Our journey to become an ISO27001 Information Security Management certified organisation started back in 2014, which was when our (at the time) small business was handed a stack of paperwork by a client, asking to complete it yesterday.
At that moment I had absolutely no idea what ISO27001 was for, why I would care about it, or why our client really cared about it. My main concern was the fact that ISO stood for International Organisation for Standardisation, which meant the acronym was totally wrong and someone should write them a letter about that. Further research determined that it was not an acronym at all but a derivative of the Greek word isos, meaning "equal", which I frankly thought was delightful and someone should write them a letter about that.
Best practice in Information Security Management
With a gentle nudge from management (who were profoundly confused by my initial kick-off presentation), I was realigned back onto what I was meant to be doing: investigating how we as an organisation could ensure that our practices aligned with international best practice in Information Security Management. Very quickly it became apparent that our Development Team had already aligned themselves with the security best practice outlined in the international guidelines, and as such we already had the technical controls down. What the standard adds beyond that is the management system around those controls: documented policies, risk assessment, ownership, and evidence that the controls are operating.
This then had us asking, as a business, "why bother doing this at all?" Frankly, that is the question you should ask before any process implementation, especially one that attracts annual external audits and a staggering amount of paperwork.
Why go to the effort of ISO27001 certification?
- Value in the certification itself: our formal success in achieving certification summarises the effort, time and investment we have put into having a secure platform. That is an obvious advantage and certainly part of the reason we continue to maintain and refine our information security management process.
- A consistent standard to adhere to when implementing our newest technologies: minimising the chances of security issues, of poor code being deployed, or of our EVE Conversational AI chatbot potentially gaining sentience and attempting to overthrow humanity (note that I said minimise; never say never).
- Our clients' IT teams have a consistent benchmark to assess us against: we can help reduce some of the looming paperwork they are often forced to complete when implementing new systems, because an accredited third party has already audited our controls.
But as the owner of our ISO certification, my personal motivation is a little more aspirational: it is the proof of our business-wide commitment to the stewardship of the data and information in our care. I am proud to say that security is top of mind for all my team members, and they have never let us down. This might not seem extraordinary; in fact, it may seem like it should be the default standard. However, with the IBM Cyber Security Intelligence Index reporting that 95% of all successful cyber attacks involve human error, it may not be as common as we would hope. As we roll into our 7th year of successful ISO27001 certification, I am confident in the value that our certification provides for our clients, and that it confirms the innovative platforms we develop are safe, secure and fit for purpose.