ISO 27001 Compliance in 18 Months

Our journey to ISO 27001 certification began when we lost a major healthcare prospect in 2022. Calling them “a major healthcare prospect” is selling them short. They are the largest healthcare company on the planet. They have an entire department focused on providing services to other healthcare providers and, after an evaluation period, SimpleRisk had emerged as the main stakeholder’s GRC platform of choice.

We were in the final stages of closing the deal when, as part of their diligence process, they asked us for our third-party security attestation. ISO 27001? SOC 2? While we were doing everything right, we simply didn’t have the paperwork to prove it to them.

We ended up amicably parting ways, but a couple of days later I received an email from that stakeholder. He said that he was sorry it didn’t work out, but he absolutely loves the product and if we were ever hiring to let him know. I asked him how he’d like to be the guy to help get us certified and he jumped at the opportunity. He started work as SimpleRisk's Chief Compliance Officer in April 2023.

The Initial Assessment

In The Art of War, Sun Tzu says “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” In other words, it is important to understand both where you are and what your potential challenges are in order to be successful. Thus, the first step towards our ISO 27001 certification was to conduct an assessment of our current maturity level against the ISO 27001 and ISO 27002 controls.

Next, we took the results of this assessment of where we were at and compared them to a desired state of “Managed”. To put it simply, a “Managed” state means that all of your controls have an owner identified and held accountable along with formalized policies documenting employee expectations and procedures for how things should be handled. The difference between the current and desired state of maturity is what’s called a “gap” and these gaps were then captured as risks in our risk registry along with recommendations for what needed to be done to reach our goal.

Current vs Desired Maturity by Control Family

Time Elapsed: 2 Months

Policy and Documentation Creation

The results of our gap assessment painted a pretty clear picture for us. We were doing the right things with respect to security, but they were being done informally, for the most part. Essentially, we were lacking Governance, which I admit is ironic for a GRC company, but also not unusual for an organization of our size. We needed to create policies, guidelines and standards that would define expectations for how our organization operates.

You essentially have two options when it comes to your Governance documentation. You can build it or you can buy it.

Cost & Work-Hour Estimates

If you have the money, I’d highly recommend the Digital Security Program from ComplianceForge. It costs just shy of $10k, but the customers who we’ve sold it to have sidestepped all of the time and effort that it takes to create the content.

From the “build it” side of things, you can always hire a consultant to do it, but the cost of a consultant quickly dwarfs the cost of the ComplianceForge DSP. That said, it turns out that this is an area that Artificial Intelligence excels in.

Go to ChatGPT and run the following query and you’ll see what I mean:

“You are an expert on Governance, Risk Management and Compliance. You are creating the Governance documentation for a [ORG TYPE] organization with [EMPLOYEE COUNT] employees based in the United States. Your first task is to create an Information Security Policy template for the organization to begin using.”

You’ll have created your first Governance policy in seconds with the help of the AI. Repeat this step for any other necessary policies like Change Management, Asset Management, etc., and in a very short time you’ll have created all of the templates that your organization will need. You will still need to customize them, but it will cost you nothing.

Creating and reviewing all of the policies, guidelines, standards and procedures for SimpleRisk took us about four months.

Time Elapsed: 6 Months

Auditing the Controls

When it comes to GRC, controls are just the things that your organization does to manage risk and ensure compliance with laws, regulations and internal policies. In our case, ISO 27001's Appendix A provides us with the list of controls which they feel are required for data security and privacy. We can still decide if there are controls that don’t apply to our organization for whatever reason, but these are explicitly called out in a document called a Statement of Applicability. Thus, our next step in the process was to evaluate our effectiveness for each control.

This is yet another place where Artificial Intelligence can speed up the process, because we have to create one or more tests for each of our controls. These tests need to be specific to our environment and need to be able to demonstrate to an auditor that we do what we say we do. Let’s take ISO 27001 Appendix A control 5.1, which states that “Policies for information security shall be defined, approved by management, published, communicated to relevant parties, and reviewed regularly.”

Go to ChatGPT and run the following query:

“You are an expert on Governance, Risk Management and Compliance. You are creating the control validation for a [ORG TYPE] organization with [EMPLOYEE COUNT] employees based in the United States. There is a control which states that “Policies for information security shall be defined, approved by management, published, communicated to relevant parties, and reviewed regularly.” What tests should they use to validate that we are in compliance with this control? Please provide me with a test name, recommended test frequency, test objective, test steps, estimated time to complete the test and expected results.”

Add New Test

This will return everything that you would need in order to validate that the ISO 27001 Appendix A 5.1 control is in place and operating effectively. Note that the first sentence in each of my queries is giving the AI a role to use. This is a common technique to ensure that you get the best results possible and I highly recommend that you follow suit with your own queries.

You’ll need to define tests for each of the controls in your framework and then run those tests to validate compliance. A GRC platform will help you to organize all of this, but whatever you end up using to do it, make sure that you are saving all metadata associated with your testing (spreadsheets, screenshots, etc) so that an external auditor can review it later.

This was by far the most difficult and time-consuming part of the ISO 27001 certification process. It took us approximately ten months to complete, but the hardest part was done.

Time Elapsed: 16 Months

The Third-Party Audit

In August 2024, we began the third-party audit portion of our journey. We selected our audit firm because they had experience working with smaller organizations and familiarity with similar environments built in the AWS cloud. Not all third-party audit firms are the same. Make sure that you interview several before selecting one, and consider all of the various factors that would influence both their success, and subsequently, yours. Also, ensure that the selected audit firm is accredited by ISO to provide an attestation. There is a vast difference between an ISO certificate and an ISO certification.

Alan Lost the Bet

For an ISO certification, the audit consists of two stages. The first stage was a single-day effort covering the high-level ISO requirements and the policies that support them. It aimed to provide us with areas for improvement before the real audit began, and we were given time to make those changes.

The second stage was a four-day deep dive into ISO 27001, the Appendix A controls and all of the associated evidence. I took the opportunity to make a light-hearted bet with my Packer-loving compliance compatriot. If there were no findings, then I would wear a Packers hat for the next week of customer calls. However, if there were any findings, he’d have to hang a Vikings flag in his office until they were remediated.

It turns out that of the 50 documented, reviewed and approved policies, procedures, guidelines and standards created, there was one which he had failed to update the status of. It was our only finding. One that was simple to remediate, but a finding nonetheless. He was a good sport about it and held up his end of our bet.

After 18 months, SimpleRisk had successfully passed its ISO 27001 certification!

Time Elapsed: 18 Months

Conclusion

SimpleRisk ISO Certificate

Ultimately, I don’t feel like we did anything special to obtain our ISO 27001 certification in 18 months. We had one employee keeping the ball in motion, while also juggling a number of other things. We used our own SimpleRisk GRC platform to help manage it all, which also helped us to identify several areas where we could improve the software to make life better for our customers. I don’t see any reason why any other organization couldn’t follow suit with the right team, tools and perseverance.
