In late 2019, we embarked on a project to make Sandfield completely ISO 27001 certified. At the time we didn’t know much about the journey — it’s likely you don’t know much about it either — so we’re sharing our experience and why we’ve become advocates of the process and the accreditation.
What is ISO 27001?
ISO 27001 is an international standard for managing information security. It outlines the requirements for implementing, maintaining, and improving an information security management system and the related processes.
Why we became certified
For us there were four main drivers:
- The ever-growing risk of cyber attacks. ISO 27001 does not defend against attacks in itself, but it provides an excellent framework for identifying, minimising, and treating the risks behind them.
- In 30 years of successful business, we’ve worked with a lot of great customers and developed countless successful systems. We wanted to identify best practices and put them in place so that they protected both our business and our customers’ systems.
- Growing interest from existing and prospective customers about our ISO 27001 status.
- We’d become a reasonably large organisation with well-organised teams, but we needed more certainty that our entire team understood and was aware of our policies, especially when they changed.
How long did it take and what resources do you need to commit?
Our objective was to gain ISO 27001 certification for the entire Sandfield business – all teams and business units, including Crossfire, and cover all operations including cloud system management, managed services, software development processes, change control, incident management, HR policy, network, PCs, mobile devices, administration, physical security, and more.
Implementing the new policies involved every Sandfield employee and over 3000 collective hours of stimulating work... For context, in 2020 Sandfield had approximately 110 team members and the project took the better part of a year. Thankfully we chose great partners in ResilientIT, who are experienced in ISO certification projects and really accelerated our project through mentoring that kept us on track.
The audit was very thorough and involved most members of the ISMS Committee for a week. It went smoothly, but there were plenty of probing questions across the full range of information security areas and policies we had in place. Upon presenting our company-wide antivirus security dashboard, we were confronted with a “sea of red” showing many devices with out-of-date virus definitions, which was totally unexpected! A heart-stopping moment for sure in front of the auditor, but it turned out the cause was innocent enough: the definitions had only just been updated a few hours before. The lesson is to understand how a dashboard decides that something is “out of date” and to check it against the vendor’s release timing before presenting it as evidence.
How did we make it “stick”?
Before we started, we knew we needed an effective way to continuously manage our long list of ISO 27001 responsibilities, which included:
- Managing the ownership and revision of all our information assets.
- Auditing and managing suppliers.
- Identifying, classifying and regularly reviewing risks that may affect our business.
- Recording, managing, and responding to security threats, vulnerabilities, and incidents.
- Developing, versioning, and managing the change of all of our information security policies.
- Knowing our team members have read our policies and communicating when they need re-reading after a change.
- Having clear processes for handling our responsibilities under the NZ Privacy Act, GDPR, and other legal requirements.
- Ensuring our standards around secure development are reviewed and updated, and that our teams know where to find them and have read them, especially when changing security requirements mean the policies have been updated.
Though much of this information was available, it was siloed in intranet pages, Google Docs, lists, and various systems across the business.
A system that could cover all of the ISO 27001 requirements while remaining flexible enough to accommodate Sandfield’s specific needs was therefore essential, both for implementing ISO 27001 and for maintaining it across the organisation.
We chose ISMS.online to document and manage all of this information, and we continue to believe it was a wise choice. The system gives every policy, information asset, incident, and other item mandatory review dates and review processes; tracks progress over time; links controls to risks; assigns and measures risk profiles; and, crucially, gives the ISMS Committee the visibility to ensure these requirements are being met.
Was it worth it?
It’s a big commitment that never stops. After successful certification in late December 2020, we are still subject to yearly surveillance audits and a full recertification audit every three years.
These audits look for evidence that we’re following our policies, our teams know about them and understand them, and that we’re continuously improving and developing our policies.
Though it was a demanding process, we’re confident we now have a strong set of disciplines that manage, monitor, and review every factor that can affect information security.
Finally, yes, we can wholeheartedly say it has been worth it. Our investment in ISO 27001 has improved our processes, demands continuous improvement, is independently audited, and, we believe, gives our customers confidence that we can minimise information security issues. The time was right.