Between 2023 and 2024, Practical Infosec implemented ISO 27001 for iWebDevelopment. We were delighted to get this client certified to ISO 27001 in September 2024, which was a testament to the activities that had been undertaken over the previous year.
Personally, it was a really fun project and a great opportunity to be a part of. We thought now would be a great time to reflect on this project, sharing highlights of the journey.
Who is iWebDevelopment?
iWebDevelopment is a Dutch-based business that provides a connector service allowing web-shops, marketplaces, CRMs and banks to link with accounting software on a global scale. Their founder and director, Yannick, was our main point of contact during this engagement and contributed greatly to the success of the project.
iWebDevelopment are now proudly certified to ISO 27001, as seen on the UKAS public register.
What is ISO 27001?
Simply put, ISO 27001 is an internationally recognised standard for establishing, implementing and maintaining an Information Security Management System (ISMS) within a business.
An Information Security Management System (ISMS) is a structured approach within a business, consisting of the policies, procedures, processes and systems in place to manage sensitive information.
The goal of the ISMS is to ensure the confidentiality, integrity and availability of this information by identifying any associated risks, implementing necessary security controls and continuously improving business security practices.
ISO 27001 is one of the most globally recognised standards in regard to information security. For a more in-depth breakdown about the process, you can read about it on our website.
In a nutshell, ISO 27001 helps manage information security risk within a business.
Implementing ISO 27001 in a small business
Typically, ISO 27001 is more commonly implemented within larger businesses. However, small businesses can also reap many of the benefits this standard provides. It gives small businesses a structured framework for managing their information security risk.
From our experience, small businesses tend to have fewer processes in place around information security in comparison to larger businesses. This makes sense given the time, resource and cost involved in managing information security.
To read up more on why ISO 27001 makes sense to implement within a small business, you can read our previous blog on this topic here.
How long did it take to implement?
For iWebDevelopment, we were given the task of implementing ISO 27001 into their business, with a projected timeline of 12 months. We kickstarted the project in the back end of summer 2023, with certification achieved in September 2024. Spacing the project over this period gave us an opportunity to slowly and carefully ensure we were implementing the right changes, not rushing for the sake of “check-box” compliance.
Yannick’s strong desire to improve security, and his involvement throughout, were critical to the success of the project.
Spacing the project out in this way also gave us a good timeframe to build an ISMS that fits the business, factoring in their context.
What did we do?
We had previously worked with iWebDevelopment on smaller projects, but this project was a step up in scale and complexity. Although we were not starting from scratch, the foundations that were laid helped contribute to overall success. Over the course of this project, we developed key documentation, such as information security policies and an asset register.
To ensure frequent meeting times were scheduled, we established biweekly collaborative meetings with the business director Yannick. These biweekly meetings were invaluable for collaborating with the director, gathering crucial information, aligning behind-the-scenes activities, and tackling tasks together. Thanks to these sessions, we were able to gain a deeper insight into critical platforms, how they operated, alongside their security configuration.
ISO 27001 is typically implemented using the Plan-Do-Check-Act cycle, which was the backbone of the project. The journey began with a gap analysis, assessing the different security pillars holistically. This helped pinpoint areas to prioritise, such as measures that were not currently in place. One standout area was a lack of frequent training and awareness for employees. We tackled this almost immediately by running a first training session in Q3 2023, helping to sprinkle a flavour of security across the culture of the business.
Laying the Groundwork
Q3 and Q4 of 2023 were dedicated to gaining a feel for the business. This period was all about capturing contextual information, helping to address clause 4 of ISO 27001. We worked closely with the director to identify interested parties and document their expectations, ensuring we didn’t overlook anything in the implementation of the ISMS. Around this time, we made significant progress in building the asset register, which allowed us to identify critical assets and their security measures.
This work naturally fed into the risk assessment process. Using industry data reports, we examined various scenarios and identified key risks to the business. Once the risks were defined and scored by severity, treatments were then determined, prioritised and addressed throughout the project.
Focus on software development
The core function of iWebDevelopment’s business activity is software development, so this became a key cornerstone of our efforts. We conducted an in-depth review of the business’s development practices, using guidance provided by the NCSC, to identify any gaps in their process compared to best practice. This led to the creation of the software development policy, supported by a security training session for developers.
Building the Information Security Management System (ISMS)
As we progressed with the project, the documentation and insights we had collected enabled us to perform targeted reviews. One highlight was conducting compliance reviews against security requirements from third parties. These requirements had been identified by reviewing the documentation, such as policies and contracts, provided by those third parties. This ensured that the business was meeting its obligations, whilst also identifying any gaps in the ISMS.
Taking momentum into 2024
Shifting into 2024, we launched the training and awareness plan, providing staff with live quarterly training sessions. These sessions were tailored more closely to the business, thanks to the information captured along our journey up to that point.
Simultaneously, we focused on creating new policies and updating any existing policies to instil security best practices that also practically fit iWebDevelopment.
The findings from the activities conducted to this point allowed us to set the information security objectives. These objectives provide iWebDevelopment with key targets that it would like the ISMS to achieve.
Throughout 2024, we worked on ensuring the right documentation for ISO 27001 compliance existed. Documents such as the statement of applicability were reviewed, assessing which Annex A controls were relevant. Consistent progress on these steps took us closer to the auditing stages.
Having our homework marked - the audit stages
By the time Q3 2024 began, we felt confident that the ISMS had reached a mature stage, ready to be audited against the ISO 27001 standard. To ensure impartiality, we engaged an external third party to conduct the internal audit. This step made it feel very official, offering an opportunity to evaluate the project’s strengths and identify areas for improvement.
The internal audit was a very thorough process, and the entire ISMS was measured against the ISO 27001 standard. As expected for a first-time audit, a few gaps were identified, but nothing major. The findings raised were invaluable, helping refine the ISMS before the external audit. One finding that improved the ISMS was setting key performance indicators (KPIs) for the information security objectives. These KPIs were integrated into quarterly assessments, providing clear targets to be measured against.
Between the internal and external audit, we held the management review, using the agenda found in Clause 9.3 of the ISO 27001 standard. This allowed us to revisit and reassess areas that had not been reviewed since the start of the project, such as if there were any changes in needs and expectations from interested parties.
The external audit was conducted by a UKAS-accredited firm. The two stages took place between the end of Q3 and the start of Q4 2024. Overall, this process achieved the desired result, although at times it did feel very much like the business context wasn’t fully considered and some focus areas were not super relevant. Despite these challenges, we performed strongly in the external audit, and iWebDevelopment proudly achieved their ISO 27001 certification.
Having our ISMS assessed and seeing it certified was a very rewarding moment. This was a true testament to all the dedication that had been put in over the previous year from all those involved.
Any pitfalls?
Any large project will have its fair share of challenges, and ISO 27001 implementation is no exception. Over the course of this project, we did encounter some hurdles that provided valuable lessons.
Our initial challenge was navigating the ISO 27001 standard. Although the standard is intentionally concise, it was not always clear how to determine next steps or set priorities during implementation. This has become more manageable as we have become more familiar with the standard’s expectations. The auditors further helped here by showcasing their expectations and priorities for the maintenance of the ISMS.
Another issue we encountered was finding an internal auditor from an external company. Few companies advertise this service online. Out of the few that did, there was a lack of transparency on costs and what to expect. Fortunately, we managed to find an excellent internal auditor from Daisy.
For anyone who is also implementing ISO 27001, I would recommend booking your audits earlier in the process. We scheduled audits from Q2 2024 onwards; however, lead times can typically range from weeks to months. This can create unnecessary pressure if you have a strict timeline to stick to. These lead times resulted in the project being delivered slightly later than expected. Moving forward, we know to plan these audits in advance to avoid having to run around finding the best availability.
Furthermore, our experience with the external auditor wasn’t entirely smooth. Despite the firm being accredited, their approach felt misaligned. Challenges arose from the auditors deep-diving into areas of less relevance to the business and its risk. The reports produced had a handful of inconsistencies and grammatical errors.
What did the client think?
iWebDevelopment thought very highly of the work we had done. In particular, they liked “the pro-active approach in helping us, coming up with new ideas, very structured working and quality of work”. They were also appreciative of us taking on workload, such as requesting quotes and hosting calls with auditors, and presenting the client with options to pick from.
What next?
The journey to successfully implement ISO 27001 for iWebDevelopment was driven by collaboration, contextual understanding and continuous improvement. As they continue their journey, we shift focus from building the ISMS to maintaining, expanding and improving it. iWebDevelopment is now well-positioned to maintain ISO 27001 compliance, while adapting to a constantly evolving threat landscape to safeguard their business effectively.
For us as consultants, this project was not only a rewarding learning experience, but also a proud moment of achieving our client’s desired outcome.
If small business cyber security is an area you wish to focus on, or you have any enquiries about ISO 27001 or anything else, you can book a free call here or get in touch.