Friday achieves ISO27001:2013 certification
Over the course of this summer, we undertook the formal development of our Information Security Management System (ISMS) and subsequent whole business alignment behind it in order to validate our processes and achieve certification to the ISO standard.
We did this because it's important for us and our clients to know that our information security controls, processes and behaviours are properly structured, monitored and enforced.
As expected, it was a non-trivial exercise, independently audited - twice. Well-understood processes and behaviours were evaluated and evolved to meet the standard. A team of intrepid ISMS owners drawn from across Friday ensured that we got in shape - and now, following certification, keep things honest and continually improving by meeting weekly to manage the ISMS via a Security Forum.
A light Googling also shows a lot of people asking themselves whether certification is worth it, and what it actually entails. Our answer is:
- It's absolutely worth it. It provides a clear view of information security management across your entire organisation - spotting gaps, finding improvements, developing better ways of doing things - that all help create a stronger information security posture.
- It is a lot of work. Business processes evolve over time, and tacit knowledge (stuff in people's heads) plugs gaps in frameworks or procedures. All of this needs to be analysed, changed as needed and made to conform with your ISMS. We won't pretend there isn't a lot of documentation to create and manage - there is, but it makes sense and helps underpin the "is it worth it?" point above.
We plan to publish our entire ISMS (anonymised!) and documentation set over the course of Q1 2019, along with a step-by-step account of what we did and why, to hopefully help others looking at this standard and how to go about achieving certification.