
For the ISO 27001 project there were two distinct phases, each with its own way of working:

• Before the audit;

• After the audit.

This section describes an internal audit that Metyis ran for the Amsterdam and Porto offices, so that both offices would be prepared for the official audit scheduled for the end of March 2023.

4.1.1 Before the audit

After understanding the scope of ISO 27001, the following steps were taken to prepare for the internal audit:

1. Document all the assets present in Porto;

2. Identify how many security breaches the office had had and document them;

3. Learn some basic aspects of cybersecurity;

4. Keep the local team involved in the project.

Documentation of all the assets present in Porto

The first step was to understand how well prepared the company was for each type of attack and what Metyis should do to avoid suffering one. With this knowledge, a document was drawn up stating, for each asset:

• The name of the assets;

• Who was responsible for the asset;

• What type of asset it is;

o Hardware;

o Electronic file;

o Hard-copy;

• Which type of information the asset contains;

o Personal Data;

o Business data;

• Confidentiality level;

• How well the asset is protected.

Once the company's assets were known, the team estimated, for each asset, the probability of something happening to it (the risk to the asset) and the impact on the business if that risk materialised. To take the study further, a matrix combining these two variables was built to obtain a more accurate risk analysis for each asset; it is presented in Figure 18. The values shown were defined by the company.

Figure 18: Risk Analysis matrix

After establishing the "Business impact vs Probability" rating for each asset, changes began to be made to how some assets were protected; for example, the cabinets without doors in which sensitive information was kept were replaced by lockable cabinets such as the one shown in Figure 19.

With these small changes, the rest of the employees started to understand how seriously the company was taking ISO 27001 and how small things could help to reach certification.

Risk Analysis matrix shown in Figure 18. Each cell is the probability weight multiplied by the business-impact weight, rounded to a whole percent.

Business impact levels (columns):

  Extreme (100%)        Complete operational failure, "bet the farm" impact, unsurvivable
  Major (80%)           Severe loss of operational capability, highly damaging and extremely costly but survivable
  Moderate (62%)        Substantial operational impact, very costly
  Minor (25%)           Noticeable but limited operational impact, some costs
  Insignificant (1%)    Minimal if any operational impact, negligible costs

Probability levels (rows):

  (Almost) certain (100%)   We are bound to experience further incidents of this nature - in fact they are probably occurring right now!
  Probable (80%)            We are likely to experience incidents of this nature before long
  Possible (62%)            It is distinctly possible that we will experience incidents of this nature
  Unlikely (25%)            Incidents of this nature are uncommon but there is a genuine chance that we may experience them at some future point
  Rare (1%)                 Although they are conceivable, we will probably never experience incidents of this nature

Probability \ Business impact    Extreme   Major   Moderate   Minor   Insignificant
                                   100%     80%       62%      25%          1%
(Almost) certain    100%           100%     80%       62%      25%          1%
Probable             80%            80%     64%       50%      20%          1%
Possible             62%            62%     50%       38%      16%          1%
Unlikely             25%            25%     20%       16%       6%          0%
Rare                  1%             1%      1%        1%       0%          0%

Figure 19: Closet now used
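The risk analysis described above can be reproduced in code: the probability and business-impact weights are the ones the company defined in Figure 18, and scoring an asset register against them gives the prioritised list that drove changes such as the lockable cabinets. The block below is an added example, not Metyis' own tooling; the asset register entries, the field names, the helper functions and the 50% treatment threshold are constructed assumptions.

```python
"""Risk analysis in the style of the Figure 18 matrix.

Added example, not Metyis' own tooling. The probability and business-impact
levels and their weights come from the page; the asset register, the field
names and the 50% treatment threshold are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Level weights, in percent, as defined by the company (Figure 18).
PROBABILITY = {"almost certain": 100, "probable": 80, "possible": 62,
               "unlikely": 25, "rare": 1}
IMPACT = {"extreme": 100, "major": 80, "moderate": 62,
          "minor": 25, "insignificant": 1}

# Assumption: assets scoring at or above this are prioritised for treatment.
TREATMENT_THRESHOLD = 50


def risk_score(probability: str, impact: str) -> int:
    """Matrix cell: probability x impact, rounded half-up to a whole percent."""
    p, i = PROBABILITY[probability], IMPACT[impact]
    return (p * i + 50) // 100


def risk_matrix() -> dict[str, dict[str, int]]:
    """Rebuild the full matrix; reproduces every cell shown in Figure 18."""
    return {p: {i: risk_score(p, i) for i in IMPACT} for p in PROBABILITY}


@dataclass
class Asset:
    """One row of the asset register described above (fields from the page)."""
    name: str
    owner: str
    kind: str            # hardware / electronic file / hard-copy
    information: str     # personal data / business data
    confidentiality: str
    protection: str      # how the asset is currently protected
    probability: str     # a key of PROBABILITY
    impact: str          # a key of IMPACT

    @property
    def risk(self) -> int:
        return risk_score(self.probability, self.impact)


# Constructed sample register (not Metyis' actual inventory).
REGISTER = [
    Asset("Client contracts (paper)", "Office manager", "hard-copy",
          "business data", "confidential", "open shelf", "probable", "major"),
    Asset("HR files", "HR lead", "electronic file", "personal data",
          "restricted", "shared drive, no ACL", "possible", "extreme"),
    Asset("Visitor laptop", "IT", "hardware", "business data",
          "internal", "full-disk encryption", "unlikely", "minor"),
    Asset("Meeting-room TV", "IT", "hardware", "business data",
          "public", "none", "rare", "insignificant"),
]


def prioritise(assets: list[Asset]) -> list[tuple[str, int]]:
    """Rank assets by score, highest risk first (stable for ties)."""
    ranked = sorted(assets, key=lambda a: a.risk, reverse=True)
    return [(a.name, a.risk) for a in ranked]


def needs_treatment(assets: list[Asset]) -> list[str]:
    """Assets whose cell meets the (assumed) treatment threshold."""
    return [a.name for a in assets if a.risk >= TREATMENT_THRESHOLD]


if __name__ == "__main__":
    row_fmt = "{:<16}" + "{:>14}" * len(IMPACT)
    print(row_fmt.format("", *IMPACT))
    for p, row in risk_matrix().items():
        print(row_fmt.format(p, *(f"{v}%" for v in row.values())))
    for name, score in prioritise(REGISTER):
        print(f"{score:3d}%  {name}")
```

Integer arithmetic with half-up rounding is used deliberately: it reproduces the published cells exactly (for instance Unlikely x Moderate gives 16% and Rare x Minor gives 0%), which floating-point multiplication followed by round() does not guarantee.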

Understand how many security breaches existed in the office and document them

Under this topic, the main security breaches and the common errors employees made on a daily basis were examined, for example:

• Using a door stopper to keep the door permanently open, so that anyone, including unwelcome people, could walk in;

• Leaving sensitive information on paper at the working desks, giving anyone the opportunity to get hold of it;

• Leaving the seat with the screen still on, sometimes with sensitive information displayed.

These situations were corrected over time by communicating with the team, by e-mail and during the monthly meetings; the door stopper was removed, forcing employees to always badge in at the door to enter the office area.

Understanding some of the aspects of cybersecurity

Since most of the threats to sensitive information come from the internet, it is necessary to browse safely. With that in mind, the team members most responsible for implementing ISO 27001 took an online course with Securframe to learn how to defend against some of these threats, for example how to recognise a phishing e-mail.

4.1.2 During the audit

To prepare them even better for the audit, the people selected for the interviews went through practice interviews so that they understood what was expected of them.

The rest of the audit consisted of visiting the office and understanding what procedures existed in case of a security breach and how the Porto office protected its assets.

4.1.3 After the audit

The result of the internal audit was not disclosed, but it showed how well the Porto team was prepared, and that the Amsterdam office should follow the Porto office's example with regard to ISO 27001.

Globally, more training programmes were launched: the rest of the employees took the same cyber-security training as the experts, and simulated phishing e-mails were sent to train and prepare employees better for real-world threats.

Once again, employees became more involved in changing their way of working to be more ISO 27001-compliant.
