Many readers of this blog asked me to present a real-life experience of ISO 27001 implementation in a company. Since I would be too subjective if I started writing my own impressions, I decided to interview my clients – Dragomir Perica and Ivancica Ljubic from Dabar informatika d.o.o., a company specialized in banking software development, with presence in South East Europe.
Q: Why did you start the ISO 27001 project?
A: The first reason is because the Croatian National Bank (regulator of the banking market) required us to do it – to comply with the best security standards. The second reason is that we wanted to do it because it makes perfect sense in our case – we wanted to brush up things in our company. For example, among other things, we are promoting security features to our clients, so it is important for us to act in the same fashion; besides, our IT personnel needs to perform a lot of tasks, so it is important to define rules to avoid the situations where big problems could occur.
Q: What were you most afraid of when you started the project?
A: How much time it would take, how much the existing system would be useable, and overhead. Regarding the time, we were afraid of how much time our team would need to invest in such an implementation, and how much time we (the top management) would need to spend on it. We were also afraid of the gaps we would find between what we have already developed against what the standard requires. Maybe the greatest concern was that the standard requires quite a few documents, so the challenge was how to align those documents with our way of doing business, without getting new and unnecessary tasks – we had this negative experience with ISO 9001 implementation, where we had to write some documents because of the standard itself, with no practical use.
Q: So did ISO 27001 bring you the overhead?
A: No, or to be more precise – the overhead is considerably lower than with ISO 9001. In the case of ISO 27001 we have managed to avoid it because we have set the processes and the documentation in a useful way.
Q: What were the greatest problems in the ISO 27001 implementation?
A: Not knowing the scope of what ISO 27001 really requires – what we were expected to do; or in other words – we didn’t know whether we were going to build a skyscraper, or a small family house. We also didn’t expect the theoretical approach required for the risk assessment, we lost quite a lot of time on it – until then we always dealt with the practical things, we never had to consider security on a conceptual level. As a consequence, in the beginning we didn’t do the risk assessment right.
Q: Why didn’t the risk assessment start well?
A: Not to go into details, let’s just say that we (the top management) didn’t pay enough attention to it – obviously, such a process couldn’t be done without our direct involvement because we were the only ones with a broader picture of the company, and we could make some crucial decisions.
Actually, we feel the whole project started moving much more smoothly after we started investing more time into it. Besides, during the project we understood that it really doesn’t make sense to skip the steps you suggested to us – e.g. it doesn’t make sense to implement controls before the risk assessment is done properly. We realized this after we skipped some steps and lost sight of the process.
Q: Do you think it would be better to let a consultant write the whole documentation, or should the company’s employees run the project and write the documentation themselves?
A: An outsider – a consultant or anyone else – cannot do it. Because then such documentation would be only superficial and we would never start living with it. Someone from the outside cannot know precisely how things work in a company, what is good and what is bad.
Although, since we had no experience in such a project, we wouldn’t be able to finish it without outside help – we liked your approach where you were guiding us through all the steps, and it was us who managed the project and the documentation. It was a good experience to have someone with a fresh eye to help us fill in all the gaps.
Q: What was the greatest surprise in the project?
A: Actually, there was none – we knew we had to formalize our system and that is what we have done.
Q: Which part of the project required the largest investment?
A: Involvement of the top management. We had to invest some time into this project, which means we had to postpone some other activities; on the other hand, if we hadn’t got involved, the project would have lasted much longer and therefore the cost would have been even higher. The investment in an alternative/backup location would have been the greatest, but since we already did it 2 years ago, almost no new equipment was needed for this project.
Q: What is your greatest challenge now that the implementation project is finished?
A: Having to live with this system. For example, we have 5 new young employees, who have no experience in security – we have to teach them to operate according to the standard. And that is difficult – it is much easier to explain it to someone with 20 years of experience, but when young people need to start working with all these documents, it is a great challenge that they do not experience it as a prison sentence.
Q: How to achieve that?
A: Continuing training. They will eventually become very good – after 6 months they will know it as well, if not better, than people who have worked with these documents for 15 years. They will learn how to work properly, but it takes quite a lot of time.
Q: When you draw the line, do you think ISO 27001 implementation has paid off?
A: Definitely. It has paid off because we found our own mistakes and corrected them. We are now much more satisfied with ourselves and with the work we do. Also, we have regular audits from our clients (banks) – when they come, we have nothing to be afraid of. A real stress relief.
You can see one more real-life implementation case in this white paper: ISO 27001 Case study for data centers.