Embarking on the ISO accreditation journey is daunting yet achievable with the right approach and mindset. As COO of Talanos Cybersecurity, I recently spearheaded our organisation's pursuit of ISO 27001 (Information Security Management System) and ISO 9001 (Quality Management System) accreditation - supported by Jan, our Head of Security Operations and Renier, our Head of Service Management. Allow me to share insights gleaned from this transformative experience.
TL;DR
- You will need to map your terminology to the ISO terminology. Learn and use the ISO terminology during the audit (and consider adopting it permanently).
- Be prepared to be audited on your entire Q&ISMS rather than just a sample.
- Don't rely on the auditor to guide you.
- You should bring in external help and guidance to navigate the process.
- Don't lose sight of the objective while working through the fine-grained details and stop people if you're getting lost in the weeds.
- If relevant, do both your ISO 27001 and ISO 9001 together. There are synergies you can leverage.
- The work is never done, and post audit requires continuous maintenance, refinement and improvement - automate as much as you can.
Understanding the Landscape
I spent the first few days reading a small library of information. There were scores of documents: a mass of spreadsheets, standards, suggestions and instructions shared by the auditor, all intertwined and occasionally contradictory. Mistakenly, we dove into tasks without grasping their context, leading to initial confusion and frustration. Lesson learned: understand the big picture before delving into specifics.
- It turns out we were already doing many of the things that ISO required of us, but the terminology was different and mapping it was time consuming.
The First Audit
When you embark on the ISO journey you schedule two audits: the final audit, when you hope to be awarded accreditation, and the practice audit, where the auditor marks your progress so far, which helps guide you. You won’t be at all surprised to learn the first audit didn’t go well, but there were some things we did learn.
- The auditor isn’t just assessing a subset of tasks. They are interrogating your Information Security and Quality Management System in its entirety: how well you understand it and how you are beginning to implement the standards into everything the business does.
- You need to learn the lingo. Understand the terminology the auditor is using and point them towards your relevant register, procedure form or control - all ISO speak - with confidence.
- The auditor isn’t a consultant, they aren't there to provide advice, although our specific auditor was as helpful as he could be within tight constraints.
The Importance of Guidance
Recognising the need for guidance, we enlisted the expertise of a seasoned consultant, Dave Burton from QBH Solutions. Dave provided invaluable insights, demystifying ISO jargon and offering a structured approach to implementation. He had a model, effectively the bones of the system, that we could use to help us, and he was there to answer our many frequent and sometimes silly questions.
- I would highly recommend you team up with a consultant rather than try to go it alone.
Eating the Elephant
Like eating an elephant, tackling ISO accreditation requires a systematic, incremental approach. I printed copies of the standards, read them from cover to cover and made lots and lots of notes. My standards are rainbows of highlighted text. We meticulously dissected the standards, identifying overlaps and tailoring procedures to align with our business objectives. Mapping risks, controls, and processes formed the bedrock of our Quality and Information Security Management System (Q&ISMS).
- This was one of my biggest takeaways from the work. You must just take a step back and find a way to tackle the small tasks without losing sight of the bigger picture when you take on any large project like this.
Integration for Synergy
ISO 27001 and ISO 9001 synergise seamlessly, offering a comprehensive framework for managing information security and quality. Combining these standards enabled us to fortify resilience, enhance operational efficiency, and elevate customer satisfaction—key tenets of our organisational ethos.
- There are a lot of crossovers between ISO 27001 and ISO 9001, so I would really recommend working through both accreditations simultaneously.
The Audit Crucible
Our journey culminated in the nerve-wracking audit phase—a rigorous assessment of our Q&ISMS's efficacy. We were understandably a little nervous to welcome the auditor back. I’d spent a restless night; you can guess what I dreamed about. Armed with a comprehensive understanding and robust evidence, we confidently navigated scrutiny. The audit underscored the importance of continuous improvement and laid the groundwork for future endeavours, including our future CREST SOC certification.
Looking Ahead
While achieving accreditation marks a significant milestone, our ISO journey is far from over. As we continue to evolve, our commitment to safeguarding organisations against cyber threats remains unwavering.
- Maintenance, refinement, and automation are imperative for sustaining our compliance and preparing our business to scale up.
In Conclusion
Implementing ISO standards is not merely a checkbox exercise; it's a journey of growth, resilience, and continual improvement. By embracing the challenges and leveraging expertise, you'll make short work of that elephant.
Image credit: DALL-E2 "An executive pondering how to eat an elephant"