- by Mike
How we achieved our ISO 27001 certification
As we all know, GDPR came into effect on 25 May 2018. And while the legislation was created 2 years earlier, it wasn’t something that was widely spoken about until around 6-8 months before the deadline. This is when we became aware of the impending new laws we would be required to comply with.
Once the initial (“what on earth is GDPR?”) questions had passed, we knuckled down, appointed a Data Protection Lead, and set about putting the measures in place we needed to ensure we were doing all we could to comply with the new legislation.
Data Protection has always been an integral part of everything we do at Reflect Digital, but inevitably there was additional work to be done to meet the new regulations. This came in a number of forms, from changes to processes, right through to changes to the software we produce.
So, after a few months of preparation and hard work, the day of GDPR finally arrived, and we had everything in place.
Chapter I - The Decision To Change
As a company that is always pushing to improve itself, we had met the needs of GDPR, but we wondered if there was more we could do to ensure that the security and integrity of the data we hold (both our own and on behalf of our clients) were maintained at the highest level possible.
After some research, two options came up: Cyber Essentials and ISO27001. For those who don’t know, Cyber Essentials is a scheme backed by the government's National Cyber Security Centre. As the name suggests, it aims to put in place the bare minimum (hence essentials) in order to help secure your network and the computers within it. It can be a good first step as it gets your business thinking more about security and how it can affect the data you hold. However, we wanted something more comprehensive.
So we looked at the succinctly named ISO 27001. Whereas Cyber Essentials is a UK Government-backed scheme, ISO 27001 is, as the name suggests, an international standard published by the ISO (International Organization for Standardization).
And whilst every business is different, whether you’re a top law firm, an international bank, or a local web agency, and the measures you will have to put in place will differ to suit the individual business, if you hold an ISO certificate, you know you are meeting an internationally agreed standard.
Due to the scope of the standards (there are 114 controls across 14 clauses), we knew this was the level of structure we wanted to gain.
Chapter II - The Realisation
Some of the staff at Reflect Digital had been in previous companies that had achieved the ISO 27001 certification, and so knew the scope of undertaking something like this. There were some concerns that we would be bogged down with bureaucratic documentation, and that it would restrict the speed at which we could deliver solutions to our clients. We were also aware that although we had met the requirements for GDPR, it had not been a straightforward task, in part because of the seemingly ambiguous information on how to achieve certain aspects.
So whilst we were confident we knew our business and were technically capable of gaining our certification, we decided we would need some external expertise to guide us through the world of ISO 27001. We turned to a company we had an existing relationship with (having built their website) - the fabulous 2SB.
Chapter III - The Dream Team
We had a goal to achieve our certification within 6 months, an ambitious task but one we were committed to. With that in mind, the first order of business was to create a dedicated team to manage the project.
Mike Steer - Head of Technical
As the head of the RD dev team, and the go-to person for all things technical, it was an obvious choice for me to expand my role to cover all the technical aspects of the standards.
Danielle Ross-Davies - Head of Projects
As our resident project manager, Danielle was an obvious choice with her fantastic organisation skills. She was instrumental in keeping us on track to meet our 6-month target, and whilst I looked after the technical side of things, Danielle would be looking after everything else.
Jon Passmore - 2SB Consultant
We brought Jon in at the beginning because, although we know our business, the regulatory side of ISO was new to us, so we needed a guide to help us navigate our way through the numerous controls laid out in the standards.
Chapter IV - The Implementation
We sat down with Jon and discussed what we do as a business, from marketing to design, account management and development. Armed with the knowledge of how our business operates both internally and externally, we set about going through the 114 (that’s right, 114!) controls detailed in the standards.
The first thing was to see which controls did not apply to us as a business. Sadly, out of the 114 controls, a meagre 2 were not relevant, which meant we had a lot of work on our hands.
That’s not to say that we didn’t have things in place to deal with data security before, just that it was less structured. Different departments would store data on different platforms (Dropbox, Drive, iCloud, etc.), share information slightly differently, and essentially work securely, but without any central direction or alignment.
What we wanted to achieve was to standardise processes across the business, to align all employees in terms of technology and mindset.
This not only means that we are now far more consistent across the business, but it makes onboarding far easier. Previously, when different departments had different systems in place, it could be confusing for new starters. Now that we have a formal induction process which includes an ISO briefing, our teams are aligned with regards to how they address security and data in general.
We worked through the controls one by one, producing documentation where necessary, and implementing the controls and procedures we would be following as a company.
What we ended up with was a catalogue of documentation which covers areas such as Remote Working, Information Transfer, Access Control, etc. In each case, we break down how we deal with various tasks associated with information security. The documentation is aimed at providing detailed information to staff on how to maintain the standards we are putting in place.
In addition, we have created “Top 10” posters which are distributed around the office. These posters cover the most important aspects of information security, to keep it at the forefront of everyone’s mind.
Chapter V - The Audits
So after months of blood, sweat and tears to ensure we had done all we could to achieve the coveted ISO 27001, came the audits.
Our auditors (ISOQAR) split the audit into two stages, the first being a 2-day overview of the business and a general check that we were covering all the bases. The second was a much more thorough affair which delved into the finer details of the solutions we had put in place.
Stage 1 was a 2-day audit covering an overview of the business and ensuring we had all the main processes in place, ready for the full audit.
A month later, the full 3-day audit took place, where the auditors went through the documentation we’d created, quizzed us on different scenarios and generally ensured that we were doing all we could to meet the comprehensive requirements of the ISO 27001 standards.
Once the audits had been completed and independently reviewed, we were awarded our full ISO 27001 certification.
So now that we have achieved our certification we can relax, right? Wrong! So what’s next for us?
It’s important to know that although we’ve achieved our certification, it is an ongoing process. As our business grows and evolves, we need to ensure we consider information security in every aspect of what we do.
And although we have a great InfoSec team who will drive this forward, it is the responsibility of every single member of staff to keep up the good work, and always be alert to information security risks.
And you don’t have to take our word for it: we will be regularly audited by an accredited body to ensure standards are kept high, and that we meet all the requirements the standards set out.