Make ISO27001 Security Certification Work In Your Favour
by Matt Born, CTO and Co-founder at Trade Ledger™
With only three weeks until we flip our calendars to 2018, many of you have probably started year-end business reviews and are building plans for next year. When you lay out your pipeline and forecast, you may notice one item you are not sure about: the ISO 27001 certificate. Your strategic customers in the financial industry may have indicated they love your solution, but if you want them to sign the deal, take you enterprise-wide, or go global, you will need to show them the certificate or its equivalent ASAP.
If this sounds familiar, this article will help answer some questions you may be asking. We are going to share with you how we maximise the benefits of ISO 27001 certification by using it as a practical tool to integrate security into our daily work, and make ISO more than just compliance. We hope you can find some ideas to make ISO security work in your favour as well.
Security vs Security Compliance
In spite of being bombarded by news headlines about cyber attacks and security breaches almost every day, security still does not often reach the top of the priority list for entrepreneurs and innovators. And don’t even mention security compliance. Let’s agree on some basic terms first: Security vs Security Compliance.
According to the SANS Institute, Security (aka Information Security) refers to the processes and methodologies which are designed and implemented to protect “confidential, private and sensitive information or data from unauthorised access, use, misuse, disclosure, destruction, modification, or disruption.”
In contrast, security compliance is about being able to demonstrate a good security state against some standards, internal policies and external requirements from customers and regulators.
ISO 27001 is only a good investment if you do it right
No one can deny that a good security state is important to our customers. And we need to be able to demonstrate how we actually achieve a good security state. We believe that the ISO 27001 certificate is not only an effective way to demonstrate it, but that it also helps build customer trust and removes hurdles that may prevent you from winning more business.
Unfortunately, it’s very common to see organisations treat compliance certification as a box-ticking exercise: difficult, burdensome and meaningless. This perception has led to a divergence between Security and Security Compliance, and has seen organisations that engaged in ‘box-ticking’ miss out on the real benefit of ISO: building a robust security risk management programme. Worse, with no benefits, they still bore the cost of the exercise—time and money they might have instead invested in building better products and services.
Frankly, we would suggest that these organisations stay away from ISO until their mindset changes.
Our mindset shift
We recently embarked on the ISO certification project with an aggressive timeline of approximately 3 months. We are on track to complete the certification.
Five months ago, we were actually in a similar position to many of you. The team was not sure when and how to prepare for the ISO certification process.
Undoubtedly, our No. 1 Accelerator was assigning an owner.
Specifically, we assigned ownership to someone who deeply understands the security compliance landscape of the financial industry, and who proactively advocates for baked-in security in DevOps: our Security Engineer. Our Security Engineer also explained that ISO 27001 is not meant to be a security-control bully, but a tool for robust security risk management and governance. This nuance helped the team embrace a risk-based approach to security management.
Managing risks is what entrepreneurs do every day, and the essence of security risk management is very similar. For us, instead of creating some artificial risk appetite, we asked ourselves a series of questions: How much risk is the business prepared to take? How likely are the application service and customer data to be compromised, whether through security weaknesses in people, process and technology or through cyber threats? We made sure that we took a long-term view and aligned our risk appetite to the business’s trajectory and ambition. From there, we worked out a meaningful risk-management strategy that supports us in meeting the security requirements of our local and global customers.
In addition, our Security Engineer facilitated and performed a series of exercises (such as internal cloud security reviews, threat modelling and external application penetration testing). Instead of guessing, we used real data to understand the differences between our objectives and our as-built environment. Once our business-aligned risk appetite and management strategy were clear, risk mitigation and triage became much more straightforward for the team. At the same time, we started to see the convergence between Security and Security Compliance.
We are convinced that we have a really good story to tell (and great evidence to show) ISO auditors regarding our management of security risks. One thing worth noting is that before we pulled the trigger and booked the auditors’ time, we also engaged a reputable security consultancy to provide guidance while we were navigating the process for the first time.
What works for you will also make ISO auditors happy
Now, you may ask, “Shouldn’t ISO auditors tell you what security controls you must implement to pass the audit?” The answer is “No! Not at all.”
Forget about ISO certification for a minute. As a business owner, you need to be comfortable with how you manage risks and customer expectations. You know your business and your risks better than anyone. If you are happy, and if you can show auditors why there is no reason for them to object, they will be happy too. ISO auditors will only have a problem when you say you do A, but you actually do B.
Now we are getting to the convergence between Security and Security Compliance that we alluded to earlier. That’s the secret to making ISO work in our favour, and to avoiding a documentation nightmare.
We formalise security controls, processes and tools around the DevOps process. In other words, we only adopt the security controls that are mission-critical in supporting DevOps. The documentation naturally becomes lean, and doesn’t live in some isolated Confluence space, secret folder or Jira board hidden from the DevOps team. Instead, it’s part of the same assignment system and backlog that the team uses. We have near-zero tolerance for any documentation or process that’s created only for the sake of compliance.
If you’re ready to plan your own ISO 27001 certification, these five tips will help you get off to a healthy start.
1. Start the conversation early
Consult a security consultancy early to sketch out an effective project plan if you don’t have much experience dealing with ISO 27001. Make sure that you select a consultancy that has a track record of successful ISO implementations for organisations of your size. Smaller firms are typically more pragmatic, and can help you avoid unnecessarily lengthy documentation.
2. Say no to cookie-cutter solutions
A cookie-cutter solution typically leads to full adoption of all 114 security controls from the standard across every aspect of your business. That’s ineffective and inefficient. Remember, ISO 27001 is about risks and how your organisation manages its own risks. Scope out your key business processes and identify the mission-critical security controls for your ISO certification.
3. Aim at sustainability to avoid burying yourself in documentation
ISO certification is not a once-and-done activity. It’s an ongoing process and should be embedded into your operational processes. So, build something that’s sustainable; otherwise, maintaining ISO certification could itself become a capability-management risk. Don’t confuse must-have with nice-to-have security controls.
4. Prioritise risk mitigation solutions that will go a long way over patch work
Keep risk in mind when selecting technologies and architecting designs for software and infrastructure. Adopt security engineering principles in the software development process to avoid retroactive fixes after applications are in production.
5. Engage the team and bake security into everyone’s work
Don’t make security a bolt-on feature, or security compliance a box-ticking exercise. If security is treated as an integral part of the DevOps team’s workflow, it will no longer be confined to a silo where it creates a compliance burden that neither adds value to the business nor improves security.
Find ways to take more control over your ISO 27001 certification, and turn it into a good business investment. Fellow fintech startups: it’s time to act.