By Cynthia Wagner, Security Manager and CISO at Restena
As the manager of the ISO 27001:2013 certification process at Restena, I am proud to have successfully completed the long journey of the implementation of our information security management system (ISMS). At first, the main driver was to increase our maturity and to comply with the Network and Information System Security (NIS) directive because of our .lu top-level domain registry operation and management activities. But we immediately saw the opportunity to engage our IT network, hosting and security services for the research and education community in Luxembourg. We had no doubt this would confirm and be an acknowledgement of our good practice. So, we started the journey with an analysis of our existing processes and concluded, as we expected, that we had high-quality services but were missing documentation.
In around 18 months, we finally saw the light at the end of the ISO tunnel with a certificate on the wall. During that time, 30 policies and a multitude of new processes and procedures were implemented and, of course, documented. This might not seem that huge, but the amount of work is not to be underestimated. Between the preparation, the regular meetings, the involvement of all teams, the analyses, the reconsiderations and hot discussions, the writings and rewritings, to name just some steps, time flies as the pile of files grows considerably. But it is worth the journey for anyone willing to have a better and clearer view of their business.
COVID-19, the unsuccessful troublemaker
To make things a bit more difficult, I had the bad luck to start the process… during the COVID-19 pandemic. This was an additional change, which I consider the hardest. Our regular weekly meetings rapidly turned into remote ones when we were all starting to learn how to evolve and work together through such a work re-organisation. That was kind of two challenges in one. But even in that suspended time, federating people and accessing the existing knowledge was quite easy, as people were motivated to contribute. Maybe, in the end, we had the right timing… Today these weekly digital meetings have been replaced by warm monthly morning coffee and croissants meetings.
A questioning from the inside
With Restena’s CEO, we immediately took the decision to actively include all the team leaders in the certification process. And I am convinced that achieving the certification process on our own rather than simply buying an external service, and the freedom it gave us, were the key to the acceptance and full inclusion of all staff members in the process, not only the project team members.
We wanted processes and policies to look genuine, rethought with ‘a view from the inside’, and most importantly traceable. All team leaders were asked to write and (re)think their own processes. They included their whole teams in the writing and implementation, a real asset for team engagement. We are certain that it has been an advantage not only for Restena, but for each team. It was the occasion to investigate deeper into our organisation, (re)discover the processes in place and know our business even better. This was also the perfect time to carry out some cleaning in our organisation at all levels of the hierarchy.
This intensive exercise concretely allowed us to simplify and document all our existing verbal procedures. It has been such a great exercise to identify inconsistencies and get the teams working better together.
Help of a neutral view
While establishing the ISMS from the inside, I really appreciated the neutral vision of the external perspective given by the certification auditor. His judgement – without any bias – has been a real asset for planning our maturity. Every team, every situation, every process, every policy was examined with the same level of attention. And it is really satisfying to have been able to combine the knowledge of all the employees and to have the ISMS and all related efforts approved by a fair and impartial eye.
Breathing a new team spirit
It goes without saying that the implementation of the ISMS could not have been possible without the participation of all of my colleagues, not only the project team. I would like to thank all of them for that. I tried to do my best to inform, include and explain to all members of staff the planning, progress and achieved milestones in a transparent manner on a regular basis. For me that was crucial, as the strongest chain is only as strong as its weakest member. Staff members will not only have to read the results, but they will also have to apply them; therefore they have been a source of information you do not suspect at first. Implementing and keeping an ISO 27001 certification up and running is kind of breathing a new team spirit.
Now that we have implemented our ISMS there is no time to rest on our laurels as a lot of work remains. My colleagues can count on me to meet the deadlines and keep them informed. For sure, the pace has slowed down since the certification, but keeping the certification and improving our maturity is a new challenge we cannot fail.
About the author
Cynthia Wagner holds a PhD in computer science from the University of Luxembourg, where she studied the effects on network monitoring and security by applying different data mining techniques on flow measurements. In 2012 she joined the Restena Foundation as representative for its Computer Security Incident Response Team (CSIRT). Since then, she has been holding the position of CISO.
Besides her daily duties of managing security, Cynthia is currently co-chairing the CENTR (Council of European National Top-Level Domain Registries) Research and Developments Working group, teaches cybersecurity in a Luxembourgish high school and is the co-founder of the CyberDay.lu and Data Privacy Day conferences for research and education in Luxembourg.
This year, GÉANT again joins the European Cyber Security Month with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022