Five stages of accepting the inevitability of ISO/IEC 27001 certification. Denial

When a company faces any strategically important decision, its employees go through a basic defensive mechanism, well known as the five stages of response to change (described by E. Kübler-Ross). The eminent psychologist identified five key stages of emotional response: denial, anger, bargaining, depression and, finally, acceptance. We have prepared a series of articles on ISO 27001 certification in which we will look at each of these stages. Today we will talk about the first of them: denial.

Obtaining an ISO 27001 certificate "for show" is a very dubious pleasure, because it requires long and expensive preparation. Moreover, as the statistics show, this standard is extremely unpopular in the Russian Federation: to date, only 70 companies have been certified for compliance. At the same time, it is one of the most sought-after standards abroad, meeting the growing needs of business in the field of information security.

Our company provides a full range of outsourcing services for accounting functions: accounting and tax accounting, payroll and personnel administration. We occupy one of the leading positions in the market, in particular due to the fact that foreign companies with subsidiaries in Russia entrust us with their confidential information. This applies not only to the financial processes of our clients, but also to the personal data that we work with on a daily basis. In this regard, the issue of information security is one of the priorities for us.

Often, all business processes of Russian divisions are controlled and defined by the head offices of foreign companies, and therefore they must comply with internal group-wide standards. Recently, some of our key clients have begun to revise their security policies in the direction of tightening them. Of course, this is driven by global trends: the growing number of cyber attacks and the losses associated with information security incidents. If all that is needed is to introduce protection tools, policies and procedures aimed at improving a company's information security, you can do without ISO/IEC 27001 certification, thereby saving a great deal of money, time and nerves.

Today, the tenders of foreign customers have begun to include requirements for the information security already in place at a company. Some, in order to simplify their verification and unify the approach, make the presence of ISO/IEC 27001 certification a mandatory evaluation criterion.

This is what happened to us: one of our key international clients, certified to this standard, apparently strengthened its global information security team considerably. How did we find out? They decided to audit our information security management system, because we provide them with accounting and personnel administration services, and accordingly the security of our information systems is critical to them. The previous audit had taken place 3 years earlier, and at that time everything went quite painlessly.

This time we were descended upon by a friendly team from India, who deftly dug up several dozen flaws in our security management system. The audit process was like the wheel of Samsara: it seemed that they had no intention, in principle, of ever reaching a final point within the framework of the audit. It was an endless string of questions, comments, our responses and evidence that they were real, conference calls and lengthy philosophical conversations while trying to make out the accent of the client's IT security team. By the way, the audit continues with varying degrees of intensity to this day; over time, we have come to terms with it. Thus the need for certification matured on its own.

Can we get by with ISO 9001?

Everyone who is more or less savvy about certification against any of the ISO standards understands that the foundation for each of them is the ISO 9001 Quality Management System certificate. This is perhaps the most popular certificate in the entire ISO line at present. We didn't have it, and we decided not to get it. There were several reasons for this:

  • doubtful economic efficiency of the company having this certificate;
  • for the most part, our internal processes were already close to this standard;
  • obtaining this certificate would require additional time and money.

Accordingly, we decided to implement ISO 27001 straight away, without starting with the "lighter" 9001.

Or maybe you don't need to?

Looking ahead, we returned many times to the question of whether obtaining it was expedient at all. We began to study the issue from all sides, because we had absolutely no expertise in it. Here are the misconceptions that made us think about this question again and again.

Misconception #1.
We hoped that the standard would provide us with a detailed checklist, a list of policies and other required documents. In reality, it turned out that ISO/IEC 27001 is a set of requirements for the information security management system itself and for the process of building it. Based on those requirements, we had to decide independently what to write and implement in our company in order to comply with the standard.

Misconception #2.
We sincerely believed that it would be enough for us to study one document and implement it on our own in a relatively short time. In reality, while reading the document, we realized how many related standards our standard "clings to", and how many standards we would need to familiarize ourselves with (at least superficially). The "cherry" on the cake was that up-to-date texts of the standards were not in the public domain: they had to be bought on the official ISO website.

Misconception #3.
We were confident that we would find everything we needed to prepare for certification in open sources. Indeed, there were quite a lot of materials on ISO 27001 on the Internet, but they contained little that was specific. There were practically no easy-to-understand step-by-step instructions for preparing for certification, nor real cases of companies that had implemented this standard.

Misconception #4.
We will write policies, but they will not work! After all, there are already too many rules in our company, and no one will comply with three dozen more new policies. In reality, fortunately, our employees took the task of mastering the new rules responsibly and successfully passed the test on their knowledge of the information security management system documents.

Misconception #5.
At that time, we could not clearly assess what benefit we would get for our labor costs. The number of requests for this certificate was not yet so large, and we had won our key and most demanding client long before certification. Experience showed that we had coped without a standard.

At some point, we realized that we were closing one emerging gap after another ad hoc, as the client's requirements came in. Each time we came up with some new policies or solutions. We finally came to the conclusion on our own that it would be much easier to systematize the process, and this later even saved us a large amount of labor. The standard was intended to simplify exactly this task.

Now, two years later, we see a trend towards an increase in the number of requests and interest in this issue from the largest international clients.

Final decision.

In conclusion, we want to say that the leaders of our industry obtained ISO/IEC 27001 certification, which made all the other major providers (including us) think about this issue. Undoubtedly, a beautiful line in the company's marketing materials (on the website, in social networks, in advertising brochures, etc.) can be considered a nice bonus, but is it worth spending so many resources on it? We determined for ourselves that for us it is more than just a beautiful line, and we got involved in this project.

Source: habr.com