The Registry .si recently obtained the ISO27001 certificate – one of the most recognizable standards relating to information security, which provides requirements for the Information Security Management System (ISMS). The certificate attests that the Registry .si is proficient in protecting user data, reducing risk exposure and promoting a culture of information security. We talked with Barbara Povše Golob, Head of the Registry .si, who has presented the challenges we faced in the certification process.
1. Why is obtaining the ISO27001 certificate important for the Registry .si?
The Registry .si manages the top-level DNS infrastructure for .si, so the accessibility of the Slovenian domain space and therefore a large part of the Slovenian Internet depends on us. This is a great responsibility that we are well aware of, which is confirmed by more than 25 years of operation of .si without a single noteworthy incident.
2. Awareness about protecting information and information systems has been very strong at the Registry .si since the very beginning. What was the reason you started thinking about information security as head of your department?
National top-level domain registries for are special organizations in some ways. There is only one ccTLD register in each country. Therefore, there is no one around to share experiences with, look up to or learn from. Naturally, this led European national registries to form an international alliance almost 25 years ago – the organization CENTR, where we exchange experience and knowledge, seek technical, legal and other solutions in various working groups, and have CENTR represent our “voice” in EU and global organizations. Given the exceptional importance of information security for ccTLD registries, CENTR has also set up a working group in this field many years ago. It was here that I first encountered the ISO270001 standard. At that time, the Registry .si was even smaller and with only five employees, the standard seemed out of reach. But at the same time, I was keenly aware that we needed to approach protection of information and information systems in a more structured way.
3. However, awareness about the safety of information and information systems was not born only by joining the CENTR working group. Employees at the Registry .si have been aware of the importance of information security from the very beginning of the .si domain.
Of course, information security concerns did not start then. They have been installed in all systems since the very beginning of the Registry .si. Due to the small number of employees, however, everything was more informal and with insufficient documentation. In 2015, we decided it was time for a change. We turned to our “big brother” – the Dutch SIDN registry, which was already ISO27001 certified at the time. They responded kindly and together with Bert van Trinke, who led SIDN through all the pitfalls of certification, we devised a plan. The goal we set ourselves was not ISO certification, but improving information security.
4. And because we have set up information security procedures so well and structurally inserted them into our processes, the desire for ISO certification became more accessible… You mentioned Bert, who has always encouraged our team, that certification was achievable, albeit with hard work.
Bert visited us three times in 2016 for two to three days. At those visits, the entire team worked with Bert from morning to evening, learning from him, asking questions. And sometimes despaired :-). We got to know the ISO standard and tried to understand it. We divided the tasks and set deadlines for the implementation. We sometimes quarrelled over how to implement certain changes. The most important thing in the whole process was that as a small team we were all able to participate and we were all part of this important project. That meant the certificate was really “ours” and not just “theirs”.
5. How did those procedures, on the basis of which SIDN obtained the ISO27001 certificate, help the Registry .si? How was the documentation process carried out?
Bert didn’t serve us solutions on a silver platter, he wanted us to find them ourselves. He joked that his job was not to catch the fish for us, but to teach us how to fish. And he was right. We gradually documented existing procedures, changed (and re-documented) others, and introduced new ones. That was a lot of work. We listed all the processes, determined their trustees, established the Information Security Management System and the Unified Security Policy of the Registry, analysed risks in individual processes and introduced measures for their management, enacted business continuity plans, etc.
6. The decision to be certified was also accompanied by the feeling that we may not be ready yet, that we still have some inconsistencies that needed to be addressed…
At the end of 2019, we invited Bert to visit us again. He was enthusiastic about our progress (and his work :-)) and evaluated that we were “ripe” for certification. Nevertheless, it took us almost 2 years to actually obtain the ISO270001 certificate.
7. Certificates such as the ISO27001 certainly contribute to better visibility and increase stakeholders’ confidence in the organization. Sometimes it is good to be one step ahead of the competition and the legislators. What advantages has the certificate brought us?
In 2019, with the adoption of the Information Security Act, the Registry .si was recognized as a provider of essential services and thus became legally obliged to ensure information security. As you can imagine, at that time I was delighted that we were ready for certification. In just six months, we would certainly not be able to meet the new legal requirements imposed on essential service providers.
8. How extensive this project has been is reflected in the fact that we have been preparing for it since 2015. What kind of team does such a project require and why did it take us so many years before we decided to get certified?
It may sound unusual, but I am very pleased that we carried out this project so gradually. Because this way we did it for real, not just on paper. Because our entire team worked and grew with the project. Because we had to thoroughly rethink all procedures and work on improvements all the time. Because we learned a lot, we connected even more. Because ensuring information security is part of our everyday work. I am not only proud of this formal confirmation that we are doing a good job, I am especially proud of each and every member of our team, who added a stone into this complex mosaic.