{"id":38596,"date":"2020-02-25T05:14:59","date_gmt":"2020-02-25T09:14:59","guid":{"rendered":"https:\/\/www.mrisoftware.com\/sg\/blog\/were-iso-27001-certified-heres-why-it-was-worth-it\/"},"modified":"2022-05-08T22:40:42","modified_gmt":"2022-05-09T02:40:42","slug":"were-iso-27001-certified-heres-why-it-was-worth-it","status":"publish","type":"post","link":"https:\/\/www.mrisoftware.com\/sg\/blog\/were-iso-27001-certified-heres-why-it-was-worth-it\/","title":{"rendered":"We\u2019re ISO-27001 certified. Here\u2019s why it was worth it"},"content":{"rendered":"<p>Are you a cloud-based service looking into getting ISO-27001 certification? Are you wondering about the process, the benefits, and whether it\u2019s worth it?<\/p>\n<p>There are a lot of articles about ISO-27001 written by security and compliance consultancy firms, but there\u2019s not much out there about what it\u2019s actually like from the perspective of an organisation going through the process.<\/p>\n<p>This was something we thought was lacking when we were doing our research, so we thought \u2013 why don\u2019t we share our first-hand account?<\/p>\n<p>This blog post addresses some of the big questions we had before making a decision.<\/p>\n<h2>Why become ISO-27001 certified?<\/h2>\n<p>After completing our GDPR compliance requirements prior to its implementation in May 2018 we decided to pursue ISO-27001 certification.<\/p>\n<p>We realised that in an ever-evolving security landscape, our customers were becoming more and more stringent in their procurement process. With major security breaches such as the Dropbox incident in 2016 (which led to the leaking of 68 million user passwords) and the iCloud leak of more than 500 private celebrity photos in 2014, organisations are much more aware of the security risks of using cloud-based services.<\/p>\n<p>Prospective customers were beginning to ask us detailed and specific questions about our security management processes. 
One question that kept coming up was \u201cAre you ISO 27001-certified?\u201d We knew many of our competitors were attaining SOC 2, but direct customer feedback was telling us that ISO-27001 was more important for our particular service and market niche: we serve many international enterprises, and ISO is more globally applicable than SOC 2. This, of course, is something that your organisation needs to weigh up.<\/p>\n<h2>How long does it take to get ISO-27001 certified?<\/h2>\n<p>We found it really difficult to find an answer to this online \u2013 and now it\u2019s very clear why. It really does completely depend on your organisation. We had read everything from a couple of months to more than a year. It took us 18 months.<\/p>\n<p><b>There were a few factors that stretched the process out for us:<\/b><\/p>\n<ul>\n<li>We are a relatively small team, and we did not have a dedicated person working on this full-time, so our IT and Security departments were working on ISO over and above BAU.<\/li>\n<li>We also decided to address and meet every control as outlined in Annex A of the standard, including things that were not necessarily risks for us. This was a decision to be completely thorough and follow best practice. Some organisations might not choose to do this.<\/li>\n<\/ul>\n<blockquote><p>ISO 27001 is very resource hungry on your teams, and when you are trying to focus on growth, ISO can seem like a distraction. But it is not. It is an essential part of our DNA and creates opportunities for growth in your people, your culture, and your customer footprint.<\/p><\/blockquote>\n<p><b>\u2013 Darren Whitaker-Barnett,<\/b> CEO<\/p>\n<h2>Is ISO-27001 certification worth the time, energy and cost?<\/h2>\n<p>For us, becoming ISO 27001-certified was absolutely worth it. 
Even though we had contracts that were contingent upon our eventual certification, this was a sound business decision for many reasons.<\/p>\n<blockquote><p>This process has been great for building customer confidence. And it lowers the barriers to sale when we are interacting with potential customers. For many of them, it\u2019s a must. And for the others, it\u2019s a huge bonus.<\/p><\/blockquote>\n<p><b>\u2013 Andrew Thompson,<\/b> Chief Security Officer<\/p>\n<p><b>Business benefits for us include\u2026<\/b><\/p>\n<ul>\n<li>Having a solid foundation to pursue other security certifications or attestations, such as SOC 2<\/li>\n<li>Establishing a strong security culture throughout our organisation<\/li>\n<li>Living and breathing our vision to become the most trusted people presence management system in the market<\/li>\n<li>Further establishing our brand as the top choice for enterprise-level organisations<\/li>\n<li>Potential cost savings in the long run that come from having a sound information security management system<\/li>\n<\/ul>\n<blockquote><p>Being ISO 27001-certified allows us to speak confidently about our security practices because we know we\u2019re following international best practice. That\u2019s the best value you can possibly offer from a security perspective.<\/p><\/blockquote>\n<p><b>\u2013 Tom Peck,<\/b> Chief Technology Officer<\/p>\n<h2>What is the ISO-27001 certification process like?<\/h2>\n<p>We engaged Axenic, a security consultancy agency, to assess our current state of security, conduct internal audits and assist us on the path to certification (getting us ready for the external audit and assessment, which was ultimately conducted by a third-party auditor from <a href=\"https:\/\/www.bsigroup.com\/en-NZ\/\">BSI<\/a>).<\/p>\n<blockquote><p>It was the right decision to engage a security and compliance consultant. 
We couldn\u2019t have done this without Lisa [from Axenic].<\/p><\/blockquote>\n<p><b>\u2013 Tom Peck,<\/b> Chief Technology Officer<\/p>\n<p>Firstly, <a href=\"https:\/\/www.axenic.co.nz\/\">Axenic<\/a> conducted a gap analysis using the Framework in conjunction with Annex A of ISO\/IEC 27001 to create a Current Profile. As we mentioned earlier, we decided to implement everything in Annex A \u2013 even things that were not risks to our business\/security processes \u2013 this was a business decision to follow best practice.<\/p>\n<p>After this, we conducted a risk assessment. This report identified which controls were already in place and did not need improvement, which controls were already in place but did need improvement, and which controls needed to be implemented from scratch. These are \u201crisks\u201d and are categorised as either low, moderate or critical.<\/p>\n<p>Originally, we identified 35 risks. We achieved certification with only 7 areas of concern (though none serious enough to be a nonconformity).<\/p>\n<blockquote><p>The process was not complicated, but we certainly had no idea how extensive or time-consuming it would be.<\/p><\/blockquote>\n<p><b>\u2013 Andrew Thompson,<\/b> Chief Security Officer<\/p>\n<h2>What kind of ongoing maintenance does it require to keep ISO-27001 certification?<\/h2>\n<p>ISO-27001 requires consistent management and maintenance. 
We\u2019ve seen it said that ISO is a lifestyle, and that\u2019s definitely true!<\/p>\n<p><b>Retention of ISO 27001 certification includes\u2026<\/b><\/p>\n<ul>\n<li>An annual surveillance audit that makes sure you\u2019re on track to managing all outstanding areas of concern<\/li>\n<li>A three-yearly major re-audit that determines your eligibility to retain certification<\/li>\n<li>Other reports and documentation that require even more regular review (bi-monthly, for example)<\/li>\n<\/ul>\n<h2>Should you get ISO-27001 certified?<\/h2>\n<p><b>Consider ISO-27001\u2026<\/b><\/p>\n<ul>\n<li>If you want to serve customers in countries like Japan and India, it\u2019s a legal requirement.<\/li>\n<li>If your customer base includes international organisations, ISO-27001 is more widely applicable globally than SOC 2.<\/li>\n<li>If your customers include large enterprises, it is good practice, and it removes a barrier when trying to get new customers over the line.<\/li>\n<\/ul>\n<p><b>However\u2026<\/b><\/p>\n<ul>\n<li>If you\u2019re a small company (say, smaller than 20 people), consider that there are many roles required of staff over and above BAU, so a small team may not feasibly be able to complete or maintain ISO-27001.<\/li>\n<li>If you only service small businesses (which are generally less discerning than larger organisations), ISO-27001 certification is possibly not necessary.<\/li>\n<\/ul>\n<blockquote><p>ISO certification has created a \u2018security first\u2019 mentality in our office culture; this is an absolute must-have when dealing with customer information.<\/p><\/blockquote>\n<p><b>\u2013 Darren Whitaker-Barnett,<\/b> CEO<\/p>\n<h2>Our advice to any organisation going through the certification process:<\/h2>\n<p>Make sure you\u2019ve got the resources to get through it because it\u2019s not something you can go into half-heartedly. 
For example, sometimes it will make sense to bring in external experts.<\/p>\n<p>Make sure you\u2019ve brought everyone in the company along on the journey. This requires a big culture shift, so make sure everyone understands why this is important and what the process is like.<\/p>\n<p>Make sure you have enough people to fill the roles required by the standard. We have a relatively small leadership team, so with all the roles necessary it might not have been possible to do it if the team were any smaller.<\/p>\n<p>You need someone to really own and drive this process internally. For us, this was our CEO \u2013 he was committed to this and really gave it everything. It had his full attention over and above everything else.<\/p>\n<h3><strong><i>Disclaimer:<\/i><\/strong><\/h3>\n<p>We are not a security or compliance consultancy. Everything outlined in this article is purely our own experience or opinion. Every organisation considering ISO-27001 should undertake their own research and gain professional advice before making a decision.<\/p>\n<h2>About MRI OnLocation<\/h2>\n<p>MRI OnLocation provides people presence management software that monitors the safe and secure movement of people through buildings and work sites. Our powerful, cloud-based solution unites visitor, contractor, employee, and emergency management, enabling organisations to secure their facilities and ensure the safety of every person on-site. Armed with a rich, unified source of people presence information, our users are empowered to make more strategic, data-driven decisions that mitigate risk, reduce overhead costs, and streamline operations. MRI OnLocation is compliant with ISO\/IEC 27001:2013 for Information Security Management. MRI OnLocation serves organisations in 42 countries around the world and manages over 60 million secure movements through thousands of locations each year. 
For more information, visit <a href=\"\/products\/onlocation\/\">MRI OnLocation.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Are you a cloud-based service looking into getting ISO-27001 certification? Are you wondering about the process, the benefits, and whether it\u2019s worth it?<br \/>\nThere are a lot of articles about ISO-27001 written by security and compliance consultancy firms&hellip;<\/p>\n","protected":false},"author":37,"featured_media":38070,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9405],"tags":[],"class_list":["post-38596","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-onlocation"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.mrisoftware.com\/sg\/wp-json\/wp\/v2\/posts\/38596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mrisoftware.com\/sg\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mrisoftware.com\/sg\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mrisoftware.com\/sg\/wp-json\/wp\/v2\/users\/37"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mrisoftware.com\/sg\/wp-json\/wp\/v2\/comments?post=38596"}],"version-history":[{"count":0,"href":"https:\/\/www.mrisoftware.com\/sg\/wp-json\/wp\/v2\/posts\/38596\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mrisoftware.com\/sg\/wp-json\/wp\/v2\/media\/38070"}],"wp:attachment":[{"href":"https:\/\/www.mrisoftware.com\/sg\/wp-json\/wp\/v2\/media?parent=38596"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mrisoftware.com\/sg\/wp-json\/wp\/v2\/categories?post=38596"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mrisoftware.com\/sg\/wp-json\/wp\/v2\/tags?post=38596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}