5 stages of inevitability of acceptance of ISO/IEC 27001 certification. Depression

The fourth stage of the emotional response to change is depression. In this article, we will tell you about our experience of going through the most protracted and unpleasant stage: changing the company's business processes to bring them into compliance with the ISO 27001 standard.


Expectation

The first question we asked ourselves after selecting the certifying body and the consultant was: how much time would we really need to make all the necessary changes?

The initial work plan was scheduled so that we would fit everything into 3 months.


Everything looked simple: we needed to write a couple of dozen policies and slightly adjust our internal processes, then train colleagues on the changes and wait another 3 months (so that "records" appear, that is, evidence that the policies are actually functioning). It seemed that that was all, and the certificate was in our pocket.

In addition, we were not going to write policies from scratch: after all, we had a consultant who was supposed to, as we thought, hand us all the "correct" templates.

Based on these conclusions, we budgeted 3 days for the preparation of each policy.

The technical changes also did not look intimidating: we needed to set up the collection and storage of events, check whether the backups corresponded to the policy we had written, retrofit cabinets with access control systems where necessary, and handle a few other small things.
The team preparing everything needed for certification consisted of two people. We planned that they would work on the implementation in parallel with their main duties, and that it would take each of them a maximum of 1.5-2 hours a day.
In short, our view of the upcoming scope of work was rather optimistic.

Reality

The reality, of course, was different: the policy templates provided by the consultant turned out to be largely inapplicable to our company, and there was almost no clear information on the Internet about what to do and how. As you can imagine, the plan to "write one policy in 3 days" failed miserably. So we stopped meeting deadlines almost from the very beginning of the project, and the mood began to slowly fall.


The expertise of the team was catastrophically small - so much so that it was not even enough to ask the consultant the right questions (and the consultant, by the way, did not show much initiative). Progress slowed even further because, 3 months after the start of implementation (that is, at the moment when everything should have been ready), one of the two key participants left the team. He was replaced by a new head of the IT service, who had to complete the implementation in a short time and provide the information security management system with everything it needed from a technical point of view. The task looked difficult... Those in charge began to get depressed.

In addition, the technical side of the matter also turned out to have its "nuances". We faced the challenge of a global software upgrade on both workstations and server hardware. While setting up the event (log) collection system, it turned out that we did not have enough hardware resources for it to function normally. And the backup software also needed to be upgraded.

Spoiler: As a result, the ISMS was heroically implemented in 6 months. And no one even died!

What has changed the most?

Of course, in the process of implementing the standard, a large number of small changes took place in the company's processes. Here are the most significant changes for you:

  • Formalization of the risk assessment process

Previously, the company did not have any formalized risk assessment procedure - this was done only in passing as part of the overall strategic planning. One of the most important tasks solved within the framework of certification was the introduction of the Company's Risk Assessment Policy, which describes all stages of this process and the persons responsible for each stage.

  • Removable media control

One of the significant risks for the business was the use of unencrypted USB flash drives: in fact, any employee could copy any information available to him onto a USB flash drive and, at best, lose it. As part of the certification, the ability to write any information to flash drives was disabled on all employees' workstations - writing became possible only on request to the IT department.
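As an added illustration (not the company's own script), this is how the same "deny write, keep read" control can be enforced and verified on a Windows 10 workstation using the built-in Removable Storage Access policy; the device-class GUID is the standard one for Removable Disks, and the script assumes it is run with administrator rights.

```powershell
# Added example: enforce "Removable Disks: Deny write access" locally and verify it.
# Run as Administrator. The GUID is the well-known Removable Disks device class
# referenced by the Windows Removable Storage Access policies.
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"

function Set-RemovableDiskWriteDenied {
    # Create the policy key if it does not exist yet
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Deny_Write = 1 blocks writing to removable disks; reading stays allowed,
    # so employees can still open files handed to them on a flash drive
    New-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RemovableDiskWriteDenied {
    # Returns $true only when the policy value is present and set to 1
    if (-not (Test-Path $PolicyKey)) { return $false }
    $value = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
    return ($value -eq 1)
}

Set-RemovableDiskWriteDenied
if (Test-RemovableDiskWriteDenied) {
    Write-Output "Removable disk write access is denied by policy on $env:COMPUTERNAME"
} else {
    Write-Output "Policy is not applied on $env:COMPUTERNAME - check for a conflicting domain GPO"
}
```

The setting is picked up for devices connected after it is applied; in a domain the same value is normally delivered through Group Policy rather than set on each machine by hand.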

  • Super User Control

One of the main problems was the fact that all employees of the IT department had absolute rights in all company systems - they had access to all information. At the same time, no one really controlled them.

We have implemented the Data Loss Prevention (DLP) system, a program for monitoring the actions of employees, which analyzes, blocks and alerts about dangerous and unproductive activities. Now notifications about the actions of IT department employees are sent to the mail of the Operations Director of the company.

  • Approach to the organization of information infrastructure

Certification required global changes in both the infrastructure and our approach to it. Yes, we had to upgrade a number of servers because of the increased load. In particular, we allocated a separate server for the event collection system and equipped it with large and fast SSD drives. We abandoned the backup software and opted for storage systems that have all the necessary functionality out of the box. We took several big steps towards the concept of "infrastructure as code", which saved a lot of disk space by eliminating backups of a number of servers that can be rebuilt from their definitions. In the shortest possible time (1 week), all workstations were upgraded to Win10. One of the issues the upgrade solved was the ability to enable disk encryption (available in the Pro edition).

  • Control of paper documents

The company had significant risks associated with the use of paper documents: they could be lost, left in the wrong place or improperly destroyed. To minimize this risk, we have marked all paper documents according to the degree of confidentiality and have developed a procedure for the destruction of different types of documents. Now, when an employee opens a folder or takes a document, he knows exactly what category this information falls into and how it should be handled.

  • Backup data center rental

Previously, all company information was stored on servers located in a third-party secure data center. However, there were no procedures for accidents in this data center. The solution was to rent a backup cloud data center and back up the most important information there. Now the company's information is stored in two geographically remote data centers, which minimizes the risk of its loss.

  • Business continuity testing

Our company has had a Business Continuity Policy (BCP) for several years, which describes the procedure for employees to follow in various negative scenarios (loss of access to the office, epidemic, power outage, and so on). However, we have never done continuity testing - that is, we have never measured how long it will take to restore the business in each of these situations. In preparation for the certification audit, we not only did this, but also developed a business continuity testing plan for the coming year. It is worth noting that a year later, when we faced the need for a complete transition to a remote mode of operation, we coped with this task in three days.

It is important to note that all companies preparing for certification have different starting conditions - therefore, in your case, completely different changes may be required.

Employee reaction to change

Oddly enough, this is where we expected the worst, and it turned out not so bad. It cannot be said that colleagues received the news of certification with great enthusiasm, but the following was clear:

  • All key employees understood the importance and inevitability of this event;
  • All other employees followed the lead of the key employees.

Of course, the specifics of our industry (outsourced accounting services) helped us a lot. The vast majority of our employees cope excellently with the constant changes in the legislation of the Russian Federation. Accordingly, the introduction of a couple of dozen new rules that now had to be observed was nothing out of the ordinary for them.

We prepared new mandatory ISO 27001 training and testing for all our employees. Everyone obediently removed the stickers with passwords from their monitors and cleared the desks littered with documents. No loud dissatisfaction was noticed - in general, we were very lucky with our employees.

Thus, we have passed the most painful stage - "depression" - associated with changes in our business processes. It was hard and difficult, but the result in the end exceeded all the wildest expectations.

Read the previous articles in the series:

5 stages of inevitability of acceptance of ISO/IEC 27001 certification. Negative: misconceptions about ISO 27001:2013 certification, the expediency of obtaining a certificate.

5 stages of inevitability of acceptance of ISO/IEC 27001 certification. Anger: Where to start? Initial data. Expenses. Provider choice.

5 stages of inevitability of acceptance of ISO/IEC 27001 certification. Bargaining: preparing an implementation plan, risk assessment, writing policies.

5 stages of inevitability of acceptance of ISO/IEC 27001 certification. Depression.

5 stages of inevitability of acceptance of ISO/IEC 27001 certification. Adoption.

Source: habr.com
