Implementing ISO 27001:2022 - from sea to summit.

Implementing a complex standard such as ISO 27001 - an information security standard published by the International Organization for Standardization (ISO), also known as ISO/IEC 27001:2022 - may seem like a Herculean task to you…

Well, let me tell you something… It is! Even though at kreuzwerker we love problems! And more than anything, we love to solve them, making our own mistakes and learning from them along the way.

Being all for structures and organization, from Marie Kondō at home up to standardization and compliance at work, I am drawn to finding ways to make tasks more methodical. I embraced the Lead Implementer role quite naturally, knowing that a whole crew of excellent professionals had my back and was willing to make this a successful venture.

We set out on our journey in 2020. Back then, we did it “on our own” and arrived at the usual conclusion: we need to educate ourselves. We learned about all things ISO, often feeling adrift in the vast ocean of the world wide web. However, those who search, find: online training, trustworthy information sources, (some) free documentation templates, tips and tricks, etc. I’m not gonna lie to you… This sh*t is dry! Hours of training material, reading through documentation, gathering information about the standard’s requirements, controls, applicable laws and regulations and, most importantly, understanding what all of this meant for us was in no way an easy (or fun) task.

Maps, compasses and guides

In order to arrive at our destination we needed some sort of navigation equipment. Acquiring a ready-to-run Information Security Management System (ISMS) was a wise decision. This was our map and compass, taking us through the implementation step by step and providing us with sample documents and useful tips along the way. The whole ISO/IEC 27000 family of standards (especially 27001, 27002 and 27005) is itself a useful guide to implementing an ISMS; it just wasn’t enough for us. If you have not worked with standards before, they can be quite complex until you get to know and understand their structure. Additionally, since this is a sector-agnostic standard that should be applicable to any organization of any size in any branch, it can be vague at times.

Even though we had our maps and compass, we still got lost and felt unmotivated at times. Organizational change processes, market and technological changes, and dealing with an updated standard (ISO 27001:2013 being succeeded by ISO 27001:2022, with new and changed controls) didn’t make it easier. Not having the knowledge in-house was frustrating, but not hard to remediate: we hired consultants to guide us along the way 😉

Keep a travel journal

Being a Cloud Native Software Development, Consulting and Managed Services company, we are pretty much used to following industry best practices, implementing security measures and controls, and having processes and policies in place to ensure those. We learned two big lessons from our consultants. First, continuous improvement is the key: document not only policies and processes, but also keep meeting notes, record decisions, manage resources, processes and tasks, identify roles and document responsibilities. All of this will help you in the audit as evidence of your continual efforts to improve the ISMS. Second, the job of the auditor is not to find non-conformities but to find sufficient evidence of compliance with the standard (you have to show it to them!) as well as opportunities for improvement.

Trust your crew

All of this, of course, is not a one-person job. Compliance is a team sport. Experts from all our teams (internal and consulting) contributed not only by identifying information security risks and treatment plans, drafting and designing policies/processes and applying the required controls, but also by helping me understand what they do in their day-to-day work and which information security requirements are relevant to each of them. This was remarkable teamwork.

Life’s a journey, not a destination

After months of hard work getting ready for the certification audit, our adventure was coming to an end. All the above steps had prepared us for this moment. We were audited for five days, during which the auditor mainly wanted to see how we live information security at kreuzwerker: looking for evidence of the implementation of our policies and processes, interviewing colleagues and assessing whether our ISMS is compliant with the norm.

Did we reach our final destination? Well, yes and no. Our Information Security Management System is finally ISO certified (YAY!). As a consequence we are now officially committed to its continual improvement. And we love to solve problems! So technically not an end, but a new beginning.