If you don’t know what ISO 27001 standard is, here’s an article that succinctly describes what it is, why we’re doing it and where we are. It’s an ongoing project, not yet a feedback report. If you’d like to discuss the subject with me, please don’t hesitate to get in touch!
First, what are the key points of ISO 27001 standard?
ISO 27001 is an international standard for information security management. It is designed to implement, maintain, monitor and improve an information security management system (ISMS) within an organization. The main objective of ISO 27001 is to guarantee the confidentiality, integrity and availability of sensitive and critical information. A few key points:
- It aims to help organizations establish a framework for identifying, assessing and managing information security risks: data loss, cybercrime, security breaches, service interruptions and other information-related threats.
- Implementing an ISMS involves identifying critical information assets, assessing risks, implementing appropriate security controls, training employees and continuously monitoring ISMS performance.
- Organizations must be audited by independent third parties to verify compliance with ISO 27001 standard.
Finally, this standard encourages continuous improvement in information security management. Organizations are encouraged to regularly monitor and review their ISMS to ensure that it remains effective in the face of changing threats.
Why implement this approach?
Admittedly, we started this process somewhat under duress. One of our major customers required it of its partners. On closer examination, we realized that it could be interesting for several reasons:
- Better protect sensitive information such as customer data, financial data or trade secrets.
- Reduce security threats and incidents such as data breaches, service interruptions and cyber-attacks.
- Comply with legal and regulatory information security requirements.
- Strengthen trust with our customers and business partners.
- Better manage business continuity, be prepared for service interruptions, disasters and emergencies.
We also hope this approach will enable us to :
- Improve operational efficiency by streamlining information security processes and operations.
- And potentially save money (security incidents can entail significant costs).
What we’ve done and what’s left to do!
The first thing we did was to set up a project team comprising employees from different departments with knowledge of our various processes: IS, HR, Management, Sales, Projects, Technical Management. This team, accompanied by an external auditor from France Certification, enabled us to carry out an initial assessment of the situation: identifying information assets (data, systems, equipment, documents and processes), the threats we might encounter, vulnerabilities and associated risks.
Next, we defined the objectives of our ISMS, identifying the processes, services, locations and information assets to be included within its scope. We also drew up: our IT charter, our secure development policy, our transfer policy and so on. We also set out the organization’s security commitments.
Finally, we have put in place the first elements of our ISMS:
- Managing information assets such as data, systems, equipment and documents. For example, we realized at this stage that our leases were not being managed very well (we still had leases on computers we no longer had!).
- Information security risk analysis: identifying and assessing the risks associated with information assets. This is undoubtedly the most time-consuming phase, as you have to go through all the risks and vulnerabilities associated with your organization.
- Based on the risks we had identified, we drew up and implemented a treatment plan and security controls using Annex A of the ISO 27001 standard. These include technical, organizational and physical controls.
- The risk treatment plan, which defines how risks are assessed, managed and monitored over time.
- The organizational structure, including roles and responsibilities for information security, has been clearly defined.
- Procedures for managing security incidents, with everything recorded, documented and stored.
In addition, several meetings were held with all employees to raise awareness of information security, and to understand the risks and security practices involved. To make the subject a bit fun, we even ran several quizzes and random tests to ensure that the message was well understood and sufficiently integrated.
Les prochaines étapes sont d’effectuer un audit interne pour évaluer la conformité aux exigences de la norme ISO 27001 et pour identifier les éventuels écarts et l’audit de certification qui sera mené par un organisme de certification accrédité.
To conclude
ISO 27001 standard certification takes time and commitment, but we believe it’s essential to strengthen information security and meet security requirements.
Next episode: external audit date September! We’ll keep you posted…
An article by Nicolas Peguin
