Information security has taken centre stage in strategic planning for businesses of all sizes, whether you have 30 or 30,000 employees. Larger enterprises have the resources to create governance, risk and compliance (GRC) groups, but for small business owners and startup CEOs, all the responsibility for keeping information safe tends to collect at the top.

As information volumes expand logarithmically, and a host of regulatory bodies revise their requirements with greater regularity, companies have found more and more of their resources are going just to predictive analytics on what could go wrong. Each scenario comes with its own risk and exposure profile, ranging from distracting to devastating. Malicious agents and accidental events can bring down entire networks without warning, so the most proactive IT managers have put together plans and best practices to reduce risks and speed recovery. That's where the ISO 27001 standard come into the picture.

What is ISO 27001?

To address these proliferating threats systematically, the ISO 27001 standard was developed by a committee of subject matter experts representing over 100 countries around the world. ISO facilitated this process over several years. The standard establishes a baseline for an information security management system (ISMS). This was updated in 2013, so it is currently referred to as ISO/ IEC 27001:2013.

Implementation of an ISMS preserves the "confidentiality, integrity and availability" of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

Let's look at each of those three terms individually in the context of this standard.

Confidentiality -- Customers and partners need to have assurance that their private information assets will not be shared inappropriately or left unattended in vulnerable software or physical locations.

Integrity -- This refers to the accuracy and completeness of information. Accounting records maintained in software such as Xero need to have their integrity preserved for tax purposes and general business management so that reports are accurate.

Availability -- Just a bank customer expects access to their own money, companies and individuals should have easy access to the information they share, with the ability to amend, update or delete that information on demand.

Why would a small business need ISO 27001?

Within two years of the introduction of these guidelines, more than 30,000 global businesses of all sizes secured their ISO 27001 certification. It has become even more valuable for small businesses recently as they seek ways to comply with legislation such as the Privacy Act in Australia or the General Data Protection Regulation (GDPR) in the European Union. Certification also makes sense due to all of the information security threats to small businesses, including but not limited to:

Hackers - motivated by challenge, ego, status or money

Computer criminals - motivated by destruction of information, illegal information disclosure, monetary gain or unauthorised alteration

Industrial espionage - motivated by competitive advantage and economic espionage

Insiders - motivated by curiosity, monetary gain

Disgruntled ex-employees - motivated by anger and frustration

The ISO explained that companies are looking for a "systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure."

What risks do small businesses face that ISO 27001 could help with?

Today the biggest threats to private information assets come from phishing, fraud, loss, and ransomware attacks that block managers from being able to access their vital business systems. Accenture's study on the cost of cybercrime found that companies all over the planet lose about $2.4 million per attack on average and they spend 50 days or more trying to recover. Costs have increased by 62 percent over the past 5 years. The study also showed that smaller companies pay 4X more per worker per attack because the costs can't be spread out over a larger field of cost centres.

One of the biggest threats to information security for a small company is the lack of attention to hard copy documents. ISO 27001 standard applies to information security in the real world just as much as protection of digital assets. What often happens is that workers print out documents and leave them in public areas or on their desks where the information is exposed to visitors, contractors and cleaning staff, any of whom could profit from sharing private company information assets without violating any legal agreements.

Another huge risk factor involves removable media. USB sticks, external drives, digital cameras, Wi-Fi transfers and Bluetooth-enabled devices represent a vulnerability for downloading information assets, uploading viruses and access to networks for malicious code. Informal processes will not protect a business from financial losses and legal exposure, but following the ISO 27001 standard can.

What does ISO 27001 address?

This set of standards was designed to assure the confidentiality, integrity and availability of:

• Employee records
• Configurations of technology assets (for restoration)
• Information in internal communications
• Customer information
• Location of your assets, physical and digital
• Project tenders
• Product development plans
• Financial information

The security of this information is required by law in some instances, and the loss of it would expose your company to legal challenges. Data breaches and the loss of customers cost global companies $40 million for every 1 million records lost in 2018 and nearly all of those data were due to criminal or malicious attacks.

Where should you start to comply with ISO 27001?

Even if your organization is not planning on seeking out certification in ISO 27001 standard, you owe it to your customers and other stakeholders to protect their information to the best of your ability.

Best practices recommend you should:

• Purchase an Information Security Management System from ISO Templates.
• Look for the highlighted prompts in the template documents to add company-specific information such as logos, name, addresses and change any requirements that won't be able to be implemented.
• Follow the steps on the implementation plan provided with the Information Security Management System.
• Complete the Inventory of Assets including the valuation of the assets.
• Complete the Statement of Applicability based on the status of the 114 security controls in your business.
• Complete a risk assessment and treatment plan in accordance with the detailed steps in the Risk Management Procedure using the Information Security Risk Register.
• Conduct information security awareness training using the PowerPoint template provided.
• Keep refining and improving your information security as new threats emerge, or move on to a certification audit from a third party to determine how close you are to recognition by the ISO.

On the other side of ISO 27001 compliance

Small businesses can benefit greatly from the authority conferred by ISO certification in information security. Compliance with ISO 27001 through the implementation of an ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. Once your company is certified or at least compliant with the ISO 27001 standard, you benefit from better communications using secure channels, lower risk exposure, stronger trust from internal/external stakeholders and a substantial competitive advantage over less secure peers in the market.

Internal audit is an objective assurance exercise carried out by independent and trained auditors. The purpose of this exercise is to add value and improve the organizational processes. With the help of an internal audit which is a systematic and disciplined approach to evaluate the effectiveness of the Quality Management System, an organization can achieve the objectives set for its Quality Management System. ISO 9001 provides guidance on how these internal audits can be conducted in a systematic and efficient manner to evaluate if the organization is meeting the requirement of its own quality management system, ISO 9001, customer and regulatory requirements.

Why is it important?

Having Internal Audits helps to find non-conformities and prevent them so that they do not lead to non-conforming products in future. To understand this better let's take an example of a Builder. During an audit on builder operations, the auditor could not locate review records of building design and raised a non-conformity on that. When the management came to know of the issue, they analysed the situation and found that the design review was done without following the complete process. The design records were not in place which raised doubts on how efficiently the review was done. As a correction, the review was done again with the help of proper documents and a number of design faults were found and corrected. Such issues when found on time, can help management take corrective actions so that they do not appear in future. A casual approach to a critical process could have led to many faults in the building design and the organization will bear the cost later when customer complaints start pouring in. A simple lapse in the process can lead to bad product quality and can fetch you a bad reputation.

Establishing an audit program

ISO 9001 requires that an organization establishes an audit program with some key elements included. These are:

Methods: Methods include the techniques that you will use to gather objective audit evidence. These will form the basis of determining non-conformities in the system. Examples of audit methods may include an interview with auditees, review of documents, and observation of activities. Some organizations also develop checklists against their Quality Management Systems and tools to plan and conduct audits.

Frequency: ISO 9001 does not prescribe any frequency for the internal audit. But since this is a mandatory requirement, many companies opt for keeping the frequency just once a year. While this is acceptable from an ISO 9001 compliance point of view, this should not be the criteria for determining the frequency. A more logical frequency that suits the needs of your organization and helps you identify issues at the right time should be criteria for determining the frequency of the audits. This decision should be based on factors such as:

• Importance of the processes;
• Managerial priorities;
• Performance of the processes;
• Changes affecting the organisation
• Results from previous audits
• Trends in customer complaints
• Statutory and regulatory issues.
• Health of the Quality Management system
• Complexity of the products and services delivered
• Organization Size

Responsibilities: An organization needs to define the responsibilities of auditors and auditees. Auditors will conduct audits and report audit findings and auditees will take the corrective action in a timely manner.

Planning requirements: You need to establish how audits will be planned, this may include an annual audit calendar, audit plan or schedule.

Reporting: You need to define the level of reporting of audit findings to the management.

Conducting Audits

Once the audit program is established, the next step is to conduct audits. You need to take the below steps to conduct effective audits in your organization:

Establish audit criteria:

Audit criteria is the criteria against which the audit will be conducted. The auditor may evaluate the current implementation of processes against Quality Management System policy and procedures, ISO 9001 requirements, regulatory or customer requirements, etc. This needs to be established for each audit or whole audit program.

Select Auditor:

While selecting auditors for conducting audits, you should establish the minimum qualification required for internal auditors. Internal auditors need to be trained in the ISO 9001 standard as they also audit for conformity to ISO 9001 requirements. They should also have a good understanding of your quality management system processes and their interaction, customer or regulatory requirements, audit process and techniques established in your audit program.

Another important requirement of the standard is to conduct impartial and objective audits. To ensure this is done, the independence of the auditor is important. The auditor should not be from the same work area or department being audited.

Conduct audits and report findings:

During the audit, auditors should look at objective evidence, interview auditees and review the evidence obtained against the audit criteria established for the audit. In case the auditor finds that the actual process is not implemented appropriately, the auditor should raise a non-conformity in that area. All audit findings should be reported to the auditees/process owners in the formats provided by the organization.

Take correction and corrective actions:

On all the non-conformities raised by the auditor, auditees must take immediate corrections and plan corrective actions. A correction is taken to correct the problem immediately while corrective action is taken on the root cause identified for the non-conformity. Appropriate action taken against these root causes should be tracked to closure and follow-up needs to be done to ensure that the root cause has been eliminated.

Audit Reporting to Management:

Audit results should be reported to appropriate levels of management. The results of each audit and overall annual audit program may be analyzed to determine opportunities of improvement in Quality Management System processes, their interactions, products, Services etc.

Retain evidence of audit:

ISO 9001 requires you to retain records of Audit, these include annual audit calendar, records of audit planning containing audit criteria, Audit scope, methods used, auditor assigned, etc. Other records may include auditor training records, audit checklists, audit notes, nonconformity details, corrective actions, analysis of non-conformities and overall audit program.

Planning is the process of conceptualizing the activities required to achieve a desired goal. It is the first and foremost activity for any new project/task that you want to accomplish. Planning involves thinking about the risks that may occur in future and addressing these through adequate control measures. Clause 6 of ISO 9001 deals with this highly critical activity and requires an organization to take a risk-based approach and plan for the uncertainties pro-actively preventing undesired effects. Another aspect of planning is to identify objectives which can be used to monitor and track our progress. Additionally, this clause requires an organization to plan for changes and follow a structured approach for any changes required in the management system.

Why Is it important?

Risk based thinking is introduced in the new version of ISO 9001 and is included throughout the standard. This shift was done to introduce a pro-active approach to handling risks, rather than taking an approach of preventive actions when the issue has already occurred.

Let us understand why risk-based thinking is important and how it impacts various aspects of our lives. We face risk of traffic or car breakdown when we travel from our house to office. To reduce the effects of the risk, we may plan to leave home 15 minutes early or take a longer route with lesser traffic. Risks may also sometimes present opportunities, risks of running late may give us an opportunity to explore other modes of travel or you may want to look for a job closer to home.

In a business scenario also, risks are equally important. Through a pro-active approach on planning ahead for the risks, we can avoid unforeseen situations, occurrences, events or incidents. This helps in reduction or mitigation of our liabilities and improve the product or service delivery. This in turn, helps in managing reputation and helps in business growth.

Defining Quality Objectives is an important step for any organization to control its processes and helps bring-in continual improvement in their systems. Quality Objectives gives you important insights on how you are progressing and drives you to create plans to meet the objectives. This is a good way to identify opportunities and pave a way for growth of your organization.

Moreover, any continual improvement or corrective action may need change which should be handled in a formal manner to avoid any unforeseen consequences of the change.

Actions to address risks and opportunities

This clause of ISO 9001 requires an organization to consider the contextual issues and requirements of the interested parties and determine the risks and opportunities. In our Article on Clause 4, SWOT analysis was used to determine the internal and external context followed by a stakeholder’s analysis to determine their requirements. Risks and opportunities are identified from these issues or through non-conformities that are identified in the course of your operations. The identified risks may be at the strategic levels or operational levels. Some examples of risks that an organization may face are given below:

Strategic Risk

• Competition high in our area of operation
• Reputation at stake if a complex/large project is not successful

Operational risk

• Risk of defective delivery
• Risk of schedule slippage due to unclear requirements

Once all risks are identified, the next step is the address these risks and opportunities. A risk which is operational in nature may be handled by a manager who owns the area/function while ownership of strategic risks is with the top management.

Once you have identified all operational and strategic risks, the next step is to plan actions to either reduce the likelihood of its occurrence (called mitigation) and/or reduce the severity or impact of the risk (called contingency). For a small organization or where the complexity of work is less, this could just mean planning mitigation actions and ensuring timely closure of all such actions.

Companies may opt for a detailed risk evaluation. This is done by defining a risk methodology to manage all kinds of risks. This methodology involves assessing the risk, giving it a score or a rating and then comparing it against an acceptance level. Based on the acceptance levels, adequate response to the risk is planned. Risk matrices (Sample given in Figure below) based on probability and impact are used to give a rating to the risk. A risk lying in the green zone may be acceptable whereas amber and red need additional controls and shall be prioritized for closure.

Once control action on risks is taken, the effectiveness of these actions shall be evaluated to ensure that the control measures were effective. Monitoring of risk should be carried out on a regular basis or on events like changes in staff, process or equipment.

Quality Objectives and Planning to Achieve Them

The next stage of Planning is to set quality objectives for various levels/functions in the organization. The quality objectives shall be consistent with the quality policy and shall be relevant to the conformity of products/ services, and the enhancement of customer satisfaction.

The quality objectives must be defined in a way that they are measurable and consideration shall be given to the applicable customer and statutory and regulatory requirements.

A simple method of establishing these quality objectives is using the S.M.A.R.T. methodology. What SMART specifies is that each objective shall be defined in a way that it is:

• Specific - The objectives are written in a way it is interpreted in same way by anyone who reads it
• Measurable – This means that the objective should be quantitative so that it can be compared against a goal and its achievement assessed. Terms such as amount, percentages, etc shall be used to define these objectives.
• Achievable- An objective which is planned but capturing its data is difficult or there are no mechanisms/resources to achieve the results makes an objective useless. So, adequate resources/mechanisms should be available to achieve the objective.
• Relevant –The objective shall be relevant to organization’s context and it shall provide an insight if the customer / statutory and regulatory requirements are being met or not.
• Time-Oriented- The objective should be time-bound so that its achievement can be evaluated within a fixed time-frame.

Some examples of quality objectives are given below:

• Product – Reduction in defective product by 2% within a year
• Customers –Improvement in customer satisfaction scores by 4% by end of 2020
• For the QMS –Number of improvement opportunities in a quarter, etc

The quality Objectives shall be defined by the top management and once these are finalized, the organization shall:

• Document these Quality objectives in your quality manual/ procedures/ quality plans or any other relevant place.
• Communicate the quality objectives to the employees, as required. This may be done through training or in meetings.
• Deploy these quality measurements in the organization. You may plan to capture the data manually or use tools to gather the data required. Also, plan for mechanisms to report these quality objectives.
• Ensure these are measured across the organization. Monitor the achievement of the quality objectives using dashboards or simply by reporting these at fixed time intervals
• Review the achievement of objectives with the top management. This can be done in management review meetings. Based on the achievement of the quality objectives, the goals may be updated, as appropriate
• Plan actions when the actual results do not meet the goals. This gives you an opportunity to identify continual improvement initiatives.

Planning of Changes

When the organization determines there is a need to change the QMS, this clause of ISO 9001:2015 requires such change to be carried out in a controlled manner. A defined change management process is a good way of addressing this clause. A structured approach ensures that the person requesting the change consider a number of items such as who will be impacted, the resources required, etc. This ensures that change approver/manager makes a good decision and manages the change properly.

The steps required to plan a change are:

• Identify the change required and define the details of the change
• Assess the need of change considering
  • the purpose of the changes and potential consequences
  • the availability of resources
  • the allocation or reallocation of responsibilities and authorities.
  • whether the integrity of QMS could be compromised as a result of making the change
• Get an approval from top management/ change approver for change implementation
• Create a plan and identify tasks, resources and responsibilities, timelines, etc. to carry out the change
• Create a communication plan and identify all the internal and external stakeholders that are impacted and need to be informed of the change
• Get review of the changes done by top management/change approver after changes are done.
• Conduct Training for people affected by the change
• Monitor the change to evaluate its effectiveness