Key Lessons Learned from my ISO27001 Recertification Experience

Personal Blog by Mabel Koolen

10 February 2023  |  Reading time: 7 minutes

Information security is an increasingly important concern in today’s digital landscape, and ISO27001 has become a popular standard for organizations looking to secure their information assets. ISO27001 provides a comprehensive framework for an information security management system (ISMS), covering people, processes and technology as well as risk management and the continual improvement of information security. By implementing ISO27001, organizations can demonstrate their commitment to information security and gain a competitive advantage in the marketplace, especially in today’s digital world of Life Sciences.

In this blog post, Mabel Koolen shares her personal experience with ISO27001 in a small company and offers insights and encouragement for those who may be considering a similar journey.

Last year, a small company approached me to help with their end-of-year recertification. This company had many similarities to my previous employer and placed great importance on providing high-quality products and services with strong security measures, driven by both customer demands and industry standards. This project aligned well with my previous work experience and my employer’s focus and provided a refreshing challenge.

Due to a change in key personnel, the company’s understanding of and approach to ISO27001 shifted towards a more “compliance-focused” perspective, with new employees not receiving an adequate introduction to, or training on, the intricacies of ISO27001.

This shift led to a lack of appreciation for the benefits and importance of the standard; instead, it was viewed simply as a set of rules to follow rather than as a framework for continuously improving the management of information security.

This narrow-minded compliance-only focus not only hindered the overall effectiveness and maturity of the organization’s information security management system, but also caused reluctance among employees to follow procedures since they did not fully understand the reasoning behind them.

Redefining ISO27001 within the company

Following a change in management, it became apparent to the customer that there was a need for an increased focus on quality and compliance within the organization and, as a result, on ISO27001. To aid in this, I was tasked with working with all departments to help achieve this goal and with leading the ISO27001 recertification audit at the end of the year to ensure its success. The company was already ISO27001 certified, so much of the groundwork had already been laid by previous efforts, providing a strong foundation to build upon.

This led to the creation of a tailored action plan that aimed to comprehensively improve understanding and adherence to policies and procedures. The plan involved redefining the scope and conducting a risk assessment, with the primary goals of increasing awareness and support throughout the company and achieving a higher standard of quality and security. Additionally, it was important to successfully pass the ISO27001 recertification audit.

The initial step was to thoroughly review and redefine the scope. This involved conducting a comprehensive risk assessment that evaluated all aspects of the business operations and their impact on information security. During this process, we identified any potential risks to the company’s information assets and worked to implement additional measures to mitigate them.

We also ensured that the risk assessment was aligned with our business objectives and the current information security threat landscape. This allowed the customer to prioritize the measures that would have the greatest impact in protecting all (information) assets.

After redefining the scope, we reviewed and updated all policies and procedures to align with the new risk assessment results and to ensure that they were in line with the ISO27001 standard. This helped to improve the overall level of security and compliance within the organization.

Overall, the thorough review and redefinition of the ISO27001 scope, along with the comprehensive risk assessment, helped the customer to ensure the effective implementation and ongoing maintenance of their information security management system.

Facing Challenges

One of the biggest challenges I faced during the whole process was the lack of understanding of the importance of quality among the employees who were mainly technically oriented. Some of them felt that their focus on technical aspects of their work took priority over quality and compliance. Additionally, they expressed concerns about not having enough time to complete the administrative tasks required by the standard. At the core of this was a lack of proper guidance and awareness.

To address these challenges, I worked closely with the management team to help communicate the importance of the standard and to educate employees on the benefits of adopting a more secure and compliant approach. In addition, to raise awareness and understanding, regular sessions were organized with the entire company to review updated procedures, address any concerns and review progress.

Additionally, employees were trained on the new policies and procedures, with a greater emphasis placed on their crucial role in ensuring the implementation’s success.

To address the time constraints, the management team provided support and guidance to help employees determine which tasks were the most important and needed to be prioritized, so that time was used efficiently and critical tasks were completed first.

We also streamlined the processes to make them more efficient and automated as much of the administration as possible to minimize the workload on the employees.

Through these efforts, we were able to successfully increase the focus on ISO27001 in the organization, which helped the customer to improve the overall level of security and compliance and reduce the risk of data breaches and information loss.

The moment of truth: The ISO27001 recertification

I was feeling nervous as it was my first time leading an audit independently, and even more so because it was for another company. I couldn’t help but worry about being formally evaluated on all the effort that had gone into the work over the past year. However, a colleague reminded me that the purpose of the audit is not to catch anyone out, but rather to verify the compliance of the ISMS with the ISO27001 standard and identify areas for improvement.

With this new perspective, I approached the recertification process with newfound confidence and enthusiasm. And, after successfully passing the audit, I would like to share with others some of the key takeaways that helped me along the way.

Key takeaways

Preparation is key
Redefining the ISO27001 scope ensured that everyone involved had a greater understanding of the scope and the processes. In the run-up to the recertification, additional awareness sessions were scheduled to give people room to ask questions and to understand the stakes and the impact.

Effective communication is critical
All relevant personnel were present to answer questions and supply information as required. They were instructed to be open, but not to give more information than needed: to provide all requested data and documentation, but to respond only to the specific questions asked. Advising all participants of this beforehand helped set expectations.

Stay organized
By having a well-organized and easily accessible collection of records and documentation, we were able to provide the information smoothly and confidently. This not only made it easier for the auditor to assess the ISMS, but also showed our dedication to information security.

Take notes
By writing down the auditor’s unofficial comments and observations we created a list of attention points that can provide useful advice and may help identify areas where improvements can be made. These points can then be used for further improvement of the ISMS.

Be open to feedback
By listening to the auditor’s recommendations and being willing to make changes to your ISMS, you show that you take proactive measures to secure sensitive information and are dedicated to constantly enhancing your systems and procedures. This approach can positively impact the auditor’s evaluation and lead to a more flexible and understanding assessment, rather than a strictly rule-bound one.

Challenging at first, worthwhile in the end

To sum up, the ISO27001 recertification process may be challenging, but it also offers an opportunity for growth and improvement. Despite the difficulties and being my first time in the role, I thoroughly enjoyed the process, received gratitude from the customer, and gained valuable insights.

In short, being well-prepared, having effective communication, keeping things organized, documenting everything, and being open to feedback can help ensure a successful audit and demonstrate your commitment to information security.

It is important to keep in mind that the auditor is not there to judge you, but to identify potential areas for improvement in the ISMS and enhance its overall effectiveness and security. Since that is the primary objective of the audit, it is crucial to stay focused on it and maintain a positive outlook. With a proactive attitude and a willingness to learn, the recertification process can be a rewarding experience for both you and your organization. So, embrace the challenge and take the necessary steps to secure your ISMS.

Are you in need of support for ISO27001? Don’t hesitate to contact us to learn more about how we can put the mentioned takeaways into practice to succeed in your journey towards ISO27001.

About the author

Mabel Koolen – Consultant at ION Pharma

Because of her varied work experience, Mabel is widely deployable. She is a flexible worker and a team player, is accurate in her work and values delivering good work. She likes to be challenged and is eager to gain new knowledge.