ISO 27001 certification gives organisations a way to demonstrate the strength of their security practices to customers, prospects and partners. However, even when a company is already working to the required standard, formal certification demands a considerable commitment of staff hours across the business. Organisations therefore need to get the timing right when submitting for formal certification: undertake it too lightly and you may well end up having to repeat the process further down the line.
At Egress, we continually seek to benchmark our technologies and processes against the highest levels of certification and accreditation. With the publication of the updated ISO standard in September 2013, we decided the time was right to formally certify ourselves against a standard we had informally been working to for some time.
This meant we needed to prove that we manage key business risks effectively, and to bring our existing policies and procedures together into a robust information security management system (ISMS), the management framework that the international standard defines. Our first step was to define the scope of our ISMS, before fleshing out our Security Policy and undertaking an extensive risk assessment across all key Egress business areas, culminating in a score that represented our current risk level.
What does ISO/IEC 27001:2013 involve?
Stepping up from the old 2005 edition, and among other improvements, the 2013 revision puts more emphasis on measuring and evaluating how well your ISMS is performing. As we were documenting our ISMS afresh, we tackled this from the ground up to create a tailor-made management system.
By December 2013, we’d planned our ISMS design, assessed our information security risks and had started to align appropriate controls against them. Moving into 2014, we started to formally implement and operate these as company policies and processes, together with the system controls they applied to, such as Access Control, Incident Management, Business Continuity, Physical Security, HR and Technical Procedures – everything you would imagine you’d need to support an effective and efficient management system.
Throughout the process, these controls were reviewed and constantly evaluated to ensure they were fit for purpose. In reality, even though we had fully discussed our requirements and agreed pragmatic resolutions to our business challenges, a few processes needed some fine tuning to make them work as well as we had originally anticipated. Most problem areas were identified internally; BSI (our external auditors) also tracked a shrinking action list as we progressed through our pre-certification visit and the Stage 1 and Stage 2 audits.
What does this mean for Egress?
Although we had been working to the ISO standard for some time, since our formal ISO 27001 certification in June we have already noticed the market differentiation it creates through prestige, image and external goodwill. Being ISO certified has also allowed us to meet contractual requirements more easily, as well as being a positive selling point for additional business. Internally, it has given us an assurance of a set standard of information security throughout Egress, demonstrating to staff that this has the full backing of the Egress Management Team.
ISO 27001 is also the foundation block for other accreditations and is now providing key evidence in our Pan Government Accreditation (PGA / G-Cloud).
Even though we’re now formally certified, Egress will still have an external ‘continual assessment visit’ (a surveillance audit) every year and will be audited for recertification every third year. By allowing these independent reviews, Egress will provide ongoing assurance of our information security practices to both customers and partners.
In conclusion
ISO 27001 provides a holistic, risk-based approach to information security and compliance, providing confidence for clients, partners and internal staff. By undertaking formal certification against this new standard, Egress has demonstrated its commitment not only to providing market-leading technology, but to doing so by working efficiently and securely, so that the service we provide to customers and partners meets the same high standard. Our ISMS is now fulfilling its role very effectively and has become part of Egress’ everyday business: it helps us to identify and manage risks to key Egress information and systems assets in a cycle of continual improvement, it raises the security awareness of all staff, and monthly ISMS management meetings now feed into our existing management sessions.
This is the best way ISO 27001 can demonstrate its value to any business!