Our clients pay us to give them good security advice. And there is nothing like taking your own advice and seeing how well that goes. So, a couple of years ago we decided to eat our own dog-food and go for ISO 27001 certification. This is an internationally recognised way to demonstrate that you have good security. We’ve recommended it to a number of our customers, and we’ve helped several gain it.
We had several things we wanted to achieve with this:
- We wanted to walk the walk. If it is good for customers, surely it is good for us too?
- We wanted to prove that it could be done by a small organisation. ISO 27001 has a reputation that it is only for large corporates. Can a team of less than 20 gain certification and keep it?
- We wanted a way to prove to our customers that we have good security. After all, we do handle some pretty interesting information about their security.
We gained our certification in 2021 and at the end of 2022, we had our first surveillance audit. As Axenic’s acting CISO, I was responsible – along with Lee our ITSM – for making sure we passed. We duly did just before Christmas. It was a quick and relatively painless audit: we passed with only one minor finding (an incorrect document reference). It was my first time being subjected to an external audit, so it was definitely a “learning moment” for me as they say. So here are a few lessons that I (and sometimes we) learned from that experience. If you are looking to gain ISO 27001 or to survive an annual external audit, you might find some of these lessons useful.
Don’t leave creating evidence until the audit
We created evidence throughout the year with an eye on our audits. As we did stuff during the year, we didn’t just do it: we thought about how we would create evidence to show that we had done it. This meant that when our auditor Igor turned up, he didn’t have to take our word for it, but we could show him things that proved we had done this stuff.
For example, we didn’t have any incidents throughout the year, so I took the opportunity to use a couple of security events to run through the incident management process, treating them as incidents. I did this for two reasons: to give the process a tryout (and we discovered a couple of minor problems in doing so) and to generate evidence for the audit that we followed our process.
If we had to create evidence just before the audit, it would be a huge effort and a total pain.
Use the internal audit
For ISO 27001 you are supposed to run an internal audit annually. The opportunities here are that you can use your internal audit as practice for your external audit and you can use it to generate evidence for your external audit.
We did take our internal audit seriously – if anything it was tougher than our external audit. But we would have had an easier time with our external audit if we had used our internal audit as a dry run. Instead, we missed a trick and ran it slightly differently. Not a big deal, but when we came to do the external audit we had several people who hadn’t experienced the exact same process. If we had run the internal audit exactly like the external one, I for one would have been less nervous.
The thing that we did do well was that we created a lot of evidence for our external audit from the internal audit. For example, we had a range of findings and actions that we used as evidence of continuous improvement, document review processes, etc.
Preparation, preparation, preparation
The most important lesson I learnt is that good preparation makes it all easy. We were well prepared and the whole thing went very smoothly. My colleagues were experienced with ISO 27001 audits, so they handed Lee and me a good process which we used. Here are the specific things we did that I think really helped.
- We assigned each clause and control to a specific individual. They collected the evidence and were interviewed for the audit.
- We discussed and agreed beforehand on what evidence we would use for the audit. This meant that no one was in any doubt as to what would satisfy the auditor. Everyone knew what to look for. We used the experience and knowledge of ISO 27001 from a few key individuals to inform the whole team.
- We had either myself or Lee in every audit session so we could provide consistency and address anything anyone missed – or back them up if they got nervous or flustered.
All of this preparation work meant that a two-day audit was done in less than a day. It also made it very easy for the auditor to tell us that we were compliant.
It’s a big deal getting ISO 27001 certification (or recertification), especially for a small company. And it isn’t easy for the team who have to do all the work on the day. So make sure you recognise the success. It was stressful for me, and so I felt really pleased when the team recognised and celebrated our achievement.
If you want to learn about why we got ISO 27001 certification, or you are interested in some help in getting your own – just give Terry a yell, or contact us here.