The Road to ISO Certification and What I Learned Along the Way

This year has been a massive one, for me personally and for Criteria. I’m proud to say that in 2021, we successfully achieved full ISO27001 information security management system (ISMS) compliance for our North American and APAC businesses – and we have the certificates to prove it!

As the year draws to a close, I’ve had time to reflect on how we got here and what I learned along the way. Who knows, it might help you on your own ISO journey.

Why We Decided to Get ISO27001:2013 Certified

In the last five years at least, customers have become more assertive in wanting assurance from their suppliers that their data is held and processed securely. Since the SolarWinds cybersecurity incident, we have observed a significant injection of cyber controls into our business by customers. This was not limited to technical controls but also contractual clauses, disclosure of sub-processors, and administrative procedures. We found that customer requests and needs were unique from one another, and it was becoming unsustainable for us to respond to individual requests – let alone agree to them. We simply could not have complied with our customers' growing individual security needs had we not taken a strategic approach that could scale with us as our company grew.

The ISO27001:2013 standard was selected as the ideal standard for us to comply and certify with. It is internationally recognized, tangible, and achievable. And most importantly, ISO/IEC 27001:2013 gives our customers the security assurance they wanted. ISO27001 represented a comprehensive information security management system that we could adopt, and that our customers could rely on. By adopting the standard, we are able to say to our customers “You can trust us.”

Buy-In is Everything

There’s no hiding it – being “ISO-ready” takes a lot of work. Achieving compliance needs firm commitment from the highest levels of the organization. I was lucky in that our CEO and the rest of Criteria’s executive team understood the need for robust cybersecurity and the value it added to the business and to our customers. But for those of you who may not have wide support for your new security initiatives, here are my tips:

Numbers talk.

Quantifying the financial risk to the organization of poor information security management can present a very compelling case for C-Suite and Board members to take the obligation seriously. It also helps them prepare to invest in getting it right.

Get everyone on board.

Ensure all layers of the organization have accepted the path you’re going down. This includes board members, too. In some jurisdictions like the E.U., company directors can face stiff penalties (including jail time) for bad data management practices.

Be pragmatic.

It’s easy to use a “lock everything down” approach, but that can have a negative operational impact. It can also cause employees to see tight security as an inconvenience rather than a critical asset. Yes, the primary goal is security, but avoid creating lots of friction for the business as you implement new standards. Pragmatism will win friends across the organization.

Cybersecurity is a collective responsibility.

Everyone in the company must embrace the changes, understand why they are happening, and see the positive outcomes. The human factor is the most critical element of a successful cybersecurity strategy.

Have a Plan of Attack

First, understand your targeted standard and its requirements. Then plan out how you will implement, and who needs to be involved and when. Here’s how I did it:

  • Create a high-level plan with stated outcomes.
  • Develop corporate-wide policies (Acceptable Use, Password rules, Least Privilege, etc.).
  • Develop departmental policies (SDLC, Data Retention, regular audits, etc.).
  • Create a communications plan. Who is the audience, when to communicate, and the message to be delivered.
    • A critical key to success is repetition. You are dealing with a dry subject, so people often tune it out quickly. Repeat the same message in different ways and take as many opportunities as possible to deliver it. For example, send out company-wide emails, start general conversations, have executive discussions, create security bulletins, hold company-wide meetings and team meetings, etc.
  • Schedule internal audits to ensure nothing has been missed. Have a consultant play the role of the ISO27001:2013 auditor.
  • Ensure the Statement of Applicability is complete. Remember the standard also requires you to justify what you are implementing, not just the exclusions.
  • Tackle the easier low friction policies first, like Password complexity.
  • Own the implementation and don’t offload to a consultant.

Work with a Reputable Partner

The market abounds with so-called cyber-experts offering services to organizations. These often come with a substantial investment. To be sure, working with an expert partner can give you a terrific advantage during your ISO certification process. But it’s critical that you choose your partner wisely. Here’s what I looked for:

  • Separate technical expertise from policy definition. You need the policies and risk assessments. Find a consultant that can help you define these within the requirements of the standard.
  • Armed with the policies and risk assessments, you can bring in technical expertise from in or outside your organization.
  • Make sure the consultant has been through the ISO27001 process many times over.
  • Lastly, remain in control. Never let the consultant define your policies. You need to own them, not the consultant.

Take the Team on the Journey with You

All the best intentions, processes, systems, and certifications can fall apart without support. Unless the whole organization supports the initiative, your organization will struggle to adopt compliance measures. Realistically, you’re not likely to turn your entire company into die-hard ISO fans overnight, and (like any change management initiative) there will be some pain and frustration that they experience and voice.

When this inevitably occurs, it’s important to listen. Acknowledge their frustrations and reiterate the importance of what you’re trying to achieve, both to the business and, perhaps more importantly, to customers. Then share your appreciation of them trying hard to adopt it. You may wish to build some “flex” into your rules to enable feedback from the team to be considered and implemented where appropriate.

I would recommend getting some influential internal champions on board early. In every organization there are employees who others look to for their opinions. Keep in mind that these individuals aren’t always on the Management Team. Influencing the influencers in your organization can be a very useful strategy in creating a groundswell of support for an ISO27001 initiative.

It’s important that every layer of the organization has bought in. In particular, if you don’t get management buy-in, you will not have a successful implementation. To clarify: you may get certification but you won’t have the true cyber security you seek in practice.

Consider creating a toolkit to enable team members to simply and easily communicate the benefits of ISO and how your company is addressing it. As an example, here’s one Criteria prepared to help our customer-facing employees answer questions about cyber-security for our customers.

People -> Process -> Technology

Too often in my career I see people jump straight to technology as a solution before they fully understand the problem they’re trying to solve. This inevitably leads to failure or a sub-optimal implementation. It’s vital that you get people on board first, then define the policies and processes, followed by the technical solutions. I can’t emphasize this enough. And this sentiment extends beyond ISO implementation to any business solution.

Celebrate the Success

We’re regularly hearing from our customers (both current and future) how important working with a partner who has ISO certification is to them. It gives them a lot of confidence to know we take security seriously and that we have the highest level of process in place. It’s tremendous for people like me to hear that feedback, as it validates all the hard work that goes into the certification process. But it’s also important to share it across the business so that everyone recognizes the success that comes from their hard work and diligence. ISO can sometimes feel like a dry topic, but it becomes exciting when you find out that it’s been instrumental in clinching a major deal!

With that in mind, celebrate successes as often as they occur. At Criteria, we use our internal chat software, Microsoft Teams. You might have an intranet or an email distribution system that works better for your company. Whatever you use, make sure you frequently share good news and positive feedback across your organization. ISO and cyber security should be seen as an asset to the company, not just something the technical people do. To make sales these days, we can only satisfy our customers if we have a comprehensive security program in place and they can trust us with their data.

It’s Worth It

I’m not going to pretend that the road to ISO27001:2013 compliance is not hard work. It absolutely is. There will undoubtedly be potholes that you will need to navigate along the way. Having been through two certification processes in a single year to get our company globally certified, I am now seeing our sales cycle shorten due to customer acceptance of our efforts. Although not every customer accepts our attestations without any further questions, it’s satisfying seeing those that do. And as our cyber maturity grows, I believe this will only increase. This is tangible ROI. Becoming ISO27001:2013 certified has been beneficial company-wide, and Criteria has embraced it as a value generating asset, not a compliance drag.