We’re ISO-27001 certified. Here’s why it was worth it

Are you a cloud-based service looking into getting ISO-27001 certification? Are you wondering about the process, the benefits, and whether it’s worth it?

There are a lot of articles about ISO-27001 written by security and compliance consultancy firms, but there’s not much out there about what it’s actually like from the perspective of an organisation going through the process.

This was something we thought was lacking when we were doing our research, so we thought – why don’t we share our first-hand account?

This blog post addresses some of the big questions we had before making a decision.

Why become ISO-27001 certified?

After completing our GDPR compliance requirements prior to its implementation in May 2018 we decided to pursue ISO-27001 certification.

We realised that in an ever-evolving security landscape, our customers were becoming more and more stringent in their procurement process. With major security breaches such as the Dropbox incident in 2016 (which led to the leaking of 68 million user passwords) and the iCloud leak of more than 500 private celebrity photos in 2014, organisations are much more aware of the security risks of using cloud-based services.

Prospective customers were beginning to ask us detailed and specific questions about our security management processes. One question that kept coming up was “Are you ISO 27001-certified?” We knew many of our competitors were attaining SOC 2, but direct customer feedback was telling us that ISO-27001 was more important for our particular service and market niche: we serve many international enterprises, and ISO is more globally applicable than SOC 2. This, of course, is something that your organisation needs to weigh up.

How long does it take to get ISO-27001 certified? 

We found it really difficult to find an answer to this online – and now it’s very clear why. It really does completely depend on your organisation. We had read everything from a couple of months to more than a year. It took us 18 months.

There were a few factors that stretched the process out for us:

• We are a relatively small team, and we did not have a dedicated person working on this full-time, so our IT and Security departments were working on ISO over and above BAU.
• We also decided to address and meet every control as outlined in Annex A of the standard, including things that were not necessarily risks for us. This was a decision to be completely thorough and follow best practice. Some organisations might not choose to do this.

ISO 27001 is very resource hungry on your teams, and when you are trying to focus on growth, ISO can seem like a distraction. But it is not. It is an essential part of our DNA and creates opportunities for growth in your people, your culture, and your customer footprint.

– Darren Whitaker-Barnett, CEO

Is ISO-27001 certification worth the time, energy and cost?

For us, becoming ISO 27001-certified was absolutely worth it. Even despite the fact that we had contracts that were contingent upon our eventual certification, this was a sound business decision for so many reasons.

This process has been great for building customer confidence. And it lowers the barriers to sale when we are interacting with potential customers. For many of them, it’s a must. And for the others, it’s a huge bonus.

– Andrew Thompson, Chief Security Officer

Business benefits for us include…

• Having a solid foundation to pursue other security certifications or attestations, such as SOC 2
• Establishing a strong security culture throughout our organisation
• Living and breathing our vision to become the most trusted people presence management system in the market
• Further establishing our brand as the top choice for enterprise-level organisations
• Potential cost savings in the long run that come from having a sound information security management system

Being ISO 27001-certified allows us to speak confidently about our security practices because we know we’re following international best practice. That’s the best value you can possibly offer from a security perspective.

– Tom Peck, Chief Technology Officer

What is the ISO-27001 certification process like?

We engaged Axenic, a security consultancy agency, to assess our current state of security, conduct internal audits and assist us on the path to certification (getting us ready for external audit and assessment – which was ultimately conducted by a third party auditor from BSI).

It was the right decision to engage a security and compliance consultant. We couldn’t have done this without Lisa [from Axenic].

– Tom Peck, Chief Technology Officer

Firstly, Axenic conducted a gap analysis using the Framework in conjunction with Annex A of ISO/IEC 27001 to create a Current Profile. As we mentioned earlier, we decided to implement everything in Annex A – even things that were not risks to our business/security processes – this was a business decision to follow best practice.

After this, we conducted a risk assessment. This report identified which controls were there and did not need improvement, which controls were already there but did need improvement, and which controls needed to be implemented from scratch. These are “risks” and are categorised as either low, moderate or critical.

Originally, we identified 35 risks. We achieved certification with only 7 areas of concern (though none enough to be a nonconformity).

The process was not complicated, but we certainly had no idea how extensive or time-consuming it would be.

– Andrew Thompson, Chief Security Officer

What kind of ongoing maintenance does it require to keep ISO-27001 certification?

ISO-27001 requires consistent management and maintenance. We’ve seen it said that ISO is a lifestyle, and that’s definitely true!

Retention of ISO 27001 certification includes…

• An annual surveillance audit makes sure you’re on track to managing all outstanding areas of concern
• A 3-yearly major re-audit will determine your eligibility to retain certification
• There will be other reports and documentation that requires even more regular review, bi-monthly etc.

Should you get ISO-27001 certified? 

Consider ISO-27001…

• If you want to serve customers in countries like Japan and India, it’s a legal requirement.
• If your customer base includes international organisations, ISO-27001 is more widely applicable globally than SOC 2.
• If your customers include large enterprises, it is good practice, and it removes a barrier when trying to get new customers over the line.

However…

• If you’re a small company (say, smaller than 20 people), consider that there are many roles that are required of staff over and above BAU, so a small team may not feasibly be able to complete or maintain ISO-27001.
• If you only service small businesses (who generally are less discerning than larger organisations) ISO-27001 certification is possibly not necessary.

ISO certification has created a ‘security first’ mentality in our office culture; this is an absolute must-have when dealing with customer information.

– Darren Whitaker-Barnett, CEO

Our advice to any organisation going through the certification process:

Make sure you’ve got the resources to get through it because it’s not something you can go into half-heartedly. For example, sometimes it will make sense to bring in external experts.

Make sure you’ve brought everyone in the company along on the journey. This requires a big culture shift, so make sure everyone understands why this is important and what the process is like.

Make sure you have enough people to fill the roles required by the standard. We have a relatively small leadership team so with all the roles necessary it might not have been possible to do it if the team were any smaller.

You need someone to really own and drive this process internally. For us, this was our CEO – he was committed to this and really gave it everything. It had his full attention over and above everything else.

Disclaimer:

We are not security or compliance consultancy. Everything outlined in this article is purely our own experience or opinion. Every organisation considering ISO-27001 should undertake their own research and gain professional advice before making a decision.

About MRI OnLocation

MRI OnLocation provides people presence management software that monitors the safe and secure movement of people through buildings and work sites. Our powerful, cloud-based solution unites visitor, contractor, employee, and emergency management, enabling organisations to secure their facilities and ensure the safety of every person on-site. Armed with a rich, unified source of people presence information, our users are empowered to make more strategic, data-driven decisions that mitigate risk, reduce overhead costs, and streamline operations. Compliant with ISO:27001 2013 for Information Security Management. MRI OnLocation serves organisations in 42 countries around the world and manages over 60 million secure movements through thousands of locations each year. For more information, visit MRI OnLocation.