How I learned to stop worrying and love ISO27001

26 October 2012

Guest Blogger

Surevine is currently pursuing ISO27001 certification; a few years ago I would have been faintly dismissive of that, my understanding coloured by successive readings of BS7799, BS17799 and the Site Security Handbook, in each of them (except perhaps the latter) finding little to benefit how I / my organisations work.

Now… I would not say that I have turned around, but I will say that “it depends”.

I’ve stopped looking at ISO27001 as a prescriptive and faintly annoying checklist of weak security requirements and instead I now look at it both as a system and as a jolly good excuse to get your own house in order – to lay down some good security policy, share it with all the staff, and get it adopted.

There is no point in policy unless it is adopted. “Adhered to” is fine, but adopted – to have people understand what you/everyone is trying to achieve – is better.

So it’s been back to square one on the security policy, pulling together that which is fragmented, deleting that which is dated, irrelevant, insane or contradictory, and cleaning up the whole so it’s digestible.

And then there is accessibility. And making it fun. That’s a creative bit, so I get to do videos to aid digestion.

That’s not to say that some bits of 27k1 aren’t potty – there’s a mandatory purchasing policy and process which in Surevine’s case essentially reduces to:

  • when we identify that we need something
  • we look for vendors who might satisfy that need
  • then we look for vendors’ things which will satisfy that need
  • then we pick one of those
  • then we buy it

…and this must be documented.

So that we know how to do it.

Mmm… yep.

But amongst the other things that must be documented so that we know how to do them are things that we get to pick, that are important to us – like:

  • how we work (largely from home)
  • how we deal with printed documents (don’t print anything)
  • when to install security updates on laptops (daily, because we really care about that)

– and at the end of this documenting process you’ve created a pretty good set of policies which you can then get certified… or, rather, that you have a jolly good excuse to review at least yearly.

What I knew already is that having ISO27001 does not mean that a company is in any way competent to make or do security; the big realisation is that if a company actually does care about security and about doing it correctly / sanely / somewhat measurably, then it’s not a bad framework to travel from domestic chaos to a fairly clear set of DO’s, DON’Ts, MUSTs and HOWTOs.

Which is what we want.

Written by: Alec Muffett
