5 Frequently Asked Questions and Answers About ISO 27001 Implementation


Written by

security island
Are you considering certifying your organization to an ISO standard? In this article, Maurice Pasman of Instant 27001 and Ivar van Duuren of ISOPlanner answer the most frequently asked questions about ISO certification.

1. Who is responsible for implementing ISO 27001?

The standard states that the management of an organization has primary responsibility for the organization's information security. On the one hand, this means making budget available and setting a good example. But in principle, it also means that management should designate one or more employees within the organization who are given responsibility for implementing the standard.

The most commonly used role is that of Information Security Officer (CISO). This person is often given primary responsibility for implementing the Information Security Management System (ISMS). This is not the person who has to do everything, but the person who is given responsibility by management, together with the ability to actually involve other people and take up their time.

There are also other people involved in the implementation. Think, for example, of someone from HR who looks at whether the responsibilities, rights and obligations are also well defined in the contracts. Also, people from software development are ideally involved to see if best practices in secure development have already been implemented.

And, for example, a software engineer who is involved to see if the setup of the cloud environment is going well. So in addition to the role of Security Officer, other people within the organization are also involved in ISO implementation.

2. Can you implement ISO 27001 and NEN 7510 together?

Many customers ask us if it is convenient or possible to certify the organization for ISO 27001 and NEN 7510 at the same time. This is indeed very convenient to do. If only because the overlap of the Information Security Management System (ISMS) is 100%.

Not familiar with NEN 7510? This is a Dutch-language standard in the field of information security, specifically for application within healthcare. And it is also a standard that has a legal obligation. So healthcare providers within the Netherlands are required by law to implement NEN 7510. Incidentally, this should not be confused with NEN 7510 certification, because that is not mandatory. Nevertheless, you see that many parties in healthcare and their service providers often proceed to certification, because that is the crowning glory of their work.

3. Can you substitute or ignore ISO measures?

If you look at the list of control measures from the Annex A of the ISO 27001 or NEN 7510 standard and you don’t support the measures, are you allowed to choose other measures? For example, because you want to come up with them yourself or because you want to use a different set of measures? The short answer is: yes, you may.

The ISO standard provides suggested measures in Annex A that you can use as a checklist, to make sure you don’t forget anything. However, the measures you ultimately choose may come from anywhere. And if at some point you conclude that you need an additional measure, it would be strange not to take it.

If you continue along that line, then you can also decide that you don’t think the whole list of measures from Annex A is appropriate for your organization. And that you use a different set of example measures, for example from another ISO standard such as the 27017 or 27018.

The standard also wants you to prepare a Statement of Applicability. In that Statement of Applicability you indicate which measures you have taken, but you must also indicate what you have done with the measures from Annex A. And when you decide to completely ignore the measures from Annex A and apply, for example, the measures from the CIS Controls, then you state in your Statement of Applicability which measures from the CIS Controls you are using.

4. Is ISO 27001 also suitable for small businesses?

Many people think that ISO 27001 or ISO 9001 is suitable only for very large organizations. But the standard is written in a way that doesn’t actually make that distinction.

In fact, if you read the standard carefully, it sets requirements, for example, for the documentation that an organization must have. It explicitly states that the amount and manner in which that documentation is maintained must be appropriate to the organization.

That explicitly leaves open the possibility for a very small organization to implement the management system as well, albeit without a huge pile of documentation: just some smaller policy documents and some simpler processes. That makes the standard perfectly applicable for a small organization.

5. How long must an organization exist for certification?

How long an organization must exist for ISO certification is a very interesting question. It has to do with the fact that during an audit you want to give the auditor the feeling that the processes you show and the policies you have written have been alive and well within your organization for a certain period of time.

So an organization that has just been in existence for two weeks and whose management system was also written two weeks ago, won’t give the average auditor the warm feeling that this is a well-rooted system.

If you look at what the standard says about it, there are no hard timelines in there. The standard only says that a management system qualifies for certification if it can be shown that all components have been implemented at least once (Chapter 4 through Chapter 10).

If all components of the Plan-Do-Check-Act cycle have been demonstrably implemented at least once, then you can certify the management system. In practice, we find that most consultants and audit firms do apply a minimum period of 3 months for this. But that does not come from the standard.

Failures in ISO certification

In practice, we still see many situations where processes run across multiple systems and involve multiple people. There is no proper transfer from one system to another. And what can go wrong is that things are simply forgotten.

So someone does enter an employee into the HR system, but forgets to inform another person that a ticket is needed to grant certain rights to that new employee.

Then the result is not what it should be, requiring remedial work afterwards. And the organization is shaken up wondering why something is not working and what went wrong.

What does an ideal compliance process look like?

In an ideal world, a new employee enters the organization or there is a new supplier, and the process begins the moment that new employee or supplier is entered into the first system.

All subsequent steps resulting from that one process then flow automatically from one system to another. Each time, the employees who need to do something are triggered at the place where they already work, for example with a Teams notification that something is ready for them to do. And if a step is skipped, the person concerned automatically receives a notification or reminder to still do the work.

In the ideal world, the result is also recorded in a central location in a system that everyone is already working with.

Set up compliance automation workflows in 3 steps

Want to automate compliance within your organization? How do you set up those compliance automation workflows and how do you properly maintain those processes? First, it is important that you make sure you have one system where you record the result of all those automated processes.

Second, it is good to identify which processes you want to automate. And when you have an idea of that, start small with one process: a process that perhaps now takes the most work in the organization, or where the most mistakes are made, or where you as an organization suffer most from those mistakes. Start by automating that first process. Then you take the next process, and that’s how you slowly build up.

Finally, it is important to see which systems touch the processes. Which systems are involved in the various workflows? And what possibilities do those systems offer to link and collect information in a central system, allowing you to keep an overview of all the processes?

More tips on ISO certification?
Feel free to contact us. We’d like to help you out!

About Maurice Pasman of Instant 27001

Maurice Pasman is founder of Instant 27001, which helps organizations implement ISO 27001 efficiently by using sample documentation and templates. Since its launch in 2018, Instant 27001 has already helped more than 1,500 organizations (in the Netherlands and abroad) optimize their information security, prevent data breaches and improve their competitive position.

About Ivar van Duuren

Ivar van Duuren is a co-founder of ISOPlanner. He’s had experience with the fragmented ISO certification approach with separate documents and the pressure to do it within a certain deadline.

A simpler system that provided an overview and insight into the required measures and planning was the answer to this frustration. With its unique integration with Microsoft Outlook and Microsoft Teams, ISOPlanner provides a simple and clear tool during certification processes.


How to successfully start with ISO 27001 certification

What does an ISO 27001 certification project look like? What internal and external people and resources do you need? And exactly which measures are mandatory (or not)? Co-founder of ISOPlanner Ivar van Duuren explains.

ISO 27001 certification in a nutshell

To give you an overview of the whole process, here I briefly explain the main steps you need to take. The first step to start with ISO certification is to look at the context of your organization. Which parties are involved with you as an organization? Think about employees, shareholders, clients, suppliers, and other parties like that. And what do those parties expect from you when it comes to information security?

The next step is to determine the risks. What risks do you see as an organization when it comes to information security? And then you usually start formulating a policy: you choose the measures you are going to use to mitigate those risks and how you want to implement them in your organization. And finally, you make sure that you periodically check whether you still comply with this policy.

What help do you need with ISO 27001 certification?

You may wonder if you need help implementing the ISO 27001 standard or if you and your colleagues can do it yourselves. This depends on a few things.

First, it depends on how much experience you already have within the organization with implementing ISO standards. If you don’t have any, then it might be nice to bring in an external consultant to help you with the implementation.

This also helps maintain progress. Implementing ISO 27001 may not always be the highest priority among the various departments involved. There are always things that take priority: customers who need help, and projects that need attention. Bringing in a consultant can help you keep pace with implementation.

In addition, your need for help also depends on your decision to purchase a sample documentation package, for example. Such a package already provides a lot of information and sample documents that you need during implementation. It also provides a lot of structure that will help you implement ISO 27001 independently in your organization.

Internal stakeholders in ISO 27001 implementation

So who within your organization should you involve in the implementation of ISO 27001?

First, your management must be involved. This is an important requirement of the ISO 27001 standard. Management must have an active role in controlling information security in the context of ISO 27001.

In addition, more roles within your organization are relevant to information security. Very often we see an IT manager involved, for the technical aspects of information security. We also often see an HR manager, who has to control who enters the organization as an employee. So for such “in and out” processes, that HR manager is important.

And finally, there are often people involved who do operational work, such as setting up and making backups. These are also people you want to involve in this project.

Required services with ISO 27001 certification

What external services do you need with an ISO 27001 certification? What you need in any case is an external auditor. This is a party that checks whether you as an organization ultimately meet the requirements of ISO 27001.

From the ISO 27001 standard, another mandatory part is an internal audit. ‘Internal’ sounds a bit confusing, because it seems to imply that you can pick up this part internally. In principle, you can, but you need internal people who have the competencies to perform internal audits. And who therefore have experience in doing so.

However, many organizations that start with ISO 27001 certification do not yet have that experience. So many organizations have an internal audit performed by an external auditor. This is not the same party that performs the real external audit. But in most cases, this is an external consultant who helps you implement ISO 27001 and who also takes on the internal audit.

Finally, one of the measures in the ISO 27001 standard requires an external check on the technical security of applications you have developed yourself. Many organizations commission a pen test for this purpose. If that applies to you, you will of course need a specialist party for that as well.

Are all ISO 27001 measures mandatory?

Many organizations wonder which ISO 27001 measures are mandatory to implement. The standard contains an annex, Annex A, with many measures that you can implement. These measures aim to reduce your security risks.

Yet these measures are not mandatory, they are mere suggestions. The standard says that you must identify risks and take measures to control those risks. But you are not obliged to implement those suggested measures.

However, it is mandatory to indicate why you are implementing all these measures. For example, based on risks you see. Also, if you do not implement a measure, you indicate your reasoning. You are also free to create your own measures if you find them more appropriate to manage your identified risks.

How does an ISO 27001 certification audit work?

An external auditor checks whether your organization meets all the requirements of the ISO 27001 standard. This is a certifying organization whose purpose is to verify that you meet all the requirements. This is done during the certification audit, which consists of two parts.

The first phase consists largely of checking the documentation in place. The auditor checks whether your organization has all the mandatory documents you must have for ISO 27001. And also whether you have started your improvement cycle where necessary.

In practice, he or she assesses whether you have a working process, or an information security management system (ISMS). Which involves the following questions:

  • Do you have an overview of all your organization’s stakeholders?
  • Have you inventoried all the risks?
  • Have you taken measures to control those risks?
  • Have you written out policies to do so?

In the second phase of the certification audit, the auditor not only looks at documentation and the policies that have been written. Now the auditor also checks whether you are complying with the established policy.




Expert Tips On ISO 27001 Implementation

Expert Tips On ISO 27001 Implementation

Expert Tips On ISO 27001 Implementation
Comments

Written by

security island

Are you choosing to implement ISO 27001 standards for your organization? In this article, the co-founder of ISOPlanner Ivar van Duuren explains all about the benefits, challenges, duration, and costs of implementing ISO 27001. This way, you know what you’re getting into and can make this project a success!

The 3 benefits of ISO 27001 certification

The main advantage of obtaining an ISO 27001 certification is that you have the certificate. That means that you can demonstrate, for example to new customers who find it important that you as a supplier handle their data well, that you handle information security well. It may help that you no longer have to fill out an extensive information security checklist with new customers. But you can suffice by showing your certificate.

Certification can also make international business easier because ISO is an international organization. And ISO 27001 is an internationally recognized certificate. If you also want to do business across borders, having the certificate makes this a lot easier.

And, perhaps the most important benefit: implementing ISO 27001 makes you take information security much more seriously. No matter how well you are already doing as an organization, you will find that by implementing ISO 27001, the level of information security gets a whole lot better.


How long does it take to get ISO 27001 certified?

How long does it take to become ISO 27001 certified? That can vary quite a bit. Many organizations take at least a year. Other organizations opt to put all the available manpower into the project. And they do it in six months. 

If you use an application that also provides you with the documentation you need for ISO 27001, it can be as quick as within three months.


What are the costs of an ISO 27001 certification process?

For an ISO 27001 certification process, you need several things. One of the things you need in any case is a certification audit. An auditor checks whether your organization meets the requirements of ISO 27001.

Those costs depend very much on the size of your organization, and also on how many branches your organization has. But for a small organization, you can count on €15,000 over three years.


Next, you may opt to hire a consultant to help you implement ISO 27001. Again, these costs can vary considerably. But as a starting point, you can figure around €10,000.

Finally, you may want to use software to help you structure your processes. The cost of this is generally limited. You can get good management software for as little as €1,500 a year.

Additionally, you could choose to purchase a package of documentation for between €2,000 and €4,000. With this, you get a lot of the documentation that you need, which helps you cut your consultants’ fees.


What is an ISMS?

ISMS stands for Information Security Management System. It’s the set of documentation, tasks, and things that you record to fulfill the requirements of ISO 27001. So ISMS is not necessarily software, it’s not necessarily a particular application.

It can be, for example, a combination of documents and tasks scattered throughout your system. But all of that together actually constitutes your ISMS.

You can also choose to use software for your ISMS. That has the advantage of bringing all the elements together. And so you have an overview of your information security management system in one place.


Challenges with ISO 27001 implementation

What do organizations encounter most when implementing ISO 27001? One challenge is maintaining progress on the project. A project can take quite a while, roughly 3 to 12 months. So you have to make sure that you stay involved during that time and that progress is maintained.

The second thing that can be challenging when implementing ISO 27001, is involving all your employees who have a role in this. Make sure they get the information they need and do what they need to do.

Finally, once you’ve achieved ISO 27001 certification, it can be a challenge to keep up with the measures after that. You have to check that policies are being followed. And whether things are set up as you agreed. 

Is it mandatory to implement all ISO 27001 measures?

Are the measures included in ISO 27001 mandatory to implement? The short answer is: no.

You are obliged by the ISO 27001 standard to take inventory of the information security risks your organization faces, and then to take measures to mitigate those risks. In doing so, you can take suggestions from the list of measures included in ISO 27001 and assess whether or not you can use them.

You are also obliged to state why you’re implementing the specific measure from that list. For example, because you spot a risk, or because it’s some kind of best practice. Also, for each measure that you don’t implement, you are required to indicate why you don’t implement it.

So in theory, you can choose not to implement all those measures. And put together your own set of measures and implement just those. All with good explanation and justification.

What are the benefits of using sample documentation?

What are the advantages of using sample documentation when implementing ISO 27001? The first advantage is that you save a lot of time. All the documents that you need for ISO 27001 are provided to you so you don’t have to write them yourself.

You also get a structure. Your documentation won’t consist of just a list of documents. It will be delivered in a structure so you’ll know which risks belong to which measures. And which policies belong to which measures. So everything related will be already linked together. This provides you with a tremendous overview.

The third advantage is you won’t just save time and be provided with an overview, but you also have peace of mind. Because you have an example that you know is already OK. And you’ll know when you implement the measure, that it will be enough. And you’ll never have to wonder again, “Is this enough?”.


Compliance automation: challenges, practical tips, and KPIs

Compliance automation: challenges, practical tips, and KPIs

Compliance automation: challenges, practical tips, and KPIs
Comments

Written by

security island

In our daily practice, we’ve noticed that companies often work across multiple systems to meet certain compliance standards. For example, consider entering a new employee into an HR system.

Often, it starts with one HR system, after which the HR person asks another colleague by email to create a ticket. After that, another person requests access to certain business applications in the IT ticket system. And many things are still maintained in Excel or other working documents.

Error-prone situation resulting in corrective measures

This situation is error-prone because processes span multiple systems involving multiple people. The chance of someone forgetting something is greater, so the result is not always what it should be.

As a result, subsequent remedial work is required and the organization is startled by things that don’t work. When entering a new employee, this is still manageable. But when it comes to information security and the risk of incidents, it is a different story.

The ideal world: automatic triggers and to-do’s

In an ideal world, every process starts at a certain defined place. For example, that new employee or supplier entering the organization. Then, all successive steps flow automatically from one system to another. 

Each time an employee needs to do something, he or she is triggered by a certain system he or she already uses. For example, with an MS Teams Notification. In the ideal world, the result is also recorded there. And if someone forgets something, a trigger is created for that person.

What are the benefits of compliance automation for organizations?

When organizations automate their processes like this, they save time. Employees spend less time emailing back and forth and checking things. Instead, there is a smooth flow, where the right person is asked to participate in the process at the right time. As a result, you’ll notice a rise in the quality of the process.

For example, if a new employee joins the company, you’ll notice that this process will be completed quicker when automated. All the rights are set up correctly in an effective way. This way, employees can focus on what’s important, which is getting access to the right resources. And all this is recorded in a place where you have a good overview of the result.

This is what we call compliance automation.

Typical challenges with compliance automation

When your organization starts with compliance automation, you’ll have to have an overview of the processes you want to automate. It takes some work to map that out properly. 

It helps to have a system that keeps track of the outcome of all those automated processes. For example, if you want to comply with a standard for information security. You also have to deal with an auditor who visits once a year to assess whether everything is going well. And of course, you want to have an overview yourself.

You’ll also have to figure out how to link all the systems you work with and how to create a smooth flow. That also means you have to have the internal or external capacity to properly automate those processes.

In short, it is very important to have one system that links with all your other systems and automated processes.

How to stay up-to-date with the standard?

Of course, it’s one thing to implement a standard. Then you have a process of maybe three months to a year, where you’re busy shaping the policy and implementing all the requirements the standard places on you.

The real work comes after because by then you’ll have to keep track. You’ve created policies, but how do you know that the policies are being implemented?

So you must have a system where you can record all actions, including repetitive actions. And where you make sure that those actions also end up with the right employees in a place where they already work. So that they don’t have to log into yet another system whose password they lose. For example when tasks end up in their Microsoft Outlook, so they can handle them quickly and conveniently.

This way, you make it easier to stay up-to-date with everything that this standard requires of your organization and employees.

How do you measure the success of compliance automation initiatives?

You can measure the success of compliance automation by assessing how much time an employee saves with the automated process. Before you start compliance automation, map out how many FTEs are engaged in the process. And afterward, you check: how much extra time do employees have now that the process is automated and no longer carried out manually?

Or assess the turnaround time of certain processes, such as onboarding a new employee. How long does the whole process take today, from entering personal data to having the Certificate of Good Conduct (VOG) on file and granting access to the relevant company systems? After automating the process, you can see how much shorter the turnaround time has become.

A third measure or Key Performance Indicator (KPI) is the quality of the process or the error rate. How often did things go wrong in the past and how often was a corrective action needed? Or were things forgotten that were needed for that particular process?

Also measure your success by goals, for example in the area of information security. Think of reducing the number of incidents as a KPI.

Overview and sample documentation

ISOPlanner was initially set up as an application to keep a good overview of all the policies and tasks involved in maintaining an ISO standard. After several successful implementations, however, we noticed that our customers also needed documentation for the specific ISO norm they were working towards, for example when starting with ISO 27001.

For this purpose, we partnered with Instant27001, which allows our customers to activate that entire package of documentation within ISOPlanner. This gives them a filled management system at once, including all the policies and processes they need. This also saves them a lot of time.

Case study: municipality and the BIO standard

One example of this collaboration was for a municipality in North Holland that wanted to comply with the BIO standard, an information security standard specifically for governments.

Working with ISOPlanner and Instant27001 gave them access to lots of templates for BIO policies and processes. They no longer had to create these themselves. The templates were loaded into the ISOPlanner system and, based on the documentation, they could very quickly start implementing the compliance standards. They also got a very good overview of all required activities and the status of implementation. In short, this overview and documentation saved them a lot of work and made them more efficient.

About Ivar van Duuren

Ivar van Duuren is a co-founder of ISOPlanner. At previous jobs, he experienced the fragmented ISO certification approach with loose documents and the pressure to do it within a certain deadline.

A simpler system that provided an overview and insight into the required measures and planning was the answer to this frustration. With its unique integration with Microsoft Outlook and Microsoft Teams, ISOPlanner provides a simple and clear tool during certification processes.

More tips about compliance automation?

Feel free to contact us. We would be happy to think it through with you!

Related Articles

How to successfully start with ISO 27001 certification

What does an ISO 27001 certification project look like? What internal and external people and resources do you need? And exactly which measures are mandatory (or not)? Co-founder of ISOPlanner Ivar van Duuren explains. ISO 27001 certification in a nutshell To give you...

Expert Tips On ISO 27001 Implementation

Are you choosing to implement ISO 27001 standards for your organization? In this article, the co-founder of ISOPlanner Ivar van Duuren explains all about the benefits, challenges, duration, and costs of implementing ISO 27001. This way, you know what you're getting...

Compliance automation: challenges, practical tips, and KPIs

In our daily practice, we’ve noticed that companies often work across multiple systems to meet certain compliance standards. For example, consider entering a new employee into an HR system. Often, it starts with one HR system, after which the HR person asks another...

Sign Up For Our Newsletter

Join over 1,000 ISO professionals for the latest ISO insights

Compliance automation: is your organization ready?

Written by

security island

What exactly is compliance automation? Why is it important for businesses? And what are the actual benefits of it?

What is compliance automation?

Compliance is about complying with policies you have created yourself, with requirements that external parties impose on you, or with an information security framework you have chosen to follow.

Automation is about automating those processes by which you ensure compliance with those policies.

The importance of compliance automation for businesses

Compliance automation is important for companies because the requirements are increasing. Both externally and internally, companies find it increasingly important that information is properly secured.

To this end, companies draw up policies that must be complied with. All the spot checks needed to verify that the policy is actually being followed take more and more time, and the more of them there are, the more error-prone they become.

So compliance automation is important to make sure that compliance with laws and regulations remains manageable and that its quality remains good as well.

The key benefits of compliance automation

The main benefit of compliance automation is, first and foremost, saving time. There are processes you can automate that are otherwise performed by humans. Especially if these are processes that take place more frequently and periodically. Then you can save a lot of time by automating those.

Another important benefit of compliance automation is that it increases the quality of compliance. If you have people doing checks, the chances of errors are fairly high. People may be distracted or have other work they’re busy with. So there’s a chance of the check not being done. There’s also a chance that the check won’t be done completely.

Compliance automation solves this by automatic and periodic checks.

How does compliance automation improve efficiency?

Compliance automation also improves efficiency because a process is always executed the same way. Human slips, such as a step skipped or a record not updated, no longer occur, and any error that remains is systematic, so it shows up in every run and can be fixed once. This way you also always get a comparable result.

Another way compliance automation improves efficiency is because you can do checks much more frequently. For example, you might have someone do a check every quarter because it fits into that person’s work schedule.

But if you automate a process like that, you might as well do the check daily. That way you also find out much faster if policies are not being followed.

Here are three standard situations that can be improved very well with compliance automation.

1. Compliance automation: new suppliers

An example of a compliance process you can automate well is the onboarding of new suppliers. When there is a new supplier, all kinds of checks have to be done. To automate that, the moment a supplier is added to your ERP system, you can have a task triggered in our application ISOPlanner.

For example, someone gets notified and checks whether the supplier itself has an ISO certificate, or stores data in the right location.

You can automatically assign such a task to a specific person, ideally through a communication channel they already use, such as a Teams notification. This way you can be sure the check is actually carried out: if it is not completed in time, that triggers another notification to a second person.

2. Compliance automation: onboarding new employees

Another example of a process that you can automate well is the onboarding of new employees. For every new employee who enters the organization, you need to do several things. Consider a background check, requesting a Certificate of Good Conduct, or creating certain accounts.

The moment you create a new employee in the system, you can add a trigger that causes a colleague to perform those checks and record the result as evidence that the check was completed.

3. Compliance automation: customer satisfaction

Measuring customer satisfaction is another process that you can automate well. For example, if you send your customers surveys asking how satisfied they are with your services, you store that information in ISOPlanner. This gives you insight into the scores your customers give you over a longer period.

In addition, it is relatively easy to set a trigger if the value drops below a certain average so that you can take action to increase that satisfaction.
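The three triggered checks above follow one pattern: an event opens a task with an owner and a deadline, the task is closed only with recorded evidence, and a task that passes its deadline escalates to a second person. The Python below is an added example of that pattern, not ISOPlanner's code; the supplier checks, the five-day deadlines, the role names and the "Acme Hosting BV" record are constructed for illustration. It also computes the turnaround-time KPI from the earlier section over the closed tasks.

```python
# Added example, not ISOPlanner code: the triggered-check pattern with
# evidence and escalation. Checks, deadlines and names are assumptions.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Required checks when a supplier is added, with the time allowed for each (assumed).
SUPPLIER_CHECKS: dict[str, timedelta] = {
    "iso27001_certificate": timedelta(days=5),
    "data_location_eu": timedelta(days=5),
}


@dataclass
class Task:
    control: str            # which check this is
    subject: str            # e.g. the supplier name
    owner: str              # who has to perform the check
    escalate_to: str        # who hears about it when it is overdue
    opened: datetime
    due: datetime
    closed: Optional[datetime] = None
    evidence: Optional[str] = None   # reference to the stored proof, e.g. a document id
    escalated: bool = False


def open_supplier_tasks(supplier: str, owner: str, escalate_to: str,
                        now: datetime) -> list[Task]:
    """Trigger: a new supplier appears in the ERP. One task per required check."""
    return [Task(check, supplier, owner, escalate_to, now, now + sla)
            for check, sla in SUPPLIER_CHECKS.items()]


def close_task(task: Task, evidence: str, now: datetime) -> None:
    """A check only counts as done when a reference to the evidence is recorded."""
    if not evidence:
        raise ValueError("an evidence reference is required to close a compliance task")
    task.evidence = evidence
    task.closed = now


def run_escalation(tasks: list[Task], now: datetime) -> list[tuple[str, str]]:
    """Daily job: remind owners of open tasks; escalate each overdue task once.

    Returns (recipient, message) pairs; a real system would turn these into
    Teams notifications or Outlook tasks instead of returning them.
    """
    notifications: list[tuple[str, str]] = []
    for t in tasks:
        if t.closed is not None:
            continue
        if now > t.due and not t.escalated:
            t.escalated = True
            notifications.append((t.escalate_to,
                f"OVERDUE: {t.control} for {t.subject} (owner {t.owner}, due {t.due:%Y-%m-%d})"))
        else:
            notifications.append((t.owner,
                f"open: {t.control} for {t.subject}, due {t.due:%Y-%m-%d}"))
    return notifications


def turnaround_days(tasks: list[Task]) -> Optional[float]:
    """KPI: mean days from trigger to recorded evidence, over closed tasks."""
    durations = [(t.closed - t.opened).total_seconds() / 86400
                 for t in tasks if t.closed is not None]
    return sum(durations) / len(durations) if durations else None


def demo() -> dict:
    """Constructed walk-through: one check closed on day 2, the other left open."""
    t0 = datetime(2024, 3, 1, 9, 0)
    tasks = open_supplier_tasks("Acme Hosting BV", "procurement.lead", "ciso", t0)
    close_task(tasks[0], "doc-7f3a", t0 + timedelta(days=2))   # certificate verified
    notes = run_escalation(tasks, t0 + timedelta(days=6))      # day 6: second check is overdue
    return {
        "recipients": [recipient for recipient, _ in notes],
        "escalated": [t.control for t in tasks if t.escalated],
        "turnaround_days": turnaround_days(tasks),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any tooling you use: closing a task without an evidence reference is refused, so the audit trail cannot have gaps, and escalation fires once per task rather than every day, so the second person gets a signal instead of noise.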

Is your organization ready for compliance automation?

Ever wonder if your organization is ready for compliance automation? Then take a look at how much time it currently takes you to ensure compliance with a particular policy. How much time are employees spending on all those checks they have to perform periodically?

If you discover that this requires a significant time investment, then the conclusion is that you are ready to automate such processes. And thus gain time benefits from this.

Another indication is if you notice that employees should be doing checks, but in practice this does not happen. Or it happens too little or not completely. That’s also a good reason to start with process automation.

Tips for getting started with compliance automation

Are you getting started with compliance automation? Then first make sure your organization has systems in place that can be automated.

Often, you’ll want a system where you record the results of all those checks you do. Think of a system like ISOPlanner, for example. With that, you retrieve all the relevant information and record it in files. The big advantage? This way you can also show an auditor the result of all those automated processes.

Of course, you also need the people and capacity to automate those processes. This is a different kind of work than compliance itself. You need internal or external people to set up these automated processes.

It is advisable to start by checking which processes are now done manually. Where do people check – periodically or more frequently – whether something is being complied with? Consider the example of onboarding a new employee who goes through several stages. Which checks take place manually?

In addition, you need to know which of those steps interact with which systems. And how you connect those systems.

Also read: Compliance automation: challenges, practical tips, and KPIs

Conclusion

In short, compliance automation is essential for companies that want to comply efficiently with (changing) laws and regulations, because internal and external information security requirements are becoming increasingly complex. The main benefits of compliance automation are time savings and improved quality of compliance.

Whether your organization is ready for compliance automation depends on the amount of time currently spent on compliance checks and whether there is room for improvement. A good approach is to start by identifying processes that are now performed manually and mapping which systems are involved.

About Ivar van Duuren

Ivar van Duuren is co-founder of ISOPlanner. He’s had experience with the fragmented ISO certification approach with separate documents and the pressure to do it within a certain deadline.

A simpler system that provided an overview and insight into the required measures and planning was the answer to this frustration. With its unique integration with Microsoft Outlook and Microsoft Teams, ISOPlanner provides a simple and clear tool during certification processes.

More tips about compliance automation?

Feel free to contact us. We would be happy to think it through with you!


7 Tips for creating an authorization matrix

Written by

security island
An authorization matrix is an important tool within organizations to manage access rights to systems and sensitive data. It provides insight into who has what rights and ensures that only authorized individuals have access to relevant information.

In this article, we share tips for creating an effective authorization matrix as part of the company’s information security policy.

What is an authorization matrix?

An authorization matrix is a document that links the various roles and responsibilities within an organization to specific access rights. It provides a structured overview of who may perform what actions and what data he or she may access or share.

The importance of an authorization matrix

Having a well-thought-out authorization matrix has several benefits:

1. Information security

By allowing only the right people to access specific information, an authorization matrix minimizes the risk of inadvertent or malicious access to sensitive data.

2. Compliant with regulations

An authorization matrix helps your entire organization to comply with laws and regulations, such as the General Data Protection Regulation (GDPR, known in the Netherlands as the AVG). It documents who is authorized to access personal data, which you need both to grant access correctly and to demonstrate it to a regulator.

3. Efficiency in work processes

By clearly defining who is allowed to perform which tasks, you streamline the processes within your organization. This increases efficiency.

4. Transparency of responsibilities

An authorization matrix provides transparency within an organization. Everyone knows what rights and responsibilities belong to each role, leading to better collaboration and communication.

7 Tips for creating an authorization matrix

Here are 7 tips for creating an effective authorization matrix:

1. Analyze the roles within the organization

Identify all functions and roles within the organization that require access rights. Consider department heads, team leaders, employees with specific tasks, and any external parties.

2. Link specific tasks to each role

Determine which tasks and actions belong to each role. Use input from the relevant employees to get as accurate a picture as possible.

3. Define the access rights needed

For each role, identify the data and systems required to perform the function. Document these access rights accurately, including any restrictions or exceptions.

4. Establish responsibilities

Clearly describe who is responsible for maintaining and updating the authorization matrix. For example, this could be a specific department or person.

5. Involve all stakeholders

Ensure that all relevant parties are involved in creating the authorization matrix. Think of IT staff, HR staff, and executives. This way you will create support for its content and you won’t overlook important input.

6. Take into account changes in roles and functions

Organizations are dynamic and roles can change. Make sure the authorization matrix is flexible enough to accommodate changes quickly without compromising security and compliance.

7. Evaluate regularly

Schedule regular review moments to verify that the authorization matrix is still current and meets the needs of your organization. Adjust it as needed.
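The tips above treat the matrix as a document. Kept as data, it can also drive the regular review that tip 7 asks for: compare what the systems actually grant to each account against what the matrix allows for that person's roles, and flag excess rights, orphaned accounts, stale matrix entries and separation-of-duties conflicts. The Python below is an added example, not part of the article or of ISOPlanner; the roles, permissions, accounts and the conflict rule are constructed for illustration.

```python
# Added example, not from the article or ISOPlanner: the authorization matrix as data,
# plus the checks a periodic access review should run against it. All roles,
# permissions, accounts and the separation-of-duties rule are constructed.
from __future__ import annotations

# Role -> permissions the role is allowed to hold (tips 1 to 3).
# Permission format: "<system>:<action>".
AUTH_MATRIX: dict[str, set[str]] = {
    "hr_officer": {"hris:read_personnel", "hris:write_personnel"},
    "payroll":    {"hris:read_personnel", "finance:approve_payment"},
    "developer":  {"repo:write", "ci:run", "prod:read_logs"},
    "ops_admin":  {"prod:admin", "prod:read_logs", "ci:run"},
    "auditor":    {"hris:read_personnel", "finance:read_ledger", "prod:read_logs"},
}

# Role pairs a single person must not hold at the same time (separation of duties).
SOD_CONFLICTS: set[frozenset[str]] = {
    frozenset({"developer", "ops_admin"}),
    frozenset({"hr_officer", "payroll"}),
}

# Who holds which roles, as maintained by HR and the matrix owner (tips 4 and 5).
ROLE_ASSIGNMENTS: dict[str, set[str]] = {
    "alice": {"hr_officer"},
    "bob":   {"developer"},
    "carol": {"developer", "ops_admin"},
    "dave":  {"auditor"},
    "erin":  set(),               # has left; roles were removed
}

# What the systems actually grant, exported from the systems themselves (constructed).
GRANTED: dict[str, set[str]] = {
    "alice": {"hris:read_personnel", "hris:write_personnel", "finance:approve_payment"},
    "bob":   {"repo:write", "ci:run"},
    "carol": {"repo:write", "ci:run", "prod:admin", "prod:read_logs"},
    "dave":  {"hris:read_personnel", "finance:read_ledger", "prod:read_logs"},
    "erin":  {"repo:write"},      # account never deprovisioned
}


def allowed_for(roles: set[str], matrix: dict[str, set[str]] = AUTH_MATRIX) -> set[str]:
    """Union of the permissions the matrix allows for a set of roles."""
    unknown = roles - set(matrix)
    if unknown:
        # A role nobody defined in the matrix is itself a finding: fail loudly.
        raise KeyError(f"roles not in authorization matrix: {sorted(unknown)}")
    return set().union(*(matrix[r] for r in roles))


def review(matrix: dict[str, set[str]],
           assignments: dict[str, set[str]],
           granted: dict[str, set[str]],
           sod_conflicts: set[frozenset[str]]) -> dict[str, list]:
    """Compare granted rights against the matrix for every account.

    excess:   granted but not allowed by any of the person's roles (revoke)
    missing:  allowed by a role but not granted (matrix stale, or onboarding incomplete)
    orphaned: account with rights but no roles (leaver, deprovision)
    sod:      person holding a conflicting role pair
    """
    findings: dict[str, list] = {"excess": [], "missing": [], "orphaned": [], "sod": []}
    for user in sorted(set(assignments) | set(granted)):
        roles = assignments.get(user, set())
        actual = granted.get(user, set())
        if not roles and actual:
            findings["orphaned"].append((user, sorted(actual)))
            continue
        allowed = allowed_for(roles, matrix)
        findings["excess"] += [(user, p) for p in sorted(actual - allowed)]
        findings["missing"] += [(user, p) for p in sorted(allowed - actual)]
        findings["sod"] += [(user, tuple(sorted(pair)))
                            for pair in sorted(sod_conflicts, key=sorted)
                            if pair <= roles]
    return findings


if __name__ == "__main__":
    for kind, items in review(AUTH_MATRIX, ROLE_ASSIGNMENTS, GRANTED, SOD_CONFLICTS).items():
        print(kind, items)
```

The point of comparing against an export from the systems, rather than against the matrix's own idea of who has what, is that the review catches drift in both directions: rights granted outside the process show up as excess or orphaned accounts, while rights the matrix promises but nobody granted show up as missing, which usually means the matrix itself needs the update tip 6 describes.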

Conclusion

By following the above tips, you can create a solid authorization matrix that ensures secure, efficient, and transparent data access control within your organization.

An up-to-date authorization matrix is a common way to demonstrate the access control and access rights requirements of ISO/IEC 27001:2022 (Annex A controls 5.15 and 5.18) during certification. This certification provides a solid framework for complying with laws and regulations and taking data protection to the next level.

Need help implementing ISO 27001 certification?

Need help taking steps to comply with ISO 27001 certification? ISOPlanner prevents financial and reputational damage by providing an approachable way to help organizations comply with increasingly complex laws and regulations. Start a free trial of our software or contact us, we are happy to help!
