Part of our business is advising companies that wish to become ISO27001 certificated and we are delighted that two clients recently passed their independent audits with flying colours. Gemserv is an independent consultancy in the energy sector while Easynet is a network management and hosting company owned by BSkyB. In each case we worked with them to scope and set the critical path for their compliance project, provide the necessary training for their in-house project team and then act as on-call coach throughout their risk assessment, risk treatment and pre-audit phases.
From working with various firms we have identified several factors that determine how quickly they will succeed in achieving ISO27001 compliance. To any organisation about to embark on this process we make the following strong recommendations:
1. Get senior management buy-in from the outset – if you don’t, you won’t get the money, time and resources you need and will find it harder to get other colleagues to play their part.
2. Establish a project board, including a senior sponsor and a well qualified project manager, and a motivated project team to run the process day-to-day.
3. Choose and use a good project management methodology – the compliance process reaches right through the organisation and has many interlocking parts; if you don’t keep a tight grip it can quickly slip out of your control.
4. Communicate and train at every level – not only does your project team need to be given the skills and knowledge for their task, but all your other colleagues need to understand what is being delivered and why. If not, your work may quickly unravel.
5. Lastly, recognise that there is no end point to the project – becoming certificated is just the start; you have to make the information security management system an ongoing part of your business and broadcast this message consistently from the start.