ISO-27001 - information security management system standard

Information Security Management System

ISO-27001 is widely known for providing requirements for information security management systems.

The development of software products and digital services has changed a lot over the 20 years of our company’s existence. We’ve used different ways to improve the development process and introduced the most promising technologies and quality control methods. Even though this brought fruitful results, we are not ready to stop.

Once you have assembled the best technical specialists and united them into a single department capable of solving any technological problem, it is time to improve the management processes. One of the improvement methods we decided to apply was building a system according to the ISO 27001:2013 standard “Information Security Management System”.

Company’s Mission

In addition to the direct goals and successful results of particular projects, we also take care to maintain our mission: creating the best and most effective digital services for our customers, creating our own services, and improving the industry by introducing the best and most advanced technologies. The main product of our business is not software code per se; it is architectural and managerial decisions, expertise, and methods for building digital platforms as efficiently as possible.

We believe that identifying and executing the company’s mission is very important for building an information security system. A correctly formulated mission determines where the standard applies in the company and what the scope of the ISMS should be.

Scope

If a business is in the technological field, any consultant or auditor will recommend that the entire company be included in the scope of the ISMS, which makes the implementation process complicated, lengthy, and expensive. These factors usually become an obstacle to building security into processes. We designed an architecture that allowed us to bring into the security processes only the areas related to decision making and to defining how business processes function. This greatly reduced the complexity of the implementation, and this software development process was successfully certified.

Implementation Method

The ISO series standards focus primarily on business continuity. Among managers, there is a tendency to believe that security processes are needed only to protect material assets and storage media and to control access to the office. For these purposes, a company usually creates a security department staffed with people experienced in law enforcement (police or army). As a result, it ends up with a department that interferes with business development (or even freezes it) in order to reduce the risk of data or office equipment being stolen.

This approach did not work well for us, because the main value in our company is flexibility and the ability to adapt to any conditions in order to improve efficiency. That is why we have built a risk management system that allows us to manage incidents and accidents, investigate their causes, and prevent their recurrence. In other words, it maintains the business continuity that everyone needs.

Thus, the protection against theft of data or office equipment mentioned above became a by-product of a well-built system. It came about on its own with the introduction of a modern standard that is specifically focused on preventing such issues.

Security has become an integral part of our business processes, an invisible component that is taken for granted.

Implementation Result

As a result, we got business processes whose architecture protects them from external influences: redundancy of decisions, transparent management processes, and simple, understandable “What to do if …” instructions for any emergency. For the business, this means an opportunity to concentrate not on micromanagement within the organization and attempts to hold the company together, but on finding new ways to grow and expand. Security has become the corporate glue that binds development teams, management, and leadership into a single structure.

Our method fits perfectly with the Scrum and Kanban methodologies used in company management. In accordance with the Agile manifesto, we focus on the people who work for us rather than on processes in which people become cogs in a machine. Everyone is important to us, which is why, with the help of the security processes we built, our team feels as comfortable as possible, both in terms of the security of their work processes and because of the simplicity of corporate interaction based on the principles of ISO 27001:2013.

Future Plans

We do not stand still: our business is constantly transforming and improving, so our security system is changing and developing with it. In the future, we not only want to improve our own processes, making them simpler, more resistant to threats, and more understandable, but are also eager to help our customers and partners build reliable processes. We offer our knowledge and experience, and we know exactly how to apply it with minimal risk for a company that needs it.

Indeed, one of the most important requirements of the ISO 27001:2013 standard is the continuous improvement of the implemented system. The most important thing for us is not to stand still.