Overview
A data consultancy decides to take its management and governance practices to the next level in order to meet the challenges of growth and the accompanying demands of institutional customers. Mature information security practices and ISO 27001 accreditation are part of the plan.
Key Challenges
Establishing an ISMS to achieve ISO 27001 certification can present many governance challenges for maturing organisations focused on consulting, especially where data is involved:
- aligning policies, organisational change and customer requirements
- variable risks for systems and data across customer engagements
- operational & HR risks with a mixed, global workforce
Outcome
An ISO 27001-compliant ISMS was developed to meet many of the unique requirements of a modern, globally distributed consulting firm. They’re now working toward meeting certification requirements.
Challenges in Depth
Policies & Transition
Organisations undergoing change and growth have to revisit their policies and procedures to make sure they’re relevant and useful.
Many companies get going with off-the-shelf, templated policies and procedures, often borrowed from past organisations. This can lead to a mish-mash of rules, cobbled together and further complicated by ad hoc responses to customer compliance requirements. To compound things, internal policies can often conflict with customers’ policies.
This creates problems for the organisation:
- staff are unclear about which rules to follow
- a culture is created where policies are ignored
- the organisation has a false sense of security
The outcome is liability risks for HR matters and customer engagements. The organisation has no recourse when something goes wrong with information security.
Finally, when it comes time to develop a mature ISMS and obtain a certification like ISO 27001, it can be difficult to know what’s in scope, what’s out, what meets certification requirements, and which of the many existing ideas and formats to bring forward.
Solutions
To ensure that InfoSec policies are well-suited to the organisation, a review of all policies was performed, not just the information security policies. This ensured that overlaps were clear, gaps identified, and most importantly, that the ISMS development process was coordinated with broader HR and organisational change.
Next, the unique circumstances of data consultancy and the distributed nature of the organisation were accounted for. In addition to many of the standard policies & procedures:
- a Secure Development & Data Engineering Policy was developed to cover the specific work practices
- the Home & Remote Work Policy was created to cover environmental risk
- Secure Engagement Procedures accounted for variability across engagements
Clear and well-suited policies that make sense to your staff create a culture where information security is easy to understand and valued.
Variable risks for systems and data across customer engagements
Managing information security risk can be tricky for consultancies. The customer owns the data and the systems, but the consultancy can be very deeply involved in technology, even managing it for the customer. Data complicates this issue and compounds the risks.
Solutions
In service-oriented organisations, a strong set of operating standards and procedures often takes precedence over technical controls in ensuring information security.
It’s important to have somebody that understands contracts, outsourced service delivery, and technology development practices. Clearly agreed information security roles and responsibilities in customer engagement contracts are the first step toward establishing consistency.
It’s then important to manage the inconsistencies. A secure engagement policy and procedures along with secure development and data handling procedures ensure that your own people have a baseline for information security.
Most important, though, is communication. Engagement leads and managers are charged with clearly communicating risks to customers, and everybody else is charged with knowing the rules and speaking up when the inevitable risky situation emerges.
Accepting this variability across engagements and taking it head-on is the key to ensuring information security. Rather than administrative overhead, it becomes part of your culture and product offering.
Managing Operational & HR Risks with a mixed, global workforce
Having a successful ISMS means ensuring that people, processes and technology are all working together to achieve its goals. The ISO 27001 standard has many people & HR-specific requirements, and the ISO 27002 guidance can help to some degree, but even the latest (2022) updates to both can be unhelpful when trying to define the scope of a consultancy, let alone one with a global workforce and mixed environment of employees and contractors.
Take the requirement for security training.
- what training, and how much?
- whose responsibility is it?
- how does HR fit in with subcontractors?
Ensuring your organisation is working securely no matter the circumstances is important. Matching your own organisation’s needs and practices with a standard that’s short on details can be daunting.
Solutions
The key to managing a variable workforce and ensuring information security is to normalise your practice at the highest level of governance requirements. It reduces overhead for you and confusion for the organisation.
For instance, having a policy that covers home working, travel, and temporary/shared spaces as a baseline extends the zero-trust philosophy to the physical environment.
Enacting policies and procedures to ensure that vendors and contractors are meeting established requirements is also important. Managing this process alongside normal operations, rather than as a separate security and IT silo, ensures continuous compliance and reduces administrative overhead by distributing it across teams.
Industry standards are a good starting point, but your organisation has the best information to set its own security requirements.