Web agencies want to achieve ISO 27001 certification to protect the supply chain
Many corporations are having to fight off cyber attacks and cyber espionage. Employee data and client data might be at stake every day of the week. As these large companies delegate part of their organizational tasks to midsize service providers, they pass the threat risks on to them, too. These service providers tend to outsource special project work to even smaller service providers, because the expertise required is so niche that building this competence inside the midsized organisation is not fruitful. Unfortunately, these smaller organizations are now feeling the weight of having to handle the increased cyber risks. They are being pressured by their middle men to also become ISO 27001 certified. The large corporations expect their suppliers to keep a clean deck by requiring their own suppliers to comply with the requirements of ISO management standards as well.
ISO 27001 Certification for Web Agencies
As many web agencies only have a small number of full-time staff, building and running an effective information security management system (ISMS) can be very daunting. As they draft their policies and procedures, they will have to see what kind of security measures they can manage and afford. A small 5-person agency cannot afford to buy an enterprise-level Cisco firewall, and it does not even have the technical expertise to set one up. ISO 27001 looks at information security as a whole. Hence, it is not just about technical measures but also about organizational controls.
Why is this important to your clients?
As previously mentioned, corporations are experiencing cyber attacks from all sides. Hackers, cyber criminals and corporate spies have realized that it is easier to enter a secure enterprise network by using the access points provided to outside organisations. Hence, suppliers are increasingly becoming the target of well-coordinated cyber attacks. In many cases, these smaller organizations do not notice that their infrastructure has been compromised. A recent study showed that more than 70% of successful cyber attacks hitting corporations have been made possible by the supply chain. When corporations motivate their suppliers to improve their information security posture, the risk exposure of the corporation also starts falling. This positive effect justifies corporate compliance departments demanding ISO 27001 certification even from their smallest suppliers and outsourcing partners. In some cases even a 5-person company might have to go to all the lengths of ISO certification just to not lose that valuable corporate client.
What are the necessary steps for web agencies?
In order to become ISO certified you will need to follow these 11 steps. It is advisable not to leave a step out or change their order, as you might get lost, confused or even fail the certification audit.
Step 1: Committing everyone to the ISO 27001 goal
The management of such a web agency or outsourcing provider will need to commit the necessary resources to build such an ISMS. They will need to explain to their staff why it is important for the business to implement such a management system. From here you will set up your project plan and decide who will be in the core project team. Often the business owner and the most experienced technical person will be in that core team. The boss is often the primary contact for the certification body and other organizations. Hence, the company boss is the one who will have to withstand all the pressure to give up the goal of achieving the ISO certification.
Step 2: Understanding what ISO 27001 expects you to do
Before writing any text, you will need to first gain sufficient understanding of the ISO 27001 standard. There are a variety of compact and very extensive books that you can choose to read. The compact guides are often the best choice for understanding what it is all about. If you want some book suggestions, then please go to our book recommendation page.
Step 3: Start a DIY project or get help from ISO Consultants
Now that you understand what ISO 27001 is all about and what you need to do, it is time to start drafting the first documents.
- Option #1: You can do all this work on your own. In that case you need to attend detailed courses so that you are not lost in the woods. You could buy an existing ISO 27001 template from the web for 1k or less, but be aware that it might lead you into a false sense of readiness.
- Option #2: The other option would be to get help from an ISO expert. These consultants have experience in drafting the ISMS documentation. Since it is not their first project, they should have templates at hand, which they will then customize to your organization’s nature. It is not enough to simply copy and paste your company name into an ISO 27001 template.
Step 4: Train your staff in Security Awareness
You need to train your staff so they have the necessary security awareness. Only train the staff that will eventually be in the certification scope. Hence, if you are only including your web developer team in the scope, then only train your leadership and the developers. If you want everybody covered, then get everybody trained. Since the cost of security awareness training is by far lower than the cost of a data breach, it is a sensible investment for your web agency to train all your staff members.
Step 5: Activate your ISMS
When you believe that your ISMS is ready to be used in your business, announce the management system as activated. Your staff needs to know that from the set date, the policies and procedures in the ISMS are obligatory for everybody in the company. Collect a commitment to the ISMS from every staff member by letting them sign a document of commitment.
Step 6: Conduct an internal audit
You will need to conduct an internal audit of your management system and how it is actually being used in the daily business. Do not try to audit your own work, as you are unlikely to see what you need to improve. Having a third party act as internal auditor is a good way to make sure your ISMS is ready for a certification audit in the near future. There are many ISO consulting firms providing internal audit services. They do not always need to come to your office, as an internal audit may be conducted remotely. The only reason for an onsite audit would be the inspection of server rooms and other at-risk facilities.
Step 7: Conduct the management review
As a web agency you are used to reviewing project work. Now it is time to review the results of the internal audit and commit to fixing the highlighted issues in your ISMS. Also review suggestions from your team on where you can improve information security. Set dates by which the particular activities need to be completed and check later on that they have been done in an effective way. If the ISMS is ineffective, an auditor from a certification body may reject the ISMS as non-compliant with the ISO 27001 standard and not recommend the issuing of the ISO certificate. So, fix the issues and get everybody to play by the ISMS rules.
Step 8: Apply for certification
When you are ready to get audited, you will need to apply for certification. This is done by contacting a certification body and asking to be audited. After providing the requested information, you should receive an offer. Accept that offer and make arrangements for a suggested audit date. Keep in mind that ISO 27001 auditors are usually very busy and hard to get, so make time in your calendar to get audited. You might have to wait a few weeks or months.
Step 9: Be ready to be audited as a web agency in accordance with ISO 27001
The day the auditors of the certification body arrive, you should be well prepared. You do not need to learn your ISMS off by heart, but it is advisable to know your way around your ISMS documentation. Make sure your staff is available should the auditors want to ask them questions. There is no reason to be scared. In order to become ISO 27001 certified as a web agency, you need to show that you are able to follow the procedures and policies you set in your ISMS.
Step 10: Wait patiently for the response from the certification officer
In accordance with the ISO standards and IAF rules, a certification body must inspect the audit report and the evidence collected by the lead auditor. The lead auditor may recommend that your web agency be issued an ISO certificate, but the final decision has to be made by the certification officer. The reviewer will check the audit documentation and confirm to the certification officer that the audit is compliant and that there are no reasons to refuse the issuing of the certificate. With this feedback, the decision will be favourable. The certification staff will then have your certificate issued and sent to you.
Step 11: Share your certification success
Now it is time to celebrate the achievement of that great ISO 27001 certificate. Let your suppliers and business partners know how well things went, and recommend that they also become ISO certified. Of course, don’t forget to tell your clients that you are now compliant with their requirements. You are now officially ISO 27001 certified. Don’t forget that it is your management system that is certified. You cannot get ISO 27001 certification for your products, as this is a management system certification only!
What is your next challenge after ISO 27001? ISO 42001
Now that your web agency has a certified information security management system, it is time to look at what you are doing in your business. Many agencies are increasingly using AI to be efficient and competitive. If you use AI or develop AI tools, then you need to look at the increasing demands for AI governance. In order to show that you are compliant when using or developing AI technology, you will need to set up an AIMS. This artificial intelligence management system (AIMS) is similar to your ISMS.
Get an ISO 42001 certificate for your AI-driven web agency
As an innovative web agency you should have an AIMS and an ISO 42001 certificate. Stratlane has access to a range of AI-experienced auditors who understand what AI is. Some of them even teach AI topics at universities around the world. If you are looking for an ISO 42001 consultant with special AI expertise, you can ask us for recommendations, and we will suggest whom to ask for help. As a certification body, Stratlane may not provide consultation services. That is why we can only suggest who could deliver that customized consultation.
An ISO 27001-certified partner is a trustworthy supplier
Using an ISO 27001-certified company exposes a larger organization to fewer risks. Hence, the risk of experiencing data breaches will be substantially lower.
Stratlane Certification is an innovative Certification Body using AI and experienced industry experts to audit organizations.