Growing up. It happens to all of us at some stage, and part of growing up means doing the things you've been putting off for some time.
For EndGame, one well-intentioned, but never achieved, task was to reach ISO27001 compliance.
We've made it, and we've learnt a fair bit through the process. Some of it we expected going into it, while some of it surprised us. For those putting it off, we wanted to share our experiences in the hope they provide some value to you. So here goes - our top tips when exploring ways of reaching ISO27001 compliance.
For a task to stay on a 'to do' list for a long time normally means one of two things - it is hard (requiring energy), or it takes a long time to complete.
With ISO27001, both applied. We knew it would take a significant amount of time, and it did. It was a combination of both thinking and writing time. There weren't a lot of shortcuts to be taken given we committed right from the start to make it right for EndGame.
While the initial stage of identifying, developing and writing policies took time, we recognise that it also takes time to embed the results into the organisation.
Make sure you go into this process with your eyes open, accepting that this isn't a quick fix - allow yourself considerable amounts of time to make it happen!
Related to the point above, once we accepted that it would take considerable time to reach ISO27001 compliance, we adopted an approach that carved out the various policies and processes to be written and assigned these to the wider team.
This reduced the significant workload that would otherwise have been placed on one individual. It also meant people were able to identify and more fully understand the risks we were trying to mitigate. As a result, we feel we have better and more comprehensive policies and processes associated with ISO27001.
This approach also meant people had the opportunity to inject some personality into the policies. Far from being a set of templated policies purchased through an external supplier (which was an option), we now have a set of policies and processes that are completely tailored to our own people and environment, with our own personality added!
As a business built on helping our partners grow sustainable SaaS businesses, we work with organisations of all sizes. Some will have thousands of employees, while others may consist of only the founder.
We found the key to working with this range of sizes is to make the policies and processes flexible. We've developed a base suite of policies that are non-negotiable. To do business with EndGame, partners must agree to this set of policies. But how these policies are implemented is discussed with each partner and an approach that works for them is agreed on.
It means our partners get the value of a robust approach to information security, while not being forced into any agreements that are overly restrictive for their business. It also means they don't have to adopt processes that deliver little perceived value to their business.
There is a temptation to make policies and processes all about prevention. There's no doubt that prevention is an important focus. But it isn't the only focus. You can't afford to lose sight of the recovery aspect to information security. Any process implemented needs to consider the recovery of information.
To use a house analogy, it's all very well to have a security alarm at your house to prevent a burglary, but it is prudent to have an insurance policy to replace the goods if burglars make it past the alarm system.
We found that by paying attention to both prevention and recovery when developing policies and processes, we ended up with a far more robust solution than we would have by taking a singular view based on prevention. Like the house example above, we believe it is a more complete solution for information security.
In growing EndGame, we've always been conscious about information security. We've always had policies and processes in place to ensure the information we have is secure and held in a responsible way.
However, we knew we could be better. We felt that by becoming ISO27001 compliant we'd have a more robust set of policies and processes that were recognised at an international level. We knew there would be gaps identified by going through the exercise, and we were comfortable with that. We kept the overall objective in mind - a stronger, more robust environment when it came to information security.
Like growing up, things constantly change with information security. Policies are just the start. It's great to have the initial versions written, but recognise that they are only a starting point. To remain fit for purpose, constant monitoring, reviewing and adjusting is required to ensure the hard work to get to ISO27001 level remains valid.
To be clear, we've never viewed this as a 'set and forget' process. We know it will require an ongoing commitment to ensure we remain compliant, and we're more than ok with that.
Reflecting on what we have learnt going through the ISO27001 compliance process, we recognised that it was tempting to leave it on the 'to do' list.
It was a big effort from a number of people throughout EndGame, but we believe there are real benefits to the approach we took.
By identifying relevant risks in the business, we were able to find gaps in our current approach that we would not have considered had we not gone through this process. An example of this was around people. How would we manage if a key person wasn't around when needed?
This naturally led to wider conversations and mitigation strategies. The outcome is that EndGame is stronger for it.
For our partners, there are clear benefits too. All partners now benefit from an internationally-recognised level of information security that can cater for their business, regardless of their size.
For our smaller-sized partners, this means it's something they don't have to worry about, so they can get on and focus on growing their business.
It also means they can leverage an enhanced information security level when discussing security aspects with potential investors - giving them the confidence that the business has robust policies and processes in place.
For our larger clients, it means that we can tailor our approach to meet their own organisation's needs when it comes to information security, e.g. enhanced levels of reporting.
We knew there were other options we could have taken. We could have hired a consultant to do the heavy-lifting in order to get it done. We could have purchased an off-the-shelf set of policies and processes that ticked all the boxes to make EndGame compliant.
In both instances, we didn't feel this was the right approach. We had a strong desire to make this more than a bunch of paper and policies tucked away somewhere that no one paid any attention to.
For us it was important that it felt like something that was important to everyone at EndGame, and that could be embedded into our business with a very EndGame feel. We know there's still work to do, and always will be, but it feels good to be just that little bit more grown up!
We're more than happy to talk through our approach in more detail - if you're considering working towards ISO27001 compliance and want to discuss in more detail, get in touch! I can be reached at andrew.cox@end-game.com