If you have been following our ISO 27001 blog series you will know that Axenic is now officially ISO 27001 certified! The team is extremely excited about this accomplishment, however, the journey to becoming certified has not been easy. We are going to continue talking you through our journey to certification and Part 3 discusses our lockdown experiences and how we used this to our advantage.
As we were gearing up to start designing our Information Security Policy and define our high-level security requirements, NZ went into lockdown. With a little shuffling, it turns out that lockdown meant we had some extra time on our hands and we tried to get as much done as we could during the lockdown. A great case of turning a negative into a positive!
ISO 27001 Policies and processes
During the lockdown period we focussed on creating the big-ticket policies and processes, which means we:
- Generated our Information Security Policy
- Formally documented our change management process
- Built our incident management process
- Formally documented our ISMS roles and responsibilities
- Put our Risk Management Methodology and Process to paper
- Built a Risk Register
- Created a continual improvement process
- Built our non-conformity management process
- Defined our communications plan
We managed to get the heavyweight documents all written up. At this stage in the process, we had not published any of our policies for consumption by the company; so we were sitting on a lot of information.
We had another difficult detour; during lockdown our CISO decided to move on to a different role, leaving our ISMS one leader short. It is not the Axenic way to let isolation and some structural changes derail a project, so we turned to our well-defined ISSG members. In the interim, our Sponsor Jim took up the role of Interim CISO and we distributed the CISO tasks between the Sponsor and the ISM Martin.
This was another case of turning a negative into a positive, as it helped us define our ISSG authority by delegating powers from the board to make decisions with a quorum of two thirds of the team. Having one less ISSG member did not end up slowing down our decision-making process. Not surprisingly, it turns out that a well-thought-out ISMS organisation structure worked in our favour.
Another bump in the road
With everyone trickling back to work after lockdown and business picking back up, we were concerned that interest in our ISMS implementation would taper off as other billable work became a priority. A half-documented ISMS does not count for much! However, we were lucky that our leadership team created the ISMS as an internally funded project that was handled the same way as we handle client projects; this time we were our own client. This meant that the ISM was a project-allocated resource, just like any other customer project resource, which kept the flame alive and the ISMS firing on all cylinders. All it took was pushing through and holding our regular weekly project meetings and monthly ISSG sessions to add some driving force to the project and maintain focus.
By the time we had our first in-person ISSG meeting after the lockdown, we had all the documents approved as version 1 editions. This meant we could start planning the implementation of what we had ready while finishing the last documents and preparing for Wave Two of implementation later in the year.
Here is what our ISMS had after 5 months, starting from nothing:
- Leadership commitment
- Authoritative direction through our ISSG
- Well-defined roles and responsibilities
- Risk Management Methodology to inform our decisions
- More than half of our security requirements documented and approved
We now have to implement what we have documented to have a functional ISMS. We will see you in the next blog, where we will discuss the stretch to get the rest of the ISMS finished on paper and see it running for the first time.
And of course, if you are interested in finding out how you can start your own journey towards ISO 27001 certification contact our team today!