Tips for ISO certification

Chris Foley is the data operations director at MedSurvey.

Over the past four and a half years, I’ve had the opportunity to manage privacy and security for MedSurvey, a fieldwork operations partner for health care market research agencies and consultancies. Taking data security seriously is woven into our company culture. So, when our CEO, Paul Golota, asked if I’d like to make that official by heading up the process of getting certified for the ISO/IEC 27001 – the global gold standard for information security management – my answer was an unequivocal “yes.”

Now, more than two years later, I’m proud to report that we’ve successfully achieved ISO certification. While the process was well worth it for us, it was nonetheless a big project involving a major commitment of time and resources. We also ran into some unforeseen challenges along the way.

If your company is considering taking the plunge to get certified, I’d like to share a little about our own thinking behind the decision, as well as some of our biggest lessons learned. I’ll go over our four top reasons for getting certified and five key takeaways that can help you prepare for a smooth certification process.

Four reasons to get ISO certified

For us, the decision to get certified for the ISO/IEC 27001 standard came down to four main factors. Here are the biggest advantages, as we see them.

1. ISO certification makes us better partners to our clients.

It gives us an official badge of excellence that lets our partners know they can trust us to keep their sensitive data safe. Any company can claim to meet the standards set by their clients, but we can now offer full transparency into our data security process – the standards we meet are crystal clear. 

Certification helps our partners win and keep business, which in turn helps us win and keep business. Having independent verification that we meet the highest standard for data security allows us – and our partners – to work with larger and enterprise-level companies, some of which require compliance with the ISO standard. But even when they don’t, we’ve seen more companies across the board asking for lengthy risk assessments and detailed evidence that we can keep their data safe and secure. Before getting certified, this time-consuming paperwork had to be filled out ad hoc, slowing down the sales process for everyone involved. ISO certification lets us bypass these steps. Removing paperwork and back and forth means we can work with our partners more efficiently and we can all focus on the real work that delivers value for the end-client.     

2. The threat of cyberattacks is very real and getting worse.

It seems that new threats emerge almost monthly, and with the rise of AI, we can expect them to become more frequent and difficult to defend against. Any company is at risk because sophisticated cyberthreats programmatically look for vulnerabilities anywhere they can find them. In fact, more than half of cyberattacks target small to midsize companies and 60% of these will go out of business within six months of a breach.[1]

But even a minor cyberattack can become a huge headache. Several years before I came to MedSurvey, we experienced an attack on our phone system and were unable to make calls from our call center. Though there was no risk to our data, business still ground to a halt. We needed all hands on deck until we could get the system up and running again three days later.    

And that experience was mild. For a data collection company like ours, a lot is at stake. We have our own panels of health care professionals who trust us with their sensitive data and we’re also liable for the proprietary data of our partners – a responsibility we take very seriously. We would never want to put our partners’ reputations in jeopardy. Going through the rigorous ISO certification process made sense for us because it put us in the best position possible to defend against an attack. A breach can happen to anyone, but today we can say we’ve really taken all possible steps to secure our own and our partners’ data.     

3. The standard serves as a yardstick for measuring the quality of our security.

Without the standard to judge themselves against, even companies with the best intentions can’t be sure they’re truly secure. Implementing ad hoc cybersecurity measures on your own can be a little like throwing spaghetti against the wall, hoping the strategies you’re using will stick. Implementing the ISO standard gives you outside verification that your company is fully protected. We now know for a fact that our information security management system (ISMS) stands up to the strictest scrutiny. Even though we feel fortunate that the process confirmed our data was already secure, implementing the standard still helped us improve. It exposed us to new knowledge and it revealed gaps in other areas addressed by the standard, such as business continuity planning (BCP).

4. ISO certification sets us up for success in the future.

With cyberthreats getting worse and clients’ standards getting stricter, cybersecurity is becoming more important every day. Fortunately, the ISO/IEC 27001 isn’t a one-and-done standard. It involves continuing education, so we’re always learning about new threats and technologies, and it requires continually maintaining and improving our system. Plus, ongoing audits give us additional assurance that our ISMS is up to date. This means we’re not just protecting our clients’ data today; we’re prepared for new threats in the future.

We’re also ready for changing requirements in our industry. Already, more and more companies are asking for ISO certification and six states are pursuing legislation to regulate data security. Right now, U.S. legal standards lag behind Europe, but we can expect more regulations in the future as the U.S. catches up. Getting certified now puts us ahead of the curve. 

Five key takeaways from the certification process

If I could share just one insight from going through the ISO certification process, it would be this: This is not a project that can be done by halves. It requires 100% dedication and commitment from start to finish. Here are my top five recommendations, based on our lessons learned.

1. Have companywide, top-down buy-in.

Having active support from executive leadership is crucial for successful certification. As the manager on the project, I needed executive backing for things like budgetary decisions and allocation of resources. Without this support, it would have been difficult, or even impossible, to push the project forward. You’ll also need the active participation and support of everyone in the company, regardless of position. Fortunately, our CEO was 100% committed to the project from the beginning, and because he was, everyone else was too. 

It’s worth noting that the standard requires official sponsorship by executive leadership to make sure that implementation falls under the strategic direction of the company as a whole. But sponsorship in name only wouldn’t be enough; in my experience, it’s the attitude of leadership that makes all the difference. 

2. Be aware of staff commitment.

You’ll need designated staff for implementing and maintaining your ISMS on an ongoing basis. Currently we have four staff members responsible for upkeep of the ISO standard. On the implementation side, I manage our ISMS, while our VP of Information Technology implements technological changes such as updating code and firewalls. On the advisory and support side, our CEO and VP of Operations are heavily involved.

You’ll also need a point person to manage the project as part of their job description, but having a designated data security lead on your team isn’t a requirement for getting certified. If you don’t have someone who can take over management of the ISO project internally, I would recommend outsourcing the job.

3. Prepare for a hefty commitment of time, funds and resources.

For us, consulting fees and audits alone totaled in the tens of thousands. We also experienced some unexpected expenses. For example, you’ll want to purchase a range of software and services that improve ISMS efficiency and guard against viruses, and the cost of these can add up quickly. I was also surprised to find some necessary education hidden behind paywalls. Though it might be possible to achieve certification on a shoestring budget, it would undoubtedly be much more difficult.

You’ll also want to have a realistic timeline for the project. It took us two and a half years to achieve certification. This was longer than expected because we didn’t realize how in-depth the process would be, especially when it came to writing policies and establishing controls. It’s important to know that the time commitment doesn’t end with certification. The ISO standard requires educating yourself on the changing cybersecurity environment and implementing new strategies for addressing these changes. You’ll also need to prepare for ongoing surveillance audits between certification renewals.

4. Invest in a risk management platform and a consultant.

Having a good risk management platform will allow you to easily keep track of ISO controls and collect evidence for certification. This is important because the ISO standard requires a lot of documentation about the policies you’ve implemented. Investing in a platform like this helped our audit process go smoothly because it allowed us to easily demonstrate evidence of compliance.

I would also highly recommend talking to a consultant. The consulting team we worked with guided us through the process, acted as mentors and provided materials we needed to implement the standard. You’ll want to choose a consultant with a good reputation and, ideally, familiarity with your industry.

5. Create a solid internal communications plan.

One thing I wish we had a better grasp on upfront was how important a strong internal communications plan would be. Because it takes a companywide effort to maintain your cybersecurity system, everyone needs to be kept in the loop. Everyone in the company needs to be educated about how to adhere to the standard and how to actively watch for and protect against cyberattacks. Since you’ll need to implement changes at all levels of the organization, you don’t want to confuse or surprise anyone. Getting a strong communications plan up and running was a big help in moving our project forward.

Implementing the ISO/IEC 27001 standard has been a challenging but rewarding experience for us. If your company is weighing the value against the cost – or if you’re already preparing to pursue certification – I hope that some of our insights can help smooth the way.

References

[1] Morgan, Steve. (2022). “2022 Official Cybercrime Report.” https://www.esentire.com/resources/library/2022-official-cybercrime-report, retrieved June 1, 2023.