When we began our ISO 27001 journey and had our initial discussions about going for certification, the world was rosy. Well, it was certainly rosier than the one we're living in right now. In this blog post, I am going to tell you all about Eden’s journey towards gaining our certification and how the COVID-19 pandemic affected it, what barriers we had to overcome and, ultimately, why you shouldn’t let it stop you from going for certification.
Why go for ISO 27001 certification?
Of course, before you commit to something, you have to discuss the why. Going for ISO 27001 had been on our minds for quite some time. We noticed more and more that clients were giving us cyber security assessments to fill in, tender portals were listing ISO certification as a high-scoring requirement and information security was becoming a hot topic – especially with big GDPR fines being proposed. It wasn’t just those reasons, however; after researching more into ISO standards, we became aware that it would also give added benefit to our organisation, our team and our clients, such as improving communication across the business, increasing staff awareness of threats and being able to reassure our clients that their information is safe… with an official certification to prove it.
Hiring ISO 27001 consultants
We officially started our journey in December 2019 when we enlisted the help of ISO 27001 consultants and information security experts, IT Governance. The consultants from ITG were hired to help us build the framework of the ISMS and allow us to learn and really pick their brains for information and knowledge of ISO 27001.
We set off working with ITG, having weekly meetings where we were drip-fed key information and various documents so as not to fry our brains too quickly. ISO27K was something brand new to our team, so going at this pace, where we could learn and implement as we trotted along, was vital to our success.
Between these meetings, we looked at our processes to see how we could better refine them to conform to the standards set in ISO 27001. For example, we made some quick, minor changes to our already secure infrastructures and obtained a new “military-grade” firewall to better segregate our networks.
Risk assessments and the Statement of Applicability
The first document we looked to create was a ‘Risk Analysis and Risk Treatment’ document. This was a risk assessment for all Eden Agency assets that were identified in our asset register. With this risk assessment we found a number of risks that required treatment, usually through mitigation using ISO 27001’s Annex A of controls. For many of these risks, we were already practicing the mitigation that we outlined, we just needed to evidence this by writing new or updating existing policies and procedures.
Another key document to create was the ‘Statement of Applicability’ or SoA. This is a very important document as it lists all the Annex A controls that are applicable to Eden and our ISMS. All the controls that we were to implement were detailed in this document.
With these documents in place and with us now building up our ISMS, we were making great progress. We decided now was the time to get our external audits booked in with a certification body, as we knew opportunities to be audited would quickly get booked up through 2020. After careful consideration and review of several certification bodies, we opted to do business with NQA, a UKAS-accredited certification body. Our stage 1 and stage 2 audits were now booked in for the late spring of 2020 – a goal for us to work towards when building and implementing our ISMS (Information Security Management System).
Now, while all this was happening and we were really gaining momentum, a deadly virus was beginning to sweep the earth. News of COVID-19 was becoming more and more prevalent. Businesses were being urged to work from home, with social contact being frowned upon. Eventually, the U.K. Prime Minister, Boris Johnson, announced a national lockdown. Immediately, Eden Agency took to working from home full-time. That’s a bump in the road that we needed to overcome...
ISO 27001 implementation in a pandemic
Times had changed. The world was turned upside down; what was happening was unprecedented. I am writing this 12 months since we started working from home and 12 months since the U.K. imposed a national lockdown. We are still working from home and still in a national lockdown.
Luckily, we made cracking progress on our journey through our collaborative work with ITG. We had the main documentation in place, the next exercise now was implementing and releasing new or updated policies to the team at Eden.
Furthermore, at Eden we already had a working-from-home policy. Granted, this was usually just once a week, but because of this, the change to working from home full-time wasn’t too disruptive for the team. Everyone had the capabilities to work from home efficiently and effectively, and all work for our clients was still going to be completed to the same standard, in the same time frame.
Our ISMS implementation team was now split up. We were no longer sitting in the meeting room together working from the same screen; there were no more valuable face-to-face meetings with our consultant; no more keeping the team up to date by calling them into the meeting room for a quick update. Now we had to manoeuvre around everyone’s newfound responsibilities of looking after their family and other home commitments in the workday. Our consultant was great though; we continued with frequent weekly communications, had our meetings virtually using Microsoft Teams and continued to iron out our documentation. As this went on, we started to reduce the frequency of our meetings with the consultant and cracked on with our own ISMS implementation.
Before the national lockdown and full-time home working, we had an internal audit booked in with ITG. This audit would allow us to assess our readiness for the booked stage 1 audit. These dates were beginning to creep up and the pandemic issue was not subsiding. In fact, the opposite - things were getting worse. With this in mind, the decision was made to postpone our internal audit with ITG and our external stage 1 and 2 audits with NQA for the foreseeable future, and we would look to rebook “when there’s light at the end of the tunnel”. This was because our preference was always to have our audits conducted onsite, so we could present all the great work we had done, in person.
An easy-to-navigate ISMS
We cracked on. We had our documents, the risk assessment, the Statement of Applicability, drafts of policies and procedures etc… but we had these as a suite of Microsoft Word and Excel documents in a shared workspace for our ISMS team. This worked fine when we were in the office working collaboratively, but while working from home, we quickly realised that this was not going to be a good way forward at all. So we worked on a different approach for housing our ISMS.
We already used Atlassian’s Confluence for project documentation, so it seemed logical to place our ISMS documentation there too, within its own ISMS space. This meant the ISMS could be navigated by the whole team (on a need-to-know basis of course!). So, we began the task of migrating all our current documents over to Confluence, with a bit of tweaking here and there using the comprehensive formatting tools now at our disposal. There are many, many reasons why Confluence is ideal for hosting your ISMS:
- Management – Clauses are easily segregated, and annexes are listed with parent pages giving descriptions and child pages featuring the control documents.
- Access control – The permission settings that Atlassian offers are comprehensive; each page in Confluence can have its own access control, making sure documents conform to our classification policies.
- Search – You can use Confluence’s search tool to simply search for keywords within all ISMS documentation, making navigation easy for everyone involved.
- Versioning and change history – Confluence has its own inbuilt versioning and change control, which ensures all pages have an adequate audit trail of changes.
- and many more…
Fast-forward a couple of months to the late summer of 2020: we now had most of our documentation in place, had refined our processes and, though we have always followed best practice, had now evidenced this for our auditors (whenever the audit may be). At this point we were still hoping for our audit to take place in the office, with full-time home working having ceased and some sense of normality restored before it was booked…
In the meantime, as we hoped for normal service to resume, we needed to build the team’s information security awareness and their awareness of the ISMS, the documentation within it and their roles and responsibilities. We started to have weekly Zoom calls with the whole team, dedicated to the ISMS and ISO 27001. We created presentations, held Q&A sessions and distributed policies – we ran these sessions over 2 to 3 months and bookended them with official training for the team, which was provided by ITG. By this point, we only had to complete our business continuity test and then dot some I’s and cross some T’s and we’d be well ready to have our internal audit, so we booked it in.
Business Continuity (BC) Testing
Just like most aspects of our ISO 27001 journey (which we were now 75% of the way through), we would have preferred to have been in the office for our business continuity testing; not because we are limited working from home but more because it’s a journey we should be sharing together as a team. Anyhow, we opted for a service-based disaster to test against and, due to working from home, carried out communications via telephone and with our corporate messaging weapon of choice, Slack. We love Slack and have done so for the past 5 years. It has been an invaluable tool for working from home and for communicating aspects of the ISMS. The virtual BC test went smoothly, confirmed our readiness and gave us various opportunities for improvement that we could add to our improvement log.
Remote ISO 27001 audits
It is now December 2020, a full year since we embarked on our ISO27K journey, and we are now in a position where we can have our internal audit, albeit remotely. We had never experienced an audit before, so even though we had full belief in our ISMS, we were extremely nervous. The audit was carried out through Microsoft Teams, where we utilised the screen-sharing facilities to showcase and demonstrate our ISMS. The audit took place over 1 day and went very well. Only one minor non-conformity was discovered, and this was quickly rectified the day after the audit. Several opportunities for improvement were also discovered and were addressed within a couple of days of the audit ending.
So, the main result from this audit was that we were ready to go ahead with our stage 1 audit with NQA; immediately following our internal audit, we booked this in. We were still hoping the pandemic situation would allow us to have our external audits conducted onsite, even with a skeleton staff. Stage 1 was booked in for February 2021 and stage 2 was booked in for March 2021, shortly after.
Stage 1 ISO 27001 audit
Unfortunately, the winter hadn’t been kind and the pandemic was picking back up, so we didn’t begrudge having to continue working from home and having our certification audits conducted remotely if it meant helping to save lives! The internal audit was good preparation for our one with NQA, as it went pretty much in the same fashion. We used Microsoft Teams and its screen-sharing facilities, while also allowing our auditor access to Confluence so he could see the working ISMS himself. It went swimmingly and only a couple of minor areas of concern were found, which thankfully were easily fixed. The outcome of this audit was that we were ready to go ahead with our stage 2 audit, which would hopefully end up with us being recommended for certification!
Stage 2 ISO 27001 audit
We had just under a month to prepare for the finish line in our initial ISO27K journey. The AoCs (areas of concern) were sorted pretty swiftly, so all we had to do was swot up on our own knowledge of the ISMS for any pending questions the auditor may have and give the team some refresher courses on the ISMS and information security as a whole, much like the weekly awareness meetings we had in the lead-up to our internal audit.
The stage 2 audit crept up on us very quickly and, even though we had experience of two audits before this one, we were again extremely anxious; we had been waiting on this for over a year. The audit lasted three days and was done in a similar manner to the previous two but featured more interviews with the team. With this audit, only one minor non-conformity was found. For us to gain certification, we had to provide NQA with an action plan for closing it, which we did the day after, as it was a pretty simple change to effect. We were successful and our auditor recommended us for certification to NQA! Our auditor was very knowledgeable and gave us some great advice that we have taken on board and applied to our workings - we don’t feel like we missed out by not having our audit conducted onsite!
Eden Agency is now an ISO 27001 certified digital agency!
Over a year of hard work and dedication from the whole team led to us being crowned with an ISO27K certificate. It’s certainly a great feeling. However, it doesn’t end there. We have our ISMS now, which we will continue to work on: continually improving it, doing everything we say we do within our documents, continuing to implement best practice and developing secure solutions for our clients, all while complying with the standard. Hopefully, our team will be reunited in the office very soon and we can celebrate safely! The same goes for our surveillance audit next year; hopefully this can be carried out onsite too!