ISO-27001 - information security management system standard

Information security management system

ISO-27001 is a widely known standard that sets out the requirements for an information security management system. The development of software products and digital services has changed a great deal over the 20 years that our company has existed. We have tried different ways to improve the development process and introduced the most promising technologies and quality control methods. Although this brought fruitful results, we are not ready to rest.

Once you have assembled the best team of technical specialists and forged them into a single, cohesive unit capable of solving any technological problem, the time comes to improve management processes. One of the improvement methods we chose was building an information security management system according to the ISO27001-2013 standard, “Information Security Management System”.

Company’s mission

In addition to the immediate goals and successful outcomes of particular projects, we also take care to uphold our mission: creating the best and most effective digital services for our customers, creating our own services, and improving the industry by introducing the best and most advanced technologies. The main product of our business is not software code as such; it is the architectural and managerial decisions, expertise and methods needed to build digital platforms as efficiently as possible.
We believe that identifying and carrying out the company’s mission is an essential starting point for building an information security system. A correctly formulated mission determines where the standard applies in the company and what the scope of the ISMS should be.

Scope

If a business is in the technological field, any consultant or auditor will recommend that the entire company be included in the scope of the ISMS, which makes the implementation process complicated, lengthy and expensive. This factor usually becomes an obstacle to embedding security in processes. We designed an architecture that allowed us to include in the security processes only the areas related to decision making and to defining how business processes function. This greatly reduced the complexity of the implementation, and our software development process was successfully certified at the end of 2018.

Implementation method

The ISO series standards focus primarily on business continuity. Among managers, it is customary to believe that security processes are needed only to protect material assets and storage media and to control access to the office. Usually, for this purpose, they create a security department staffed with people who have experience in law enforcement agencies (police or army). As a result, they end up with a department that, in order to reduce the risk of stolen data or office equipment, begins to interfere with business development and freeze it.
This method did not work well for us. The main value of our company is flexibility and the ability to adapt to any conditions in order to improve efficiency. That is why we built a system of processes that allows us to manage incidents and accidents, investigate their causes, and prevent their recurrence through the risk management system. In other words, to maintain the business continuity that everyone needs.

As a result, the protection against theft of data or office equipment mentioned above became a by-product of a well-built system. It came about on its own in the course of introducing a modern standard aimed specifically at preventing such issues.
Security became part of our business processes, integrated as an invisible part that is taken for granted.

Implementation Result

As a result, we gained business processes that are protected by their very architecture from external influences: redundancy in decision making, transparent management processes, and simple, understandable “What if …” instructions for any emergency situation. For the business, this means an opportunity to concentrate not on micromanagement within the organization and attempts to hold the company together, but on the search for new ways to develop and expand. Security has become the corporate glue that binds development teams, management and leadership into a single structure. Our method fit perfectly with the SCRUM and Kanban methodologies used in company management, because in accordance with the Agile manifesto we focused on the people who work for us rather than on processes in which people become cogs in a mechanism. Everyone is important to us, which is why the security processes we built made our team as comfortable as possible, both through a sense of security in their work processes and through the simplicity of corporate interaction based on the principles of ISO27001-2013.

Future plans

We do not stand still: our business is constantly transforming and improving, and our security system changes and develops with it. In the future, we want not only to improve our own processes, making them more resistant to threats and simpler and more understandable, but also to help our customers and partners build reliable processes. We now offer our knowledge and experience because we know how to apply it with minimal risk to a company that needs it.
Indeed, one of the most important requirements of the ISO27001-2013 standard is the continuous improvement of the implemented system. The most important thing for us is not to stand still.