Our agile journey towards a fancy ISMS - Part 1

We, Avisi, have started an agile journey. A journey with one destination: a fancy ISMS for Avisi. I gladly take you along on our trip, by blogging about the adventures we've been through. So fasten your seatbelt securely, we will travel through a roadmap to remember.

What is an ISMS?

ISMS stands for Information Security Management System and its purpose is to offer a solid foundation which consists of organization's main policies (where I prefer to call it principles, rather than policies) when it comes to securing information.

These principles are extracted from the business philosophy and business processes. The next step is to verify measures that correspond with both the principles, as the daily workflows. It is important to use a bottom-up method in determining measures, because full acceptance starts with belief and approval of employees. Furthermore, a good ISMS is not a 'system' as in the traditional meaning of it with input leading to output. No, it's more like a cycle, a neverending story in improving the security of an important company asset: information.

Why would we start now?

Information security is and will be a hot topic, since cyber attacks increase and become more and more sophisticated. We live in an era where everyone and everything is online. The Internet is world full of hidden treasures, so why not try to obtain a treasure to use it in our own advantage? Think about companies storing their critical business information online. Devices which contain sensitive information about your behaviour are online. You and I store personal information online. Privacy sensitive information, such as banking accounts, passwords, and social security numbers, are stored at databases all over the world.

As Avisi, we take information security very serious and we know that - at this very moment - our data and data of our customers is transferred and kept as safe as possible. But how do we ensure that others know this as well? On the other hand, we are ready for the next level in professionalizing our company, which provides us with more structure, control, and continuous improvement. Since security awareness keeps on growing, I also believe that within a couple of years, having a proven effective ISMS will be a deciding factor in gaining new contracts. We know we take proper care of our assets, so now it's time to make this more explicit in building and implementing an ISMS together. Thus, our time is now - or actually two months ago - to evaluate and refine our security measures in a way that's proven, standardized, and internationally accepted.

ISO27001 & ISO27002 as our guide

Along our way in discovering our wishes and goals we decided to use the structure provided by the ISO-standards in information security (ISO27001 and ISO27002). The difference between the two standards is that you can get certified for ISO27001, which contains the values where we have to live up to and ISO27002 provides an elaboration of ISO27001, containing best practices. In our journey, we use ISO27002 as our guide. Our main goal is to implement a fancy ISMS, which fits our company and every person in it best. When completed, we have a second goal which we see as a logical next step and as a crown on our achievement: to obtain the ISO27001 certificate. But before we're at that point, I'll show you what places we have been to in discovering our goals.

Phases in agreeing on our destination

The steps we have taken so far:

1. Inventory phase: collect as much information as you can about ISMS's and ISO27001:
   1. Talk with management about their wishes and expectations.
   2. Talk with colleagues to discover their attitude towards it.
   3. Talk with people of other organizations who are ISO27001 certified - thus have a working ISMS.
   4. Read about how to successfully implement an ISMS.
   5. Invite several consultants who support companies in implementing the ISO27001 standard to gain information about the steps in the implementing process.
   6. Buy ISO27001 (the main document) and ISO27002 (best practice) and read them thoroughly.
2. Interpretation phase: now you have collected a stunning amount of knowledge, it's time to aggregate it and compare it to the current state of the company. This allows you to make a gap-analysis and propose different ways of getting to our goal.
3. Expectation management phase: make sure you inform management and plan a meeting together. At the end of the meeting you all promise commitment on a common goal (very important!) and plan activities that can be scheduled in the upcoming sprint.

Difficulties and lessons learned so far

The distance we have traveled so far is a learning experience. I have some tips for you, derived from the difficulties I have encountered:

1. Enforce the management team to unanimously agree on a common goal.
2. Putting an agile company in an ISO-standard: this sounds quite weird, but it is possible as long as your measures are originated and supported by your employees. A principle should be derived from the business philosophy, which lives among your employees.
3. Scoping of our company. What departments does the ISMS affect? What about our testing department? What about our research and development department? The answer to the first question is to not be afraid of the ISMS and what it may or may not change. You come up with measures and controls for currently used workflows, so you are in control of the extent of change and the acceptance of it.
4. Making information security a part of our daily job is the key to a successful ISMS, instead of approaching information security as an extra task. Tasks concerning information security should be integrated in existing workflows.
5. Don't put hours and hours in writing a proposal. Talk to the people you are writing for and check several times whether you are assigning the right things for them to make a proper decision.

Ok, now we came to the end of the first part. Did this first stop on our agile journey make you hungry for more or would you like to share your story with me? Please keep up with this blog or feel free to contact me. I would be happy to talk to you.

Until next time!

This is part 1 of the series. Below you can navigate to the other parts:

• Part 2
• Part 2 -IOS
• Part 3
• Part 4