Key takeaways from using ISO27001 in an SME

When small and medium-sized enterprises (SMEs) decide to introduce an information security management system (ISMS) according to ISO27001, it is not an easy matter. Compiling the ISMS documents is difficult without specialist knowledge. It is not enough to buy one of the common ISO27001 practical books from the bookstore: a book alone cannot explain such a complex subject area well, and training is simply better here. Nevertheless, a specialist book and training complement each other perfectly. Here we share experience from the use of ISO27001 in SMEs. It shows how small companies can successfully achieve the ISO27001 certificate. After certification, however, the certified companies must put the regulations into practice on a daily basis.

Implementation of ISO27001

The introduction of a new management system requires several changes in the organization. Employees must be prepared for these changes. Only then can the accompanying technological changes also be implemented successfully and sustainably.

The preparation phase for ISO27001

Checklist for ISO 27001 certification

When preparing for certification, companies must use several checklists. This way you avoid overlooking important documents or aspects. If you submit poorly prepared documents to the certification body, the audit can be rejected.

Drafting the ISMS documents

With the help of the checklists you can create the required documents step by step. However, the list of important assets is problematic. This is where things usually get quite confusing. Only after considerable thought do the individual items gradually emerge. For each asset you then have to assign the risks and the responsibilities.

Involve employees in the ISMS Project

Operational changes are easier to solve as a team

If you want to integrate ISO27001 into your business processes, you can’t alienate employees by turning all their usual processes upside down. It is best to include all employees in a specific work group. This means there is less resistance and the processes can be supplemented with aspects relevant to ISO 27001.

Improve the security of networks and devices

It is not enough to create and store a collection of documents. Information security requires employee involvement and infrastructure improvements to protect data at risk. In some cases you have to get rid of outdated equipment. You can’t still run computers with Windows 95 in 2024. At the same time, you should rethink your network segmentation. An updated network diagram is easy to create. All you need is pen and paper. You can already discuss with your colleagues whether the structure can be improved. It is not always necessary to invest large amounts of money in technology to improve information security.
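The asset list with assigned risks and owners described under "Drafting the ISMS documents", together with the outdated-equipment point above, can be kept as a small structured register rather than a loose spreadsheet. The following is an added example, not code from the original article; the 1 to 5 likelihood and impact scale, the risk-level thresholds, the end-of-life OS list and the sample assets are all constructed assumptions for illustration.

```python
"""Minimal asset and risk register in the style of an ISO 27001 risk assessment.

Added example with constructed data. Assumptions: likelihood and impact are
scored 1..5, risk = likelihood * impact, and the end-of-life OS list is a
hand-written stand-in for real vendor lifecycle data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed end-of-life operating systems (constructed for the example).
UNSUPPORTED_OS = {"windows 95", "windows xp", "windows 7"}


@dataclass
class Asset:
    name: str
    owner: Optional[str]          # responsible person; None = not yet assigned
    os: Optional[str] = None      # operating system, if the asset is a device
    likelihood: int = 1           # 1 (rare) .. 5 (almost certain)
    impact: int = 1               # 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject scores outside the assumed 1..5 scale so that a typo in the
        # register cannot silently produce a meaningless risk value.
        for field_name in ("likelihood", "impact"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be 1..5, got {value}")

    def risk_score(self) -> int:
        return self.likelihood * self.impact


def risk_level(score: int) -> str:
    """Map a score to a level; thresholds are an assumption of this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def register_findings(assets: list[Asset]) -> list[tuple[str, str]]:
    """Return (asset, issue) pairs an auditor would expect to see addressed:
    assets without an owner, devices on an unsupported OS, and high risks."""
    findings: list[tuple[str, str]] = []
    for asset in assets:
        if asset.owner is None:
            findings.append((asset.name, "no owner assigned"))
        if asset.os and asset.os.lower() in UNSUPPORTED_OS:
            findings.append((asset.name, f"unsupported OS: {asset.os}"))
        score = asset.risk_score()
        if risk_level(score) == "high":
            findings.append((asset.name, f"high risk (score {score})"))
    return findings


def summarize(assets: list[Asset]) -> dict[str, int]:
    """Count assets per risk level for the management summary."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for asset in assets:
        counts[risk_level(asset.risk_score())] += 1
    return counts


# Constructed sample register (not real inventory data).
SAMPLE_ASSETS = [
    Asset("Customer DB server", owner="IT admin", os="Ubuntu 22.04",
          likelihood=3, impact=5),
    Asset("Reception PC", owner=None, os="Windows 95",
          likelihood=4, impact=2),
    Asset("Marketing laptop", owner="Marketing lead", os="Windows 11",
          likelihood=2, impact=2),
]

if __name__ == "__main__":
    for name, issue in register_findings(SAMPLE_ASSETS):
        print(f"{name}: {issue}")
    print(summarize(SAMPLE_ASSETS))
```

Running the script on the constructed sample lists the database server as a high risk, and the reception PC twice: once for the missing owner and once for the unsupported operating system. Those two findings are exactly the gaps the text warns about, an asset nobody is responsible for and equipment that should have been retired.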

Consider information security as part of the business model

Startups and IT admins need help with IT security topics

In the age of digital transformation, medium-sized companies must modernize their processes and activities. But this also means accepting information security as a natural part of their business model.

Lessons learned from implementing ISO27001 in an SME

Many companies think that ISO27001 should be an IT department project. That is a mistake. Information security must be placed with the management team – i.e. at the very top of the hierarchy. But that doesn’t mean that the managing director finds his mailbox overflowing with ISO 27001 topics every day. Medium-sized companies and corporations commission a suitable employee to carry out the project; this person acts as a project manager. In an SME there are not that many employees who seriously have the time to devote to creating the many documents.

Therefore, the pragmatic approach here is to commission a consultant to create the documentation. This saves you a lot of frustration and many sleepless nights before an audit. If you try to build the documents from scratch yourself, it will take much longer. That is valuable time that would be better used elsewhere in the company.