“ISOOOO thought that was finished months ago” or “ISOOOO don’t have time for that”
This used to be the general reaction when I told people I needed their help managing our ISO27001 processes and procedures to get ready for an audit.
Now that’s all changed. It might not be cutting-edge DevOps engineering techniques or the latest fancy application, but I’ve spent the last 7 months changing people’s minds about ISO 27001, showing them how important it is to us as a company and how we have made it part of daily life. It’s also become a big part of me, my development and the role that I play as part of the wider team.
A few weeks ago, a member of a team at a customer site (who we will call Paul*) asked me if I would help him with the ISO-related world, having heard that I head up ISO certification sustainability at DevOpsGuys. This is completely unrelated to the work we are currently doing with them and not normally something I would do. I could see the look of unease on his face: he had been dropped into a role he knew nothing about. He’d been given a standard and told to read it. There is nothing worse! He said that after a few attempts he gave up; he was just lost, as it was too dry to read. The excitement of being given an opportunity to shine while doing something new had died one week in. This made me think back to when I first took this on and how hard it was.
You google ISO and, I’ll be honest, most of the information that comes up is very dry. Whether it is ISO27001 (which we are certified in) or any other ISO standard, it’s always the same thing: basic regulation information, preparation advice (lacking anything substantially helpful) and, in most cases, a pitch for a service that will help you implement the standard. There are not many pages out there with candour about what it’s like running the standard day to day once it is established, or about how to start learning it (without losing your mind!), which is what I needed when I first started. I needed someone to give me answers to all the questions I had and show me the key things about ISO27001, especially how an implemented standard should be run day to day. All I kept reading was that “everyone implements it differently”, which didn’t help me at all and made me feel defeated and fed up before I’d even started.
When I first agreed to take on ISO27001 sustainability I was, in that instance, like Paul*: full of energy and wanting to be the best. I’d undertaken ISO standards (9001, 14001 & 18001) implementation, sustainability and audits in previous jobs, which I’d enjoyed and which had helped further my all-round skills. This was different, though. I wanted to prove myself in my role as a delivery manager and, even more, I wanted to prove that I could understand not just the processes and the procedures but the technology that goes along with ISO27001.
I was also taking on a strand within our company that someone else had originally owned and had done their way. We all know how difficult it can be when someone new changes the processes and procedures.
I could see the same look on Paul’s* face, of panic, impostor syndrome and feeling like a failure, when we sat down a week later for an hour with a cup of coffee and a chat. It’s the same look I had in my second week in the role, when I had to give an update to the head of Business Operations and a senior delivery manager. I felt like I floundered my way through the hour-long report, unable to answer their questions or give them anything substantial on where we currently stood with regard to the impending audit. I came away feeling defeated and useless when really I’d only just embarked on this journey and shouldn’t have been so hard on myself.
It was a few days after this meeting that I had what you might call a lightbulb moment, and it came from talking to one of the engineers on my team. Just like sitting down with Paul for an hour, chatting things through and reassuring him, it made me realise that there are other people out there who each know lots of bits of information, and that I need to make use of them.
To take it back to the start and stop feeling like I was floundering, Stewart suggested I put some questions to the people who had been involved in the original implementation of ISO27001. So I sat and made a list, but there were two questions that kept recurring and that seemed the most pertinent: Why is this ISO standard so important to us? What value does completing the year 2 audit give us?
These questions needed to be answered by the leadership team, who could also guide me on their vision for the company. That would let me work out how to streamline our ISO27001 processes and procedures and make the daily management and sustainability of the certificate run more smoothly.
I picked out individual members of the leadership team and the people involved in the implementation and asked them all the same two questions. Each department had its own reasons for why we implemented it and how we should move forward, but there was always one recurring theme: our relationship with our customers.
One of the most important elements in the way we work is the trust and relationship we build with our customers. Holding ISO27001 proves to our customers that we take information security seriously, and it starts building a relationship on those foundations.
This theme made me realise that sustaining ISO27001 isn’t just about DevOpsGuys but about our customers. It also made me realise that processes and procedures are not set in stone. If they are not working or are creating pain, find the root of what they are for and identify ways to change them.
So that is what I have been doing over the past 7 months. I threw the standard to one side and picked through all our documentation, processes and procedures relating to ISO. I’ve asked a great many questions and drawn on help from throughout the business. We now have a diverse Information Security Management System (ISMS) team in place, ranging from our CTO Steve and John from accounts to one of our engineering interns, Dominic. We also have a great relationship with Bridewell Consulting, who helped implement the standard at the very start and who have just helped us recertify for Cyber Essentials.
Written by our Delivery Manager Kate Martin.