This is a guest post by Chris Rogan from Unleashed
From ISO 9001 to ISO 27001 … and beyond
I’ve known Shaun at Capable People for many years; in a past life, I was lucky enough to be trained as a lead auditor in a number of standards, and we have kept in touch ever since. When we recently caught up, he asked whether I’d write a guest post and I jumped at the chance.
Like Shaun, I’m also a rather prolific blogger over at my company, Unleashed. One of the many things that interest me is the use of IT in the successful standardisation, implementation and ongoing improvement of business processes.
Around the time I was trained to be a Lead Auditor by Shaun, I was an IT Manager of a highly successful Nuclear Construction business at Sellafield. My role evolved – fusing what I knew about IT with Management standards, we accelerated a programme that achieved triple ISO accreditation for the business in ISO 9001, ISO 14001 and OHSAS 18001.
How IT can help ISO standards
My first experiences of businesses working with ISO 9001 were in a glazing factory, where the work was very much paper based. The system was, of course, not mine. It was cumbersome, funded by the old Business Links and EU grants, and really wasn’t followed. The ideal was to eventually go for kite marking of glazed units, which never quite moved forward.
The systems I developed were all based on the fact that we’d invested in ERP tools. Don’t let the Three Letter Acronym (TLA!) worry you; what ERP stands for is less important than what it does. Imagine if you had one piece of software in your organisation that managed your accounts, your production scheduling, deliveries, resources (both human and other) and payroll.
We essentially had one integrated piece of IT that the standards could be written to, and tools such as Microsoft SharePoint covered issues that the ERP couldn’t hoover up. It was no wonder that for a 300 employee organisation we achieved accreditation in less than 12 months.
How ISO standards now help IT
I recently implemented ISO 27001 for Information Security Management – at my old employer no less. It’s a relative no-brainer that in the nuclear sector you’ll need this level of management standard to even tender for work and show the supply chain you’re serious about confidentiality.
My take on 27001 though, is still very much from the practical side of the implementation – the actual IT controls that you need to build in order to successfully implement the ISO 27001 standard and achieve successful accreditation.
Working in a responsive business is frustrating for an IT department: quite often we didn’t get notice of leavers and starters – I even got ‘attitude’ when I asked what people were starting as, even though I needed to know in order to set up security permissions.
ISO 27001 in many respects allows you to professionalise your IT. It brings in specific controls that require discipline to be enforced inside the company and, in turn, smooth IT operations.
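As an added illustration of the leaver/starter control just described (example code written for this post, not the author’s or any ISO toolkit): a reconciliation that compares an HR roster export with a directory account export and flags leavers still enabled, starters with no account, accounts HR knows nothing about, and group memberships outside what a role is entitled to. The roster, directory and ROLE_GROUPS policy are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: an HR roster export and a directory account export.
HR_ROSTER = [
    {"user": "asmith", "role": "Engineer", "end": None},
    {"user": "bjones", "role": "Finance Clerk", "end": "2015-05-29"},
    {"user": "cwhite", "role": "Contractor", "end": None},
]
DIRECTORY = [
    {"user": "asmith", "enabled": True, "groups": ["staff", "engineering", "finance"]},
    {"user": "bjones", "enabled": True, "groups": ["staff", "finance"]},
    {"user": "dbrown", "enabled": True, "groups": ["staff", "domain-admins"]},
]
# Groups each HR role is entitled to (assumed policy, part of the example).
ROLE_GROUPS = {
    "Engineer": {"staff", "engineering"},
    "Finance Clerk": {"staff", "finance"},
    "Contractor": {"staff"},
}

@dataclass(frozen=True)
class Finding:
    user: str
    issue: str

def reconcile(roster, directory, today_iso):
    """Return findings where account state disagrees with what HR says."""
    today = date.fromisoformat(today_iso)
    accounts = {a["user"]: a for a in directory}
    known = set()
    findings = []
    for person in roster:
        user, acct = person["user"], accounts.get(person["user"])
        known.add(user)
        end = person["end"] and date.fromisoformat(person["end"])
        if end and end < today and acct and acct["enabled"]:
            findings.append(Finding(user, "leaver still enabled"))   # leaver not processed
        elif not end and acct is None:
            findings.append(Finding(user, "starter has no account"))  # starter not processed
        if acct and not end:
            # Current staff: every group must be one the HR role entitles them to.
            for g in sorted(set(acct["groups"]) - ROLE_GROUPS.get(person["role"], set())):
                findings.append(Finding(user, f"group {g!r} not allowed for role {person['role']}"))
    for user, acct in accounts.items():
        if user not in known and acct["enabled"]:
            findings.append(Finding(user, "enabled account unknown to HR"))  # orphan account
    return findings
```

Run against real exports, each finding becomes a ticket for the leaver, starter or access-review process rather than a surprise found during an audit.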
ISO 27001 and the developing cyber security standards
You’re probably reading this thinking that you don’t need anything, your IT contractor or your IT department takes care of this. However, as an owner or director you have both a fiduciary and legal duty to take care of the information you hold.
Legislation such as the Data Protection Act means that if you work with personal data then you have to take necessary, reasonable steps to protect it and it’s not the IT guys or IT company who are liable. It’s you.
Now, I don’t say this to scare you – it’s a new fact of life. Everyone talks about cyber warfare, Russian crime syndicates and all sorts of other global issues that don’t seem to affect SMEs in Blighty.
I remember the first time I was hacked. The servers that I had built with my own fair hands became a dumping ground for an Italian hacker who used our ISDN connection (yes it was a while ago) to get into our server and set up a file sharing site. We had a lot of PlayStation games, Italian movies and dubious quality porn.
I quickly deleted two thirds of that and patched up the problem (Microsoft’s fault, not mine). But it was a stark reminder that the risk is real, has been there for a long time, and the only reason I noticed the problem was because the hacker had filled up our hard drive to the point where the backup tapes were full.
More recently I’ve been involved in helping out with cases of bank fraud, employees stealing company data and worse. You’ve probably already been compromised, but the hackers have been relatively benign, and your awareness will only be raised when one of your employees experiences a bank fraud and investigations eventually lead back to the employer’s databases.
It’s fair also to say that the Information Commissioner has recently developed not only teeth but fangs, especially for those who don’t take basic steps for Cyber Security. Fines have been growing and are probably at the point where they could kill off an SME.
The standards mean you don’t need to be a geek to know the right questions are being asked; the whole point of ISO 27001 is that information security becomes a routine part of what you do. If you don’t want to go that far, the government is starting to push Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials Plus is also eventually going to find some integration with ISO 27001. Word from those in the know is that these standards are going to become prerequisites for any public sector supply-chain work.
Moving forward, businesses that have been proactive about adopting these standards will, like those who adopted 9001, 14001 and 18001 early, receive the benefit of kudos, of being the safe pair of hands and ultimately of being able to prequalify for work where others couldn’t. The same will undoubtedly occur for Information Security.
If you want to learn more about the issues discussed in this blog, Chris Rogan can be contacted at Unleashed www.weareunleashed.com