ISO 27001: Experience and tips from the field

ISMS

For IT service providers, a certified information security management system (ISMS) in accordance with ISO 27001 is now more important than ever. The introduction not only brings challenges, but also opens up new opportunities - for more structure, security and trust. In this article, we look back on our own journey and openly share what we would do differently today.

At Netstream, the introduction of our information security management system (ISMS) in 2022 was more like a rush job. Nevertheless, we managed to implement the ISMS in just under three months. After our first recertification audit - which takes place every three years - we look back and ask ourselves: would we do it again today? Not quite.

Our original expectations were anything but optimistic. When we first considered the idea of ISO 27001 certification, we expected costs in the six-figure range - and anticipated a project duration of one to two years. No wonder the topic was initially shelved again.

With growing market demand and increasing requirements for information security, we finally decided to tackle the issue proactively. Our goal was clear: to implement ISO 27001 certification efficiently and sustainably - and in a way that suits us as an SME.

Steps towards setting up our ISMS: implementation and findings

1. Estimate the budget realistically

To be honest, we initially had no clear idea what costs we would actually incur when introducing an ISMS. Earlier projections clearly seemed too high. We therefore opted for a pragmatic approach: instead of working with a fixed budget, we considered what the step towards ISO 27001 certification was fundamentally worth to us - and constantly questioned this benchmark.

For many, starting a project without a fixed budget may seem daunting. However, with a small team and short decision-making processes, this flexible framework has helped us to invest in a targeted manner - without losing control.

2. Accept help

It was clear to us from the outset that it would be difficult without professional support. So we set out to find a consulting partner who understood our situation and could help us build an ISMS that suited us - pragmatic, efficient and feasible on a day-to-day basis.

3. An ISMS of the right size

We didn't want to create a system that is convincing on paper but almost impossible to implement in practice. That's why we made sure from the outset that our ISMS remained pragmatic - without giving up the ambition to fulfill the ISO 27001 requirements seriously and verifiably.

4. Involve the team - don't just inform them

Don't make the mistake of simply throwing the decision to introduce an ISMS over the fence. Ultimately, it is the employees who have to live the system.

It was therefore important for us to involve key people at an early stage instead of just informing them. We spoke openly about fears and reservations, but also took up ideas from the team and integrated them into the implementation.

5. Clarify tools and structure early on

Our first version of the ISMS was scattered across various tools and platforms: Word, Excel, Confluence and countless folders.

Specialized software is not absolutely necessary, but it can provide enormous support, especially in areas such as risk management or policy management.

Today, we rely on a central ISMS solution, but supplement it with tools such as Confluence and Jira - because they have proven themselves in our day-to-day work. What also helps: a clear and simple guideline for employees on where to find which content.

6. Consciously define the scope

What does our ISMS actually include? To be honest, we didn't have a clear answer to this at the beginning.

Today we know: A well-defined scope not only simplifies the documentation, but also the entire certification process. Back then, we took a step-by-step approach.

7. Identify risks correctly - and don't drown in them

Our first risk analysis was a confusing Excel monster that regularly caused us headaches. We often weren't sure ourselves what we were actually evaluating.

It became clear relatively quickly that we needed a solution that would help us to record risks in a structured and comprehensible way - while also maintaining the necessary overview.

The switch from Excel was more time-consuming than expected, but it was worth it. Today, we work with a specialized SaaS tool that supports us in both assessing and tracking risks.

8. Develop policies that you can live by

A guideline is quickly written, but it is by no means automatically helpful.

We realized early on that it is crucial to ask ourselves with every policy: Is it really relevant? Is it understandable? And, above all, can we implement it in everyday life?

There is a great danger of getting bogged down and ending up with a system that is formally correct, but that nobody really lives by. Our goal has therefore always been: as much as necessary, as little as possible.

9. Document, document, document

Documentation is a central but laborious aspect of the ISMS. If it is not considered from the outset, it will come back to haunt you later: auditors want to see evidence at the end.

ISO 27001 does not prescribe how documentation must be carried out - and this is precisely where the opportunity lies. We have chosen a way that suits how we work: today we rely on Jira, supplemented by Confluence, and document directly where we work anyway. This saves time and keeps things transparent.

10. Not everyone needs to know the cryptographic policy

One of the biggest fallacies when introducing an ISMS is that everyone now has to know everything. They don't. Instead of distributing entire collections of policies, we asked a targeted question: who needs which knowledge? One well-placed piece of information is worth more than 40 pages of policy that nobody reads.

11. Audit without panic? Preparation helps.

Everything came together during our first audit in early 2022: pandemic, online audit and half the team sick. The audit was conducted via video call - with a split screen, spontaneous questions and the expectation that every document could be found straight away. We had filed everything somewhere, but searching for specific documents at that moment was... let's say: challenging.

Today we know what helps: compile all relevant evidence, policies, reports and links in advance - preferably sorted by chapter of the standard. This keeps the pulse down, even when the camera is rolling.

12. After certification is before certification

Once you have the certificate in your hand, you might think you've done it. But actually, the work only really starts after that.

Since our initial certification, we have completely overhauled our ISMS more than once - rethought, reorganized, rebuilt. Not just for fun, but because we realized that an ISMS must fit the company, not the other way around.

We take a more relaxed view today: the ISMS is not a completed project, but a living part of our business. And if you get it right, it's actually quite useful.

Conclusion

Our entry into the world of information security was rather bumpy - with lots of questions, a few detours and some spontaneous decisions.

Today, three years later, we have an ISMS that suits us: liveable, effective and constantly in motion.

What have we learned? That perfection should not be the goal. An ISMS can grow, adapt and sometimes be rethought - the main thing is that it remains practicable.

And yes, the investment has paid off. Not just because we are now certified, but because we understand risks better, have structured our processes more clearly - and the trust of our customers and partners has been strengthened.

For all those who are faced with the decision: Start pragmatically, remain flexible - and don't see the ISMS as a compulsory exercise, but as an opportunity to better position the company.
