Note: Part-1 Article by "Waqar Mehboob"
In the previous article, I introduced what we will discuss in this series. To summarize, I am talking about the ISO 27001 certification journey for SMBs (Small and Medium-sized businesses) and how we can minimize the cost and time spent while increasing the quality of the delivery.
Choosing the right technology is one of the foundational steps you can take in your ISO 27001 journey. It can significantly affect your overall cost and the time it takes to achieve and maintain compliance. I have noticed that, compared with other compliance regimes such as SOC, NIST, and CIS, ISO 27001 is very document-oriented: specific requirements within the standard call for adequate documentation and records.
Back when I started with ISO 27001 15 years ago (when it was still called "BS 7799"), there were not many solutions available; however, during the last three years I have seen and experienced various technologies that facilitate and automate the process. Whether on-prem or in the cloud, these solutions can be used as-is, out of the box, or customized for your organization.
For example, let's talk about Tugboat Logic (acquired by OneTrust in 2022). I have been using Tugboat for my clients for over two years. It has opportunities for improvement, but most of my experience with it has been positive. I used Tugboat with my team, the client's team, and even the auditor. Several other SaaS products similar to Tugboat are available on the market, and recently I have seen several new names on the vendor horizon.
Since Tugboat is cloud-based, no time is required for installation or deployment, and it is ready to use from day one. In 2022, being cloud-ready may sound typical and expected, but in my experience a more extensive GRC product such as RSA Archer requires an immense on-prem effort by comparison, and Tugboat saves me much of that time. To be fair to RSA Archer, Tugboat is not a fully functional GRC solution. However, in the context of ISO 27001 compliance, it provides the use cases an SMB needs.
Tugboat has many of the ISO 27001 controls prebuilt into the system, including critical controls such as "A.5.1 Policies for Information Security" and "A.12.1 Documented Operating Procedures". All of these were available out of the box, and since Tugboat automated them, no additional time or effort was required to implement these controls. The platform provided automated version control, approval workflows, user acknowledgments of these policies, and access management out of the box. Since the software is designed with the actual auditors in mind, we were able to pull the evidence from the platform with minimal effort.
ISO 27001 requires a comprehensive risk assessment to be done. Clause 8.2 (Information security risk assessment) and Clause 8.3 (Information security risk treatment) are also automated in Tugboat, which allowed us to focus on the actual assessment rather than figuring out the "nuts and bolts". Risk assessment was an easy job using Tugboat. It allowed for concurrent collaboration between Canadian Cyber and the client personnel, and it gave recommendations on the inherent risks in our assessments. This made for a decent workflow for the review and approval cycles.
Before using Tugboat, the same client used an Excel sheet with 200+ risk items, several of them duplicated, and some of them needed to be more accurate, because the update process and the review cycles for these risk assessments were not controlled in the spreadsheet the way the platform requires. I was happy with this feature, as it saved us time and cost. It also allowed us to generate reports for management review and for the auditors. These reports facilitated our discussions and approval cycles within the steering committee with the client and their auditors, who told us they were delighted with the evidence submitted.
One thing Tugboat could improve is remediation planning and the tracking of remediation activities. There was a gap between the platform and our project, because we had to meet the compliance requirements and at the same time allow for more granular remediation planning for ISO 27001. So we used Jira to create a ticket for each risk associated with a remediation plan, and we captured those tickets in the risk assessment on Tugboat. The two systems were cross-referenced using unique numbers. Using the two together, we were able not only to achieve the certification but also to impress the auditors with updates on the progress of the tickets.
Thanks to Jira's vast popularity and low skill requirement, Jira can be used for ISO 27001 control processes without incurring license costs on-prem, and in the cloud you can use it while keeping costs to the bare minimum. The on-prem version of Jira is free, while the cloud version is free for up to 10 users. The best part I noticed about Jira in my last few projects is the ability to create custom, automated workflows, which further eases the control processes.
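The cross-referencing described above is only as good as the reconciliation behind it: every risk with a "mitigate" treatment needs a remediation ticket, every ticket should point at a risk that still exists in the register, and the spreadsheet-era duplicates should be caught before they are imported. The following script is an added example written for this article; it is not Tugboat's or Jira's code, and the risk register rows, the Jira issue records, the R-nnn risk identifiers, the SEC-nn issue keys, and the "risk:R-nnn" label convention are all constructed assumptions for illustration. It reads exports of both systems (here embedded as sample data) and produces the gap list and per-risk progress summary an auditor would ask for.

```python
"""Reconcile a risk register with its Jira remediation tickets (added example).

All data below is constructed for the example. Column names, the R-nnn risk
identifiers, the SEC-nn Jira keys and the "risk:R-nnn" label convention are
assumptions, not anything Tugboat or Jira defines.
"""
import re
from collections import defaultdict

# Constructed sample: a risk register as it might be exported from a spreadsheet
# or the GRC platform. R-004 is a whitespace/case duplicate of R-001.
RISK_REGISTER = [
    {"id": "R-001", "title": "Unpatched internet-facing servers", "treatment": "mitigate"},
    {"id": "R-002", "title": "No MFA on admin accounts", "treatment": "mitigate"},
    {"id": "R-003", "title": "Backups not tested", "treatment": "mitigate"},
    {"id": "R-004", "title": "unpatched  Internet-facing servers ", "treatment": "mitigate"},
    {"id": "R-005", "title": "Vendor SLA gap", "treatment": "accept"},
]

# Constructed sample: Jira issues carrying the risk id in a label.
# SEC-13 references a risk that no longer exists in the register.
JIRA_TICKETS = [
    {"key": "SEC-10", "status": "Done", "labels": ["risk:R-001"]},
    {"key": "SEC-11", "status": "In Progress", "labels": ["risk:R-002"]},
    {"key": "SEC-12", "status": "To Do", "labels": ["risk:R-002"]},
    {"key": "SEC-13", "status": "Done", "labels": ["risk:R-099"]},
]

RISK_REF = re.compile(r"^risk:(R-\d{3})$")  # assumed label format
OPEN_STATUSES = {"To Do", "In Progress"}    # assumed Jira workflow states


def normalize_title(title):
    """Collapse whitespace and case so near-identical titles compare equal."""
    return " ".join(title.lower().split())


def find_duplicate_risks(register):
    """Return groups of risk ids whose titles match after normalisation."""
    groups = defaultdict(list)
    for risk in register:
        groups[normalize_title(risk["title"])].append(risk["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def tickets_by_risk(tickets):
    """Index tickets by the risk id found in their labels."""
    index = defaultdict(list)
    for ticket in tickets:
        for label in ticket["labels"]:
            match = RISK_REF.match(label)
            if match:
                index[match.group(1)].append(ticket)
    return index


def reconcile(register, tickets):
    """Cross-check register and tickets; report gaps and per-risk progress."""
    index = tickets_by_risk(tickets)
    known = {risk["id"] for risk in register}
    # Risks the treatment plan says we will mitigate, but with no ticket yet.
    needs_ticket = [risk["id"] for risk in register
                    if risk["treatment"] == "mitigate" and risk["id"] not in index]
    # Tickets that cite a risk id the register does not contain.
    dangling = sorted(set(index) - known)
    progress = {}
    for risk_id, linked in index.items():
        if risk_id not in known:
            continue
        open_keys = [t["key"] for t in linked if t["status"] in OPEN_STATUSES]
        progress[risk_id] = {
            "tickets": [t["key"] for t in linked],
            "open": open_keys,
            "remediated": not open_keys,
        }
    return {"needs_ticket": needs_ticket, "dangling": dangling, "progress": progress}


if __name__ == "__main__":
    print("Duplicate risk groups:", find_duplicate_risks(RISK_REGISTER))
    report = reconcile(RISK_REGISTER, JIRA_TICKETS)
    print("Mitigated risks without a ticket:", report["needs_ticket"])
    print("Tickets pointing at unknown risks:", report["dangling"])
    for risk_id, status in sorted(report["progress"].items()):
        print(risk_id, status)
```

In practice the two lists come from a CSV export of the register and a Jira search (JQL) export of the remediation project; the reconcile step is worth running before each steering committee and before evidence is handed to the auditor, since a dangling ticket or an unticketed "mitigate" risk is exactly the inconsistency an auditor will find first.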
Stay tuned for the next article!