CASE STUDY: Making ISO 27001 Simple
ISO 27001 is an international standard that describes best practice for an Information Security Management System (ISMS).
Information security protects your company’s information against the loss of:
- Confidentiality – “protected from unauthorised access”
- Integrity – “Information is accurate, up to date and complete”
- Availability – “information is accessible, especially when it’s needed most”
This is accomplished by identifying the strengths and weaknesses in how information is stored, accessed and kept.
An ISMS is a framework of policies and procedures that includes all the legal, physical and technical controls involved in a company’s risk management framework. This is a structured process for identifying potential threats to your company and defining a way to minimise the impact should they occur. In turn, this can reduce the risk of a costly data breach and minimise the associated brand and company damage.
Benefits of gaining ISO 27001 certification include:
- A management system to better manage security risks;
- Clarity when you, your employees, or anyone else is handling and sharing information;
- Better availability and access to information;
- Competitive advantage through assurance to new and existing customers;
- Helping your company meet Data Protection and GDPR requirements;
- Providing assurance to customers and suppliers when dealing with information and keeping it secure.
How CQR helped a global company achieve ISO 27001
CQR have helped a diverse range of companies achieve certification to ISO 27001, both locally and internationally. Our clients range from small and medium independent businesses to large multinational and global corporations.
Our client wanted to certify to the ISO 27001 standard to demonstrate their safe and secure methods of handling sensitive information. As an information solutions company, and due to the services they provide, they were highly conscious of the information they hold (e.g. health data), its critical nature and its privacy. They felt certification was the best way to validate their level of commitment.
As a significant global company, they wanted to narrow their ISMS to a critical division to begin with. This covered multiple countries and a large number of employees, but allowed them to focus on the areas where their own clients were pressing them for clarification and reassurance on how they were using data.
We worked closely with the division, other departments, and the cyber security team to understand their requirements and needs.
After reviewing existing documentation, we held interviews and workshops with team leaders and management to identify what information they had and to classify it according to its value and sensitivity.
Once we understood what information was held and its value, we performed risk assessments to establish the threats to their information and the impact on the company if there was a breach or incident. With these results in hand, we provided guidance and recommendations for improving their security and closing the gaps identified. We developed a list of actions, some of which were as simple as updating policies and procedures, or creating new ones that didn’t exist yet.
On account of the information they handled, we further aligned the ISMS with controls for HIPAA (Health Insurance Portability and Accountability Act), ISO 27017 (information security controls for cloud services) and ISO 27018 (PII in public clouds).
The division’s reliance on other supporting functions, and being part of a much larger company, meant that they had limited control over some processes. Shared services (e.g. IT and HR) were able to handle the more complex requirements, so we created Operational Level Agreements (OLAs) internally to confirm who was responsible for which processes.
We made sure all employees within the division were told about the project from the start and were kept up to date with our progress and what was happening in the background. They didn’t need to know much about the ins and outs, but it gave them context for the implementation and how it could affect them.
Once most of the ISMS was in place, we helped design and deliver an ongoing training and awareness programme for everyone. This helped them to know what was required of them and how to comply with the new policies and procedures.
We helped complete applications for certification bodies and created a breakdown of pricing, timing and effort involved for each. This helped them decide on who they wanted to use for the certification audit process. We were present during the external audits, providing guidance and feedback throughout.
The Outcome: Successful certification and assurance in their systems
The engagement and commitment from our client resulted in a successful implementation. They gained certification to the ISO 27001 standard in May 2020.
This is the first step in their journey for information security. They effectively demonstrated that they have developed a good, working management system and have taken on board the importance of managing information security, and how to handle data to protect it.
The ISMS will need to be managed and maintained, driving further maturity and continual improvement, and it will be assessed in ongoing surveillance audits in order to maintain certification.
At CQR, we aim to create an effective ISMS that integrates into “business as usual” activities. Our objective is to own as much of the “doing” as possible while building the management system, and to educate our clients at each step in the process. This ensures that ownership and skills are embedded within the business, so it ends up with a system that can be both understood and managed independently.
We want our clients to have confidence and assurance in their own systems and understand that the journey doesn’t need to be complicated or time consuming. If approached the right way with the right resources, ISO 27001 certification doesn’t need to be a lengthy or expensive process. It’s all about having the right resources: people, process and technology.