Why Did We Get ISO 27001 Certified?
Others Avoid It, We Said “Challenge Accepted”
From the beginning, Tugboat Logic’s goal has been to demystify the complexities of information security. While no one enjoys being audited, this inevitability is what fuels us to constantly improve upon our product. So while we didn’t have an external party requiring us to get ISO 27001 certified, we decided to challenge ourselves. For those of you who have gone through an audit yourself, you may be asking yourself “why would you want to go through an audit unnecessarily?” Here’s why …
- This is us wanting to be better. We always strive to demonstrate to the world that we take security seriously. And what better way than putting Tugboat Logic through one of the more demanding audit processes? We say “bring it on!”
- We are always making improvements to our product and ISO 27001 is one of the areas we have been working on. We wanted to test out our own product and experience the process as a customer would. So what better way to do this than get the ISO 27001 certification with our own tool?
So here’s a look at what the ISO 27001 is about, what makes it so grueling, and what we learned through our own experience.
What is ISO 27001 certification and why it matters
The ISO 27001 certification is an independent, expert assessment that demonstrates a mature security program and a commitment to keeping the data an organization manages secure. The ISO 27001 certification ensures that we have a system in place to manage security risks with clearly documented processes that help us continually improve.
What are some of the challenges when obtaining this certification?
Putting together your ISMS
In order to understand what makes the ISO 27001 so difficult, we must first understand the concept of ISMS. ISMS stands for Information Security Management System and is a systematic approach consisting of processes, technology and people that helps you protect and manage your organization’s information through effective risk management.
In other words, it’s the documentation of every single process in your entire organization that relates to information collected! For this reason, the dependencies between your ISMS and company-wide functions are a beast. You have a lot of moving pieces that need to be highly documented and understood in your organization.
How everything ties together is important
It’s one thing to catch a security issue and fix it, and then another entirely to catch the issue, document it, and show the process and steps that were taken to fix it and prevent it from happening in the future. For example, you may be doing backups because it’s the right thing to do, but how does that tie to the overall security posture of the organization? Is the frequency of the backups the right one? There is a thought process behind it and that’s not always analyzed, documented and formalized. This is what makes it so difficult.
Additionally, for a smaller organization, you may be doing a lot of the things that are required, but you may not have the documentation and the proof to demonstrate it and show the thought process behind it.
How is ISO 27001 different from other audits like SOC 2?
ISO 27001 is very procedural, and documentation is extremely important. The processes for how you respond and react to certain things need to be tight and clearly mapped out. SOC 2 audits, on the other hand, are very tactical and focused on the controls you have in place and on demonstrating how they are operating.
A better way of understanding the difference is by looking at the scopes of these audits. The scope of SOC 2 is focused on your product and all the information that flows in and out through it – so controls and policies are looked at extensively. ISO 27001, in contrast, is more strategic – it’s looking at how you manage the organization in a secure way. Additionally, the scope is wider – it’s touching every aspect of your organization. It includes things like all the applications you’re using, how email is used, where contracts are stored, etc.
What did we learn?
We went into this knowing it would be arduous, and we weren’t wrong. We did, however, get some key takeaways:
A clear scope is the key to success
The Tugboat Logic Platform makes a very detailed and complicated process much easier to manage and navigate. We’re not perfect, but we are always making improvements. Tugboat Logic helps provide you with a clear action plan through templates created by our in-house industry experts. These templates offer scope documentation and provide guidance in order to build out your own ISMS successfully.
Focus on your ISMS
The hardest part is setting up and documenting your ISMS in a way that is managed and can be presented to an auditor. Again, this is where we found our platform to be invaluable. Rather than rely on a laundry list of applications, our platform allows you to manage all the details expected of you in order to achieve your ISO 27001 certification. This includes things like:
- Document version control
- Documenting action items and follow ups
- Showing that you have a process set up for when there’s a security problem: analyzing the issue, finding the root cause, and then feeding it back into your ISMS
- Level of security
- Information on Employees, Shareholders, Customers, etc
Make sure your InfoSec Program is continuously compliant
This is probably our biggest takeaway. Remember how we said setting up your ISMS is the hardest part? What made this 1000 times easier is that we had our InfoSec Program already mapped out to our products and services through the Tugboat Logic Platform. With our controls and policies mapped out, we know we are always continuously compliant. Being continuously compliant is another way of saying always audit-ready. And when you are always audit-ready, you can confidently accept the challenge of arduous audits like the ISO 27001 certification.