Our agile journey towards a fancy ISMS - Part 3

We, Avisi, have started an agile journey. A journey with one destination: a fancy ISMS for Avisi. I gladly take you along on our trip, by blogging about the adventures we've been through. So fasten your seatbelt, we will travel through a roadmap to remember.

Meet our fellow traveler

In my previous blogpost I mentioned we succeeded in choosing our fellow traveler. Now, I can gladly tell you that Bjorn van der Schaaf from Insite Security supports us along our trip. He is both an advisor in ISMS implementations as well as an IT auditor, which means he knows how to combine knowledge and experience from both sides of the medallion.

I also talked to some of Insite Security's references as Reggefiber and ondertekenen.nl. Insite Security has helped them to develop and implement an ISMS towards the ISO 27001 certification. The references were very enthusiastic, helpful and open about their experiences with Insite Security. They are satisfied about the collaboration and their contribution, their specific knowledge and their no-nonsense attitude. Their positive experiences matched with the requirements we have regarding an advisor. We therefore choose Insite Security as a partner during our journey.

Delighted about our excursions

As said earlier, we have planned several activities or 'excursions' which will help us move forward step by step. During the first excursion, Bjorn has met our management team. We introduced ourselves and illustrated some more about who Avisi is, how we work, what products and services we offer and what business philosophy we pursue. And among others, we discussed the applicability of our ISMS. Are we going 'all in' or do we start small with some business units and grow, let's say, every year? An interesting discussion with both their pros and cons. Later more about this.

The second excursion is all about getting to know our company. Therefore, I arranged some interviews with Bjorn and some of my colleagues from different project teams. The questions focused mainly on what customer the specific team is serving, about current agreements with the customer, what data we are processing for our customer, whether we use production data in our testing process (hell no!), what suppliers the team depends on in delivering their product or service, etc. This excursion resulted into a clear view of the Avisi teams, the degree of security awareness and how security related issues and actions are handled currently.

Next thing we decided is to start with risk analyses for a couple of our project teams. When finished, we will compare the results of the risk analyses which will give us new input on how we should proceed our journey. The risk analysis will be guided by Bjorn and a colleague who is an experienced guide in risk assessments. They monitor the process while we deliver the content. I am looking forward to it!

In short, the excursions we planned so far are the following:

1. Introduction with our management team
2. Avisi lunch meeting
3. Interviews with colleagues
4. Risk analysis sessions

Let's make a stop for a lunch meeting

The lunch meeting I mentioned before - to inform all Avisi employees about the development of our ISMS - was a great success. It was good to see that almost everybody in our office was present, including our management. I will now show you in a nutshell how we informed everyone about our ISMS. I discussed the ISMS step by step by using the following topics:

What

What is an ISMS? What does it stand for? I explained the term Information Security Management System and how we use ISO 27001 as our guide in developing the ISMS. Most important message in this part is that we are mainly focusing on bringing Avisi's internal security awareness to the next level, rather than having the ISO 27001 certificate. Of course that is important as well, but we consider our inner growth as more important than obtaining the label. Obviously, when we are fully set with our ISMS, the ISO 27001 certificate will be the icing on our cake. Also, I showed them that we will not bore anyone with jargon as ISO 27001, Information Security Management System (Lord have mercy), etc. and that's why we spiced up the ISMS concept.

Within Avisi, ISMS stands for "Ik Scoor Met Safety" (in English this would be "I Score With Safety"). We also created a catchy visualisation using a safety car to support our message:

^{Image by BMWBLOG.com}

Safety cars are a perfect metaphor. The main activity in car races involves high speeding and unfortunately it can go wrong due to crashes that might occur. Safety is therefore very important when it comes to car racing. This is similar to IT: we do our best to protect our main activity and we take measures to avoid incidents as good as possible, but when they do occur, we want to be ready to take appropriate actions. Same as in car races! When everything is okay and the race is on, the safety car is present, but not prominently in sight. But when an incident occurs, the safety car is on track within no time and guides the race at a lower speed until other parties have solved the issue. When cleared, proceeding the race will be safe again and the safety car leaves the track.

Why

Why do we want this and why is now the time? We see information security as an integral part of our daily work. We know we take good care of information, but now we would like to prove it. An ISMS will enrich us internally, which leads to trust externally. We want to show everyone that we score with safety!

Who

Who does it affect? It affects everyone at Avisi. We're all already pretty busy, so extra work or boring presentations aren't on our wish list. And that's why we emphasize on everyone's input. Are you not satisfied? Speak out! Then we can do something about it. Do you have any ideas? Speak out! We need your input. All feedback is welcome.

When

When do we start and what activities come with it? We started in March 2016 and we foresee that development and implementation of our ISMS will take this whole year. Quality beats velocity. We're sure that in December we'll look back and be proud of what we accomplished as a company.

How

How does this affect us individually, in concrete terms? How does it work? I showed some specific examples of how daily work might get affected by the ISMS. This is company dependent, since we are free to choose our safeguards. These are some simple examples:

• Wipe out whiteboards after every use;
• Make responsibilities explicit;
• Document your work;
• Encrypt sensitive or secret data;
• End web application sessions after a certain amount of minutes;
• Use the four-eyes principle before pushing code to the master branch (preferably, use six eyes or more).

Lessons learned

What did I learn? Well most important thing I've discovered is that I get energized most by making people around me excited about the project, which in turn has a positive effect on the project itself. So take that extra effort to make things more attractive and understandable, show that you know about how people daily work and make concerns discussable. This gives your project a boost. I really much enjoyed doing the lunch meeting and this is just the beginning. Stay tuned, and in the meantime... Have you scored yet?

This is part 3 of the series. Below you can navigate to the other parts:

• Part 1
• Part 2
• Part 2 -IOS
• Part 4