ISO27001 and the SME: do not be afraid
December 16th, 2009 by Phil Hare

In my inaugural post last week I talked about those companies out there who certificate their own work, in particular to ISO27001. I’m not going to go over the same argument again here, but I do feel it would be remiss of me not to address the more pressing, underlying cause that feeds such organisations in the first place: information security can be expensive to do properly.
In particular, ISO27001 can be an expensive standard to tackle for small businesses. That doesn’t mean that there’s any less of a demand for it, however: the “information age” has provided start-ups and SMEs with the tools required to punch well above their weight, and they often find themselves in the supply chains of much larger bodies who demand a certain standard in doing business, including how you manage your information security.
What to do in that situation? Well, there are a number of options available:
1. Ignore the subject entirely and carry on regardless. There are a lot of organisations that take this approach. A similar effect can be achieved by shredding tender requests on sight, or betting your stock on the greyhounds.
2. Call in one of those organisations I mentioned last week who certify their own work. You could of course just wander out into the street and ask passers-by if they know anything about information security. Tell them you’ll pay. You’ll be amazed how many experts there are.
3. The DIY approach. This approach isn’t always a bad idea, provided:
a) You have a sufficient amount of spare time to do it properly
b) You invest in the right books, tools and, if budget allows, training
c) You are enthusiastic about the project (I cannot emphasise enough how important this is if you’re going it alone)
d) You’ve got full management support
e) You know where to get help if you need it
The hyperlinks I’ve embedded in that little list may seem like shameless plugging on my part, and to a certain extent they are. The truth is, though, that all the products I’ve outlined are designed and delivered in a manner that will make a good implementation of ISO27001 a feasible option for businesses who cannot afford to purchase the time of a traditional consultant. ISO27001 is an all-encompassing standard that takes a lot of time to understand and even more time to implement if you are new to the subject, but if time is no issue, and you’ve got the enthusiasm, it can be done. Certainly, the sense of achievement gained from taking a business through a successful accredited certification process is not to be sniffed at.
4. You opt for a programme like FastTrack. This service, which you can read about via the link, enables SMEs to get to the point of accredited certification to a fixed, low-cost budget and in a very short timescale. It’s not for every business; there are qualification criteria, but for many SMEs it’s the best solution, particularly if time is a pressing factor.
Ultimately, the route any SME chooses to take for information security is the decision, and responsibility, of the stakeholders. Just remember: you do have options, and there are firms like IT Governance out here to help, in whichever way suits your business best. Remember, too, that the subject will not go away, and in many ways the best time to implement a standard like ISO27001 is while you are small, so that the structure such a standard brings to an organisation can be used to help the business grow in a controlled, intelligent and, most importantly, successful manner.