In July 2018, we received our ISO 27001 certificate, awarded to us by BSI. ISO 27001 provides the specification for an effective information security management system (ISMS) – a framework that offers a structured and comprehensive approach to managing information security risks.
Our certification does more than simply help us comply with laws; it helps protect our data in all forms, including digital and paper-based as well as in the cloud. And as a cloud consultancy, it is important that we practice what we preach. Our ISMS helps us increase our resilience to cyber-attacks, adapt to evolving security threats and reduce the costs associated with information security.
Our Journey So Far
One of the most important principles of the ISO methodology is a focus on continual improvement. As part of this, a BSI auditor will conduct a surveillance audit every year for 3 years before re-certification. The surveillance audit looks for positive evidence to verify that the elements and requirements of the certification are being addressed by our management system, and where applicable, identify potential areas for improvement.
At Wirehive we take culture very seriously, so after our previous Information Security Manager left in October 2018, the search for the right person meant the position stayed vacant until the end of April 2019.
In April 2019, I started! I have been involved in implementing and maintaining business management systems for about four years now, predominantly ISO 9001, 27001 and 14001. I have worked for a variety of organisations including an international leader and manufacturer of medical devices, an e-cigarette company and even a political party.
Although my background is varied, my approach has remained consistent: ensuring that any management system not only allows an organisation to meet statutory and regulatory requirements but fits the culture and needs of the business, whilst still upholding the principles that make ISO standards internationally recognised.
Our Next Steps
As you can imagine, the ISMS had stuttered a little in those six or so months. There was a backlog of activities relating to reviews and audits which hadn't taken place. With three weeks to prepare, my priority was to get to grips with the ISMS and establish where we were in comparison to where we needed to be.
To say I was pleasantly surprised by the adequacy of the already established ISMS would be an understatement. Comprehensive documentation, file structures and audit trails were just the start. There was a strong sense of awareness and ownership of responsibilities from everyone I spoke to. Anyone who has been involved in implementing a business management system will know that’s half the battle won.
I tried to take a forward-thinking approach to every task. If I was reading previous management review meeting notes, I would then plan a future management review. If I was looking at previous internal audit results, I would update the schedule for upcoming internal audits. This allowed me to create an action plan and set objectives which, in turn, enabled us to demonstrate a commitment to the ongoing vision and growth of our ISMS.
As well as planning ahead, it's really important to be familiar with all the documentation relating to the ISMS. Being aware of a particular policy or procedure, and being able to locate it, could be the difference between a non-conformity being raised and not. If we can't find a key procedure, then how can we demonstrate its effectiveness?
Prior to the audit we received a visit plan from BSI. This gave us an idea of what would be covered during the assessment and who would potentially need to be available to be interviewed by the auditor. Preparation really is essential to a successful audit.
The audit starts with an opening interview where the auditor and leadership team discuss any relevant changes to the organisation since the last assessment. This includes changes to the scope of the certification, departmental restructures and a discussion around the ongoing company strategy.
A specific clause in ISO 27001, clause 5.1 (Leadership and commitment), emphasises the importance of information security being supported, both visibly and materially, by top management. I was pleased to have the leadership team in the opening interview with me, discussing the importance of information security within Wirehive and demonstrating a top-level commitment to the ISMS. If it wasn't obvious already, I knew then that I had found a brilliant company to work for.
The assessment was spread across two days. This involved gathering lots of information, reviewing risk registers, business continuity plans and maintenance schedules. It helped that the BSI auditor was genuinely friendly. It was clear that she was knowledgeable and very comprehensive in her approach.
The assessment really provided us with an opportunity to learn and find out where we can develop and improve our ISMS. After two long days, lots of tea and furious note-taking on my part, the audit came to an end.
During an audit, there are three types of audit findings:
A major non-conformity is a non-fulfilment of a requirement that affects the capability of the management system to achieve its intended results.
A minor non-conformity is a non-fulfilment of a requirement that does not affect the capability of the management system to achieve its intended results.
An opportunity for improvement is a statement made by the auditor during an assessment which refers to a weakness or potential deficiency in a management system that, if not improved, may lead to a non-conformity in the future.
So, how did we do? Well, I'm pleased to say that we concluded our May 2019 audit with zero majors, one fewer minor non-conformity and five fewer opportunities for improvement than the previous year's assessment.
It's fair to say that I had to get to grips with Wirehive in a very short amount of time. Although this was a task of its own, it gave me the opportunity to work closely with my new colleagues to ensure that I had all the information I needed for a successful audit. The people at Wirehive are committed to their jobs and inherently security conscious, making this challenge and my job that much easier.
For a small business especially, the work involved in maintaining certification can at times be challenging. However, we have come away with some new objectives and targets and I'm genuinely excited to help develop and grow the ISMS over the next twelve months.