Many things get easier with repetition, but one thing never does: audit day.
Last Tuesday was audit day, and as CEO and Information Security Officer, it’s the most anxious day of my year. But implementing ISO 27001 has been one of the best decisions we’ve made as a company.
If you’re thinking about how to secure your organisation’s data, ISO 27001 (the information security ISO) is an ideal place to start. It has several core elements: an extensive set of clauses covering everything to consider in the context of an organisation; requirements for leadership, resources, risk assessments, internal audits, reporting, training, and ongoing improvement; and the rigour of an annual external audit.
Audit day arrived, and the ‘virtual’ format softened the blow. But when two auditors, not just one, popped up smartly on Teams at 9 a.m., it was clear that no stone would be left unturned. Following the call they set about analysing our management system: digging for evidence, testing our policies and procedures, questioning our employees’ understanding, and noticing anything we may have overlooked.
Auditors identify areas for improvement or areas of non-compliance. Non-compliance means you’ve missed something the ISO standard considers essential. A major non-compliance is a serious failing that could affect certification and potentially lead to the loss of our valued certificate. That’s the ultimate worry of a security officer, especially when customer contracts depend on it.
Why ISO 27001 is Important to Legalesign
As an eSignature provider, trust is incredibly important to us. Our customers trust us to sign confidential, valuable, and business-critical documents. Without trust, the whole relationship falls apart. We demonstrate that trust in the way we work and deal with our customers.
One of the ways we can demonstrate our commitment to data security is by conforming to the robust set of guidelines and policies that make up ISO 27001. It’s one thing to say “We have good security” but another to prove it independently with an audited ISO certification.
An Opportunity for Continuous Improvement
A key tenet of the ISO standard is continual improvement, which is also why implementing it early is so useful. If you’re running a start-up, you might question the necessity of ISO 27001. The earlier you start, however, the easier it is to begin, and the more you'll get from it. The ISO provides a frame for thinking about data security, even if you’re already confident about your operations.
As worrying as audit day might be, it’s also one of the best ways to get professional advice on your information security overall. Auditors are human and want to help your company succeed. They have unrivalled experience in information security and related areas such as data protection, across various sectors and businesses of all kinds; that advice is invaluable to a growing company. Sometimes they even offer new thoughts on products and services we could offer, a welcome bonus.
I learned the ISO 27001 framework when Legalesign was a company of two people. It was a long haul. But we are now six years into our ISO 27001 certification, and it’s hard to imagine a good information security system without it. As a programmer myself, I had a good awareness of security in software, but the ISO covers the whole organisation, not just software.
Data protection has changed so much in the last six years, not only in the opportunities it offers but also its threats, and the regulatory bite for getting it wrong. For any company with data at its core, ISO 27001 now seems to me as essential as a driving licence on a motorway. Start-ups may wonder whether they really need it as they plan great new features and exciting tech. If that’s you, then perhaps the ISO 27001 is more for you than anyone. Theodore Roosevelt once advised,
“Keep your eyes on the stars but your feet on the ground.”
I can attest, the ISO 27001 will keep your feet firmly affixed.
The difficulty of ISO 27001 reflects the nature and size of your organisation. If information security is critical to you, then you will want to do more to secure it. You will have more risks to consider and more actions, mitigations, policies, and procedures to manage those risks. If you are a large organisation, you may have hundreds or thousands of policies and procedures to maintain, and bigger tasks that involve many employees, such as ensuring everyone has good cyber security awareness.
Is ISO 27001 Certification Worth it?
The question of whether ISO 27001 certification is worth it ultimately depends on the specific circumstances and priorities of a business. ISO 27001 undoubtedly offers a multitude of benefits, including improved data security, enhanced customer trust, regulatory compliance, and a competitive edge in the market. For businesses dealing with sensitive information, such as personal data or financial records, achieving ISO 27001 certification can be a critical step towards safeguarding their assets and reputation.
It not only helps protect against data breaches and cyber threats but also shows a commitment to maintaining high standards of security and compliance and keeping your documents safe and secure. In today's increasingly digital and interconnected world, prioritising information security is often a wise and necessary investment. For Legalesign, the rewards make up for the stress of audit day.
What does it mean to be ISO 27001 Certified?
ISO Certification means your organisation has an externally audited management system that meets a set of standards for information security.
What are the benefits of ISO 27001?
The main benefit of ISO 27001 is that you, as an organisation, get an externally verified system that helps you implement and improve your information security, and then prove that to your stakeholders, and especially your customers, too.
How difficult is ISO 27001 certification?
There’s nothing inherently difficult about ISO 27001 beyond what you need to maintain good information security. If you are already practising good information security, the ISO will help you frame and improve it over time. If you aren’t, it will tell you how.
How Do I Start the Process?
Take a good look at your current Information Security Management System (ISMS), how it compares with the standard set out in ISO 27001, and what you need to do to reach that standard. There are several third-party companies who offer help and guidance on this. Once you feel you meet the standard, you can register for certification with an accredited certification body, which will begin the audit process.
Legalesign is ISO 27001 certified eSignature software that specialises in providing contract workflows, including witnessing and approvals, for organisations.