Nov 1, 2016
Why Your Developers Fear ISO 27001 and How To Change It
Your organization has decided to go for ISO 27001 certification, and your development team is not exactly fond of the idea. As the project kick-off date gets closer, you have overheard water cooler talk of open resistance from veteran employees who would rather move to a new company than comply with the new requirements that the ISO 27001 standard may bring.
This scenario is far more prevalent than one might think. However, with some precautions and adjustments to your project plan, even the most resistant team members can realize the benefits of implementing ISO and will likely come around.
Understanding the ISO 27001 standard
The whole idea behind the ISO 27001 standard is to implement and continually improve an ISMS (Information Security Management System). While that is no easy task, it can come with plenty of benefits to the business and the business objectives.
An established and properly managed ISMS will provide a risk-based, systematic approach to dealing with information security concerns, ensuring that essential data aspects such as confidentiality, availability and integrity are adequately protected.
The certification benefits are numerous. Aside from a more mature approach to dealing with information security incidents and lessening their impact, an ISO 27001 certification will make it easier to comply with various regulations. It also provides your sales team with that much-needed marketing edge, differentiating your company from competitors, especially when you handle sensitive information.
So, what makes ISO 27001 scary?
Usually, an ISO 27001 implementation will require a lot of effort, work, and discipline. In most cases, it creates a new paradigm regarding data protection, profoundly impacting corporate culture, with more policies, norms, and procedures that are mandatory.
Most people will be pushed outside their comfort zones, feeling that their work is being scrutinized under a microscope. For the development team, one valid concern is how much additional work will be required, on top of the time and effort needed to ensure current systems comply with the new set of policies. Then there is documentation, which, when introduced to an organization without any formal documentation procedure, can be very intimidating.
This perception of ISO 27001 as a pile of excessive and pointless additional work is more than enough to put development teams on edge, but add first- and third-party audits, and you're in for a tough time. Audits are thought of as a hunt for mistakes, with severe punishments for any infractions found.
How to make ISO 27001 your team's new best friend
It is understandable why an ISO 27001 implementation can be a scary project for your development team. In truth, most concerns arise from an inadequate understanding of the positive influence the new standard will have on the organization, and ultimately the employee, in the long run.
So, what can you do to help turn these negatives into a more positive view?
Additional work: a more efficient way of working
What may seem like extra work at the beginning will inevitably turn into a far more practical approach to development in the not-so-distant future.
Implementing a secure development policy and system change control procedures might be challenging initially, but try to emphasize the benefits of increased security in development practices. Take change management or documented development testing, for example. Implementing these procedures will have your employees spending less time trying to fix things or putting out fires. Your development team will be much more efficient and can focus on other projects, innovation, or fun, new R&D.
Make your development team a part of the ISO 27001 implementation project
Involving people from the beginning is a sure way to earn both their trust and goodwill. Most problems arise from a poor understanding of ISO's benefits, so a necessary step toward changing the current mindset is ensuring that key members of your development team know this is a strategic project, critical to your business, that will create a safer, more efficient way of delivering value to the business.
Adhering to ISO's additional requirements might seem confusing at first, but a well-developed set of policies and procedures will not make work harder. Quite the contrary! If you involve stakeholders from key departments from the very beginning, you are much more likely to receive those stakeholders' buy-in, and ultimately that of the teams below them, ensuring corporate-wide engagement.
Top management commitment
Even the best-laid plans can go sour. Presuming you involved your development team from the beginning, demonstrated how much more efficient they will become as employees, and explained to them how important the ISO 27001 certification is to the business, by now most of them are on board and see the value. Most of them.
Some people are so resistant to change that no amount of explanations, justifications, reasoning or even supplications will suffice. The seriousness of this scenario is increased when the position involved is critical to business or the success of an ISO implementation.
Managers and directors should play a central role, demonstrating that they are an integral part of the project and that the organization cannot allow for exceptions. It is imperative to remember that, no matter how well you adhere to most controls or policies, a single major non-compliance is more than enough to prevent your company from being certified.
Some cases will require direct action from top management, including directly talking to dissidents, or in extreme circumstances where there is no other option, taking the difficult decision of letting an employee go. Just make sure they understand the company took every action possible to avoid it.
Since you are required to recertify to ISO 27001 every three years, the key to a proper ISMS implementation and management is a change to corporate culture across all hierarchy levels.
Over time, information security will become a part of your company's DNA, and while subsequent re-certification will become an easier task, the benefits of a new maturity level will become clear and practical.