the same we documented our business goals.
- We documented our Security Metrics on our VTO in the same way we documented our sales/marketing/financial metrics.
- We moved all communication/artifacts for the ISMS to Microsoft Teams, where we spent a good part of each day already.
- We moved all tasks for the ISMS to Wrike, where we spent a good part of each day already.
In short, we made our ISMS so central to our everyday activities that it would take conscious effort not to take action on it.
Now Our ISMS is Perfect, Right?
Nope, but I would say it’s gotten pretty damn good. The hardest part to operationalize has been recognizing changes that have the potential to impact the ISMS, and tuning it accordingly. New services you offer, new clients you acquire, new laws/regulations, new hires, new data you are receiving, new technologies you use, new vendors, etc. all need to trigger risk assessment and downstream changes to the ISMS as necessary.
Our 2022 Challenge
We have three big changes planned for our ISMS in 2022:
- Update our ISMS to address the new ISO 27002:2022 standard
- Migrate our ISMS to our new OSCAR platform to take advantage of its workflows and simplify our interactions with internal/external auditors
- Integrate the Cloud Security Alliance Cloud Control Matrix into our ISO 27001 ISMS
Why change when we finally got things working well?
As Winston Churchill said, “To improve is to change; to be perfect is to change often.”
Looking for some related content? Check out this recent blog post regarding the new ISO 27002:2022 standard: What the New ISO 27001:2021 Release Will Mean to You – Pivot Point Security