{"id":4450,"date":"2014-11-17T20:08:59","date_gmt":"2014-11-17T20:08:59","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/014\/11\/17\/will-a-piece-of-paper-stop-the-attackers\/"},"modified":"2025-09-19T10:04:55","modified_gmt":"2025-09-19T10:04:55","slug":"will-a-piece-of-paper-stop-the-attackers","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/11\/17\/will-a-piece-of-paper-stop-the-attackers\/","title":{"rendered":"Will a piece of paper stop the attackers?"},"content":{"rendered":"<p>There are many skeptics who do not believe ISO 27001 can help protect their information and\/or information systems; one of their main arguments is: \u201cWriting a policy or a procedure surely won\u2019t help against someone who wants to steal your information.\u201d<\/p>\n<p>And I agree with them \u2013 simply writing a document won\u2019t help.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Why won\u2019t just a piece of paper help?<\/h2>\n<p>For instance, a hacker who has written malicious software and managed to get it past your firewall and anti-virus software doesn\u2019t care whether you have a Network security policy or not.<\/p>\n<p>What\u2019s more, a disgruntled IT employee who wants to delete your data or take down your servers won\u2019t mind your <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=access-control-policy\" target=\"_blank\" rel=\"noopener\">Access control policy<\/a>.<\/p>\n<p>Likewise, a competitor who wants to steal your most precious know-how won\u2019t be very impressed by the Classification policy you invested a lot of time in writing.<\/p>\n<p>So, really, just having the documents won\u2019t help you much. 
This is why it is important to distinguish between two types of companies: (a) those who use frameworks like ISO 27001 to produce nice documents (in a very short time) and get an even nicer certificate to show off; and (b) those who may or may not want the certificate, but who definitely want to improve security in their company.<\/p>\n<p>You can surely guess what security looks like in a type (a) company, so let\u2019s not waste time on them; the rest of this article concerns type (b) companies.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Why bother with documentation?<\/h2>\n<p>We can take an international standard like <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> to make the case for documentation: it is true that ISO 27001 (like most other ISO standards) requires writing policies, procedures and plans, maintaining records, etc. (See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/list-of-mandatory-documents-required-by-iso-27001-revision\/\" target=\"_blank\" rel=\"noopener noreferrer\">List of mandatory documents required by ISO 27001<\/a>.)<\/p>\n<p>But ISO 27001 does not ask you to write policies and procedures just to give the auditors something to do; this may come as a shock, but writing documents really isn\u2019t the main point of ISO 27001. (See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2011\/01\/24\/5-greatest-myths-about-iso-27001\/\">5 greatest myths about ISO 27001<\/a>.)<\/p>\n<p>The main point of the documents is to change the behavior of your employees and, with it, your processes. 
For example, you probably have very good firewalls in your company, but they may not be maintained and\/or configured properly; you may have a very secure authentication system for your email, but if your employees read that email on smartphones with no protection whatsoever (no screen lock, no encryption, no remote wipe), the authentication system buys you little. And there are dozens of such examples, even in very small companies.<\/p>\n<p>So, let me draw the following conclusion: in most companies it is not the technology that is wrong; what\u2019s wrong is how that technology is used. This is why we need policies and procedures: they explain to everyone how to use the technology in a more secure way, and when everyone starts behaving differently, the level of security in your company will rise. (See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2012\/10\/22\/4-reasons-why-iso-27001-is-useful-for-techies\/\">4 reasons why ISO 27001 is useful for techies<\/a>.)<\/p>\n<p>Of course, if you want your documents to change something, you have to make them really usable \u2013 see this article for an explanation: <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/seven-steps-for-implementing-policies-and-procedures\/\" target=\"_blank\" rel=\"noopener noreferrer\">Seven steps for implementing policies and procedures<\/a>.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Why does the implementation take so long?<\/h2>\n<p>Very often, our new clients ask me: \u201cHow long will it take us to implement ISO 27001?\u201d, and for a small company of 50 employees I usually answer something like \u201c6 to 8 months.\u201d \u201cWhy that long?\u201d they ask. 
And then I have to explain that you can write all the documentation for ISO 27001 in just two weeks \u2013 simply fill in all the mandatory documents and you\u2019re done.<\/p>\n<p>But what takes time is for the employees in your company to accept all those changes \u2013 if you send them 20 new policies and procedures at once, they will look at you with the greatest contempt (and we all know how that approach ends). So, if you want them to really accept all those changes, you have to create the documents together with them, release them one by one, and conduct awareness and training in parallel with the publishing of each document. And that takes time \u2013 hence 6 to 8 months. See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/iso-27001-implementation-checklist\/\" target=\"_blank\" rel=\"noopener\">ISO 27001 project \u2013 How to make it work<\/a>.<\/p>\n<p>So remember \u2013 policies and procedures are not an aim in themselves. When you stop treating ISO 27001 as just a document-producing exercise, you will start getting real benefit from the standard: your employees will start behaving more securely.<\/p>\n<p><em>To see how to distribute, store, preserve, control changes to, retain and dispose of documents,<\/em> <a href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\">sign up for a free trial<\/a> <em>of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are many skeptics who do not believe ISO 27001 can help protect their information and\/or information 
systems; one of their main arguments is: \u201cWriting a policy or a procedure surely won\u2019t help against someone who wants to steal your information.\u201d And I agree with them \u2013 simply writing a document won\u2019t help. Why won\u2019t &#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[379,381,492,501,504,507],"class_list":["post-4450","post","type-post","status-publish","format-standard","hentry","category-blog","tag-information-security","tag-iso-27001","tag-threats","tag-project-planning","tag-document-management","tag-mandatory-procedures"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4450"}],"version-history":[{"count":3,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4450\/revisions"}],"predecessor-version":[{"id":104585,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4450\/revisions\/104585"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4450"}],"curies":[{"name":"wp","href":"
https:\/\/api.w.org\/{rel}","templated":true}]}}