Starting On Your ISO 27001 Certification Journey, And A Protip On Getting Certified! (Ask A CISO Ep. 10)

Ask A CISO host Mark Fuentes sits down with Manggala Eka Adideswar (Adi), Senior Head of Cyber Operations, Indonesia, to talk about ISO 27001, what it is, and the misconceptions surrounding achieving certification. They even include a protip for organizations looking to start on the certification journey!

Embarking on the journey to ISO 27001 certification can be a daunting task for some organizations. Although it is not an easy journey, getting certified is now both necessary and beneficial: for starters, it shows your investors, stakeholders, partners, and customers that you care about the safety of their data and privacy.

While you make plans to get certified, join Horangi's Director of Cyber Operations, Mark Fuentes, and Adi, Senior Head of Cyber Operations Indonesia, as they address some common misconceptions and concerns about getting ISO 27001 certified, and even provide a protip to ease your first steps.

Listen on Spotify, and subscribe to the podcast to be notified of future episodes:

Connect with Horangi’s cybersecurity experts if you need more information about complying with ISO 27001.

Mark

Today, we want to talk about ISO 27001. It's something Adi and I handle a lot in our day-to-day business. We just want to go over some of the things that we run into with our clients, some of the things our clients throw at us as well. So hopefully, you guys will get a little bit of enlightenment from this session. So as we open it up, I'd just like to start at the very, very beginning. Why don't you let everyone know what ISO 27001 is and what it's all about?

Adi

Yeah, I think everyone can see there are a lot of references for ISO 27001. I won't go into depth about the structure and everything. But I think in summary, it is the best practice standard for Information Security Management Systems, published jointly by the International Organization for Standardization (ISO) and also the International Electronics Commission (IEC), initially in 2005. And then the newest one is actually the 2013 version.

Mark

So everybody knows we don't know that off the top of our heads; we wrote it down. I always forget what ISO actually means and what IEC means. So good on you for getting all of that out, appreciate it. So please go on. I'm sorry to cut you off there.

Adi

No worries. So I think we should also elaborate that the ISO framework itself has a family of its own. So there is ISO 27000, the basic one, the overview and vocabulary, and also the requirements. This is the most famous one, ISO 27001, the requirements and specifications. And then there are guidelines in 27002, and the list goes on.

There are standards for network security, application security, cloud security, health (industry), and everything. So it's quite a lot. And I think our podcast will not have enough time to address all of this. Yeah, but the characteristic, as the name suggests, is that it covers information security management systems. And the standard is quite general. I think it is aimed at securing information assets in all forms, like paper-based and digital assets as well. And it is also applicable to all premises, like maybe in the cloud, on-prem, or even a physical place. And also it's technology- and vendor-agnostic. So whatever technology, whatever vendor that you use, it can be applied.

Mark

He should use Horangi, though, right?

Adi

Yeah, that is a good addition.

It's also like one of the most pursued best practices, standards, or certifications in the world. Based on a publication from IT Governance in the UK, there has been 450% growth in the past 10 years in pursuing this certification.

Mark

Why do you think that is?

Adi

Well, I think globally, I think one of the references is that ISO can be the starting point for other, more complex security best practices or standards, like PCI DSS or the GDPR. So it's kind of like a starting point or jumpstart for a baseline, right?

Mark

I wouldn't say easy to do. It's not easy. But I would say that in our experience, it's the easiest to comply with. When you read the standard itself, it's not too hard to understand the language. It's easy to interpret the language into actual implementation. The controls are quite simple. And I think that's why it's so widely adopted around the world. It basically covers anything you would have to worry about when you talk about information security management.

What do you see mostly in our customers? What are we dealing with mostly? Are you seeing yourself deal with a lot of paper-based information? Do you see a lot of cloud? Do you see a lot of on-prem? What's the most common configuration that you see in our customers?

Adi

It really depends on the type of client or customer, to be honest. So basically, if we see more traditional or conventional industries, like traditional banking, for example, and also traditional companies, maybe factories, the assets are more paper-based. But even the traditional companies are switching or transitioning to the cloud as well. It really depends. Currently, the trend is going toward digital and also the cloud.

Mark

Now, for the people listening in, why does anyone care? Why would anyone want to get this thing? What's in it for them?

Adi

I think for the first one, as we talked about before, it is the starting point for compliance. That's the first thing that's important. The next point, especially for a startup or a technology company, I think is quite related to investment. So a number of venture capital firms, for example, want to see a company that is trying to comply, or at least has a plan to comply, with cybersecurity best practices before maybe providing some funding. Not necessarily certification, but if the company has already started to plan or started the journey to ISO 27001, I think it's really a value add for the company itself.

Mark

I see that a lot as well. When I talked to investors, basically from their perspective, this company that I'm investing in is largely digital. Their bread and butter is information. So I want to know that the millions of dollars I'm giving these guys aren’t going to be wasted when they get hit by a hack or a breach in the first year. I want these leaders that I'm entrusting this money to, I want them to be thinking about protecting my assets. Because it's all my money. So yeah, I definitely see that as well. I see a lot of customers that come to us and say, hey, my VC told me I gotta get ISO 27001, and I don't know what that is. I definitely see that a lot. That's definitely a big one.

Do you have any others that you can think of?

Adi

To add more to that: As you stated, investors already see cybersecurity as one critical business failure, because this is something that they see as well. And then also investment disclosure, and some kind of vulnerable period for the startup company itself, right? Or the company has some of these findings, so maybe this is worth attacking. This is something that should be highlighted by the company itself.

I think the next point is about the competitive advantage like positive image and message. The ISO itself demonstrates a commitment to information security. So it shows the customer or the client that the business or company cares about security, privacy, and everything. It shows that our business, our company, cares about security, and it will be transmitted to suppliers, partners, or business partners and their stakeholders as well. And the employee as well.

Mark

I'm seeing a lot of normal people now. Just the normal, everyday John or Jane, they care about their data. They care about: should I be giving information to this company? Or that company? Yeah, what are they using it for? Is it going to get lost? Is it going to get stolen?

In most cases it's very good for you if you're a business and you don't have competitors, right? If you decided on a business model, where you don't have to worry about other guys trying to take your market share. But that's very rare, right? Most companies have competitors. And you want that competitive advantage because someone goes to the market, and they say, they want to look at your company and another company. And let's say your company has gotten breached twice in the last 6 years, and the other one hasn't or it already has ISO 27001 certifications. Most definitely they're going to go to that other one.

A lot of people don't believe me when I say it's a competitive advantage. But it totally is. When people go to the market to shop for things, cybersecurity is definitely something they look for at this point. So you're definitely right on the ISO 27001 as a competitive advantage.

Adi

We didn't say that the ISO itself automatically 100% secures your organization and everything. Yes, we still need more beyond that, but it shows commitment, like I said. We have a plan to secure everything, but to actually secure your assets, customer data, and everything, we need more beyond that.

Mark

Actually, that's a great point.

People say, oh if I get ISO 27001, I'm not going to get hacked. That's crazy. That's not the way this works. All you're doing is you're committing to a better level of security, not absolute security. There's no such thing. And so that brings me to my next question. That being one of the great misconceptions of ISO 27001, what are some other misconceptions that you see from our customers? Like, when they come in, they want to get ISO or they want you to help them get ISO certified? What are their misunderstandings? What are the ones that you see as the top ones?

Adi

I think one of the things that I observe most is the feeling of being afraid. Looking at the level of readiness, for example, they are quite aware of their level of maturity. And then after that, they kind of see the huge gap towards the ISO certification itself. So: will I ever be ready? It's like...

Mark

A giant mountain and they don't want to climb it right? Because it seems so impossible.

Adi

Yeah. It turns out that pursuing the ISO is not that scary, you know. I mean, there are a lot of parameters we can tweak to make this journey possible. For example, the scope, right? So let's say that you have 10,000 branch offices across the country. Well, if you want to certify all the branch offices it may be, I think, impossible, but we can limit the scope, for example, to a certain branch office or only headquarters.

Mark

You can scope it down, right? If you have your systems segregated properly, you can scope it down to a certain subset of your systems. So, yeah, that's one thing actually nobody knows. Not many people know that there are different ways to scope out an ISO certification. If you have different business lines, you can scope it down to one business line. To one department even. That's huge, actually. I never actually thought about that one.

Adi

Yeah. So I think limiting the scope makes the effort more simplified, I think, or at least more achievable. If the client succeeds in getting the ISO, not a lot of people really realize what the scope is, right?

Mark

Just that you have that? They don't ask what parts of your systems are.

Cool. You're ISO certified? Awesome. Yes. Well, it turns out, it's just like an office. I don't know if that's a good thing to say or a bad thing. But it's true.

Yeah. What else? I'm sure you got a couple.

Adi

Okay, some of them? Yeah, I think that will have enough impact to fly, basically: we can lower the effort, we can afford to lower the timeline as well. So we can still see the endgame. Oh, another thing as well, I think, about the awareness here. Basically, people still see that ISO itself is the responsibility of only certain personnel or certain departments in the company, namely IT security or information security departments. The responsibility is not only for IT security or information security. Responsibility is from the top to the bottom, and all employees.

Mark

Everyone has a part to play. I mean, I hate to get on my soapbox about it, but actually, that's true for all of cybersecurity. Everyone always thinks cybersecurity just belongs to the IT guys, and the IT security guys. But cybersecurity in general, and that's why ISO 27001 is everyone's responsibility because cybersecurity is everybody's responsibility, and that's definitely a big misconception. And I think also people underestimate the collaboration that's involved when you have to implement ISO 27001. We have to talk to the finance team, and they have to do some work. We have to talk to the HR team, and they have to do some work. And you know, everyone's got a part to play. And if you don't get buy-in from everyone in the organization, it's definitely going to slow you down.

Adi

Yeah, and worse, worse, maybe fail.

Mark

Yeah, not to scare anyone, but yes, if you have a lack of collaboration, that could lead to bad consequences. Those are some big ones. Is there anything else? I think what I'd like to talk about is people underestimating the effort and the time. A lot of people come to us and they say, yeah, we want to get ISO 27001 certified. We'd like to have it by three weeks from now.

Adi

Yeah, there's that. Yeah, there is a polarization, so basically, there is someone who overestimates and there is someone who underestimates.

Mark

On the other end, you have these people that think, like, all you have to do is fill out an application and then get a certificate in the mail? Yeah, definitely, it's way more than that. There are a lot of resources involved. There's a lot of process building. It's quite involved. And, especially, you know, not to toot our own horn here, but at Horangi we like to take a more practical approach to implementing ISO. We like to make sure that the things that we build actually work in real life; they don't just pass the certification.

So in order to do that, it does take time and it does take a lot of effort. But I would love to just let everyone know that it's worth it. The time and the effort are definitely worth it because, even though it's hard to measure, the progress is real: you really are more secure when you do these controls properly.

Maybe you had some thoughts that you wanted to get out there despite my questions. Is there anything you want to tell people about ISO and about the journey, about how to get there?

Adi

My final message is to tell people to start on the journey for ISO 27001 certification, because I think currently the trend is going toward there. The standard and the best practice are quite friendly, like for a generic case, for a beginner. And I think in a lot of countries, at least in Indonesia, even the regulator is already adopting the ISO standard itself. For example, the Badan Standardisasi Nasional (BSN), the national institution which establishes national standards in Indonesia, and I think also Badan Siber dan Sandi Negara (BSSN), our national cybersecurity agency in Indonesia, have an index which is adopted from the ISO itself. And a lot of regulations are actually starting to mandate it for companies like electronic system providers, financial technology, and banks. The regulators include Menkominfo (Ministry of Communication and Information Technology), BSSN, POJK (Peraturan Otoritas Jasa Keuangan - Financial Service Authority Regulation), and PBI (Peraturan Bank Indonesia - Bank Indonesia Regulation), which are also starting to mandate the implementation of ISO 27001. So I think it's a good thing that companies should start the journey soon.

Mark

Definitely, I think you're 100% right. I think, even if regulations are not adopting ISO 27001 by name, you can see that the controls are all the same. They're there. They're quite the same. And so it's always a good place to start.

Also, another thing that I noticed is, if you get ISO 27001, almost all other types of regulations, regulatory, or compliance requirements that have to do with information security are just a hop, skip, and a jump away, right? So if you get ISO 27001, you've done a majority of the work towards PCI DSS, you've done a majority of the work towards OJK in Indonesia, or PDPA in other countries for data privacy. The controls are almost generally the same. So yeah, you're 100% right. It's definitely worth starting the journey. And even if just for ISO 27001 itself, it's already worthwhile. So yeah, definitely, I agree with your last point there.

I think if I had to leave anyone with a message, I think, for ISO 27001, this is just a start. I mean, ISO 27001 is not an end state. Yes. Just as security is not an end state. It's an ongoing process. So I would like everyone to just remember, please start on that journey of ISO 27001. But the finish line is not the finish line. It's really just the first phase.

We have a question here coming in from our producer: So if an organization does not yet have any certifications, is it a good idea to start with ISO 27001? Can certifications be done in tandem?

So I'll let you answer the first question there, Adi. Is it a good idea to start with 27001 if they don't have any certifications at all? Is it a good first step?

Adi

Yeah, I think as I elaborated earlier, I think the message is: one of the benefits of the ISO is as a starting point, because it's quite general, it can be implemented for all kinds of situations and asset classes, basically. So yeah, I think the data also show that this is being used for jumpstarting more complex compliance like PCI DSS and GDPR. Yeah, so yeah, I think it's a good idea.

Mark

I think just to echo exactly what you're saying. Number one: if you haven't started your cybersecurity journey yet, we both think you're insane. And you should really start today. If you are going to start your journey, you don't want to do it by jumping into the deep end. ISO 27001 is the shallow end of the pool so it's good to go in gradually that way. So yeah, definitely agree with your points there.

Second, the second part of the question, Adi, I will pose to you: can certifications be done in tandem, as in doing ISO at the same time as PCI DSS?

Adi

It's quite possible, yeah, if, like you said earlier, you have sufficient resources, timeline, and everything. I think I've seen some, but it's because of the conditions and situations. Like, for example, they have a deadline for getting PCI DSS, but they also have an initiative to do the ISO. It's possible, but I think the best approach, in my opinion, is still one step at a time. Yeah, I've seen these cases.

Mark

As usual, we are on the same page. I think it's completely possible. But I think it's also crazy to do two at a time, because in reality, yes, there is overlap between the two. But in reality, it's hard to plan out the implementation when you're looking at two things at the same time. You don't have enough time, you don't have enough money, and you don't have enough people. Most times you have just enough money, time, and people to do one. If you add another one, that just doubles your effort, so it's definitely not advisable to do them at the same time.

Adi

Great. I agree.

Mark

Yeah, I agree. I definitely agree with you. It's possible but why would anyone do that, right?

So yeah, that should be our answer. So I did ask you for a final thought on ISO 27001, but we had these other questions, so maybe I'll give you one more shot at a final thought.

Adi

Yeah, I think this is another misconception as well, that ISO 27001 is like the end goal, right? Because this is like the starting point, the jumpstart beyond that. It also needs to be renewed once every three years. There is also like a survey or audit in between, the surveillance audit, as well as re-certification after three years. Also, as I said earlier, if you do it with a limited scope, it can also be expanded. So let's say that you certified your guest room only; you might want to do your kitchen next year and the master bedroom the year after that.

If you have already certified the IT department, maybe you want to expand to finance and everything. So it's a journey. It's not like something big which has an endgame. So it's like a journey; we can take it one step at a time, basically.

Mark

I'll just expound on that. My final thought, as many of my professors at uni told me: security is not an endgame. It's not an end state. It is a process. So that's the last thought Adi and I would like to leave you all with.

Thank you all for tuning in. Once again this has been Ask A CISO podcast from Horangi and this is Mark Fuentes and Adi signing off.

Adi

Bye-bye! Thank you, Mark.

Isaiah Chua

Isaiah Chua is a Content Marketing Manager at Horangi who is also the producer of the Ask A CISO podcast. He's an avid reader who can't get by a day without good music and gallons of coffee.