We recently decided to commit to ISO 27001 compliance. It was something we’d become aware of over the years, but weren’t very familiar with. Now, it’s a significant investment of time and money that we recognise is critical to our success. And we’re not alone – in the last few months industry providers like Cadmore Media and Silverchair have announced ISO 27001 compliance.
So, we thought it would be helpful to share our information security (infosec) journey: what led us here, what ISO 27001 is, why we chose it over other related standards, and how we’re working towards compliance.
We’d also like to thank those of you who shared your own experiences with ISO 27001 with us – especially our friends at Cadmore Media – as this really helped us plan our journey. We’re happy to share the love, so feel free to contact us if you have your own questions.
What led us here?
We received our first infosec questionnaire in 2018, from one of our library clients. Although many of the questions weren’t relevant (it was a template), it was a useful – if painful – exercise to go through as we didn’t have prepared answers. Over the years, as our client base expanded to include global corporations and government departments, the volume and depth of these questionnaires increased. And we started receiving them from publishing clients too, often driven by questions they were getting from their own customers.
We’ve developed a good set of templated answers over the years, but the administrative effort involved in responding to these questionnaires is still significant. Each one arrives in a different format (Word, Excel, online portal), asks slightly different questions, and frames them in a slightly different context, so you can’t simply cut and paste …
The tipping point was two-fold. We’ve started to get questions about compliance with various infosec standards over the last few years and have recognised that compliance provides our clients with the unambiguous seal of credibility that they are looking for. We’ve also realised that compliance would reduce the burden of responding to the regular drumbeat of infosec questionnaires!
What is ISO 27001?
ISO, the International Organization for Standardization, was created in 1947 with the vision of “making lives easier, safer and better”. It’s an independent, non-governmental organization made up of members from the national standards bodies of 172 countries, and has published over 25,000 international standards covering almost all aspects of technology, management and manufacturing.
ISO 27001 is the international standard for Information Security Management Systems (ISMS). Originally published in 2013, the current edition of the standard (version 3) dates from 2022.
Certification means that an organization has put in place systems to manage risks related to the security of data owned or handled by the organization, and that these systems respect all the best practices and principles enshrined in the International Standard.
Certification also needs to be renewed annually, to ensure that you maintain and develop your ISMS as compliance standards evolve over time. Like puppies, it’s not just for Christmas.
Why choose ISO 27001?
Although other standards and best practices exist, they don’t offer the same level of quality. The American Institute of Certified Public Accountants has a framework for safeguarding data called SOC 2 (Service Organization Control 2), but its scope is less comprehensive than ISO 27001 and it is focused on the USA. Similarly, the US National Institute of Standards and Technology has a Cybersecurity Framework (NIST CSF), but adoption is voluntary and there is no formal certification of compliance. ISO 27001 is the only comprehensive, internationally-recognised standard.
How are you becoming compliant?
We did a fair amount of research before deciding how to proceed.
One option is to do it yourself: download the standard, determine which parts are relevant to your organisational processes, and work through each one in turn to determine what (if anything) needs to be done to conform to it. Fundamentally, an Information Security Management System is a set of systems and processes that reflect best practices in information security, and they need to be tailored to each organisation’s context and risks. When you’re ready, you bring in an external assessor to review your ISMS and certify that you are compliant.
Another option is to bring in compliance experts to walk you through the process. Like all consultants, your mileage may vary, and we’ve heard horror stories as well as positive experiences.
Ultimately, we decided to partner with expert consultants. In our case, the opportunity cost of tying up internal staff for a longer period was greater than the cost of bringing in consultants. We also valued an independent view of our processes, plus help in developing best practices to close any gaps in compliance.
So, what’s next?
Our compliance journey kicks off later this month with an analysis of our current systems and processes, and culminates next year with an external assessment of our compliance. Our goal is certification by Summer 2025.
We’ll let you know how it goes! And feel free to contact us if you have questions.