
Understanding ISO 27001
More good news to share from Eazi Security
Last week, eazi security achieved ISO 27001 certification, and if that doesn’t mean much to you, this is the article that will answer all of your questions.
ISO Meaning
If you’re not yet a security expert, here’s a little refresher. ISO 27001 is a standard of best practices for managing information security. This set of best practices takes a risk-based approach and is technology-agnostic. It includes requirements on compliance documents, management responsibilities, internal audits, continual improvement, and corrective and preventive action — all designed to protect a company’s information assets as well as possible.
Companies can elect to conform to the standard by meeting its requirements, but they can also go further and become ISO 27001-certified. In that case, an independent auditor is tasked with conducting an audit to assess whether the company meets the requirements.
We sat down with Robert Oakley, our DPO & Chief Information Security Officer at eazi security, to find out what this certification means for us and our clients.
Eazi security: Can you tell us more about the audit — how is it carried out and who hands out the certification?
Robert Oakley: The audit is just the final step of a long process! It all started in 2018 when we decided to have our security practices meet the requirements of an existing standard. We chose ISO/CEI 27001 because it is so widely recognized.
First, we defined the objectives and scope of the project with top management; then we worked with all teams to implement policies, procedures and practices that would meet our security objectives.
Once all these elements were in place, we conducted an internal audit to make sure we were heading in the right direction and that we were ready to meet the certification requirements.
The internal audit went very well, so without further ado, we called on an external auditor to carry out the official certification. That’s when things got real.
Eazi security: What do you mean, things got real?
Robert Oakley: Well, first the auditor made sure our policies and procedures were in line with the requirements. This phase was more about documenting things. Then they visited our various offices to ensure the policies and procedures were being effectively implemented.
Finally, the auditor submitted their recommendation to a recognized certification body, which, based on the review that was carried out, gave us the official certificate.
Eazi security: Now that we are certified, can you speak about the main challenges of achieving certification?
Robert Oakley: There’s no denying it, achieving the ISO 27001 certification is a huge undertaking that involves everyone on the team and impacts all company practices.
It was particularly impactful because we wanted to meet all 133 security requirements in the London office. Thankfully, the entire team was wholeheartedly committed to this project, which meant we were able to undergo the transformation very quickly.
Another challenge of this type of project is the involvement of management. Getting certified is an expensive undertaking with high direct costs (mainly the cost of the audit and certification) and also major indirect costs (purchasing security solutions, recruitment, securing offices, shifting processes…) so it’s important to have the full support of top management.
The security of our clients’ data being one of our main priorities, this certification process was a no-brainer for management, which was committed and supportive every step of the way.
Eazi security: What does this mean for clients?
Robert Oakley: As you know, deployment models are evolving. For companies, the digital landscape has shifted from on-premise systems and applications to complex environments that rest on multiple third-party SaaS solutions and external cloud computing services.
Therefore, security risks are increasingly being transferred, and today it’s more important than ever for companies to trust that their vendors and services are safe.
With this certification, our clients can feel even more confident because it proves that eazisecurity has an information security management system in place that adheres to an internationally recognized standard and that it has been deemed effective by an in-depth independent audit.
Also, keep in mind that our client brands regularly audit their vendors and that this certification helps to facilitate this type of assessment.
Life after Certification
Eazi security: Now that eazi security has achieved the ISO 27001 certification, what are the next steps?
Robert Oakley: Indeed, achieving this certification is terrific news but we can’t stop there! The very essence of the ISO 27001 is the continual improvement of systems, so getting certified is not the end of the road.
This is in fact part of the ISO 27001 certification framework, and the certification audit is followed by annual assessments to remain certified.
Eazi security: Can you share any examples of concrete actions you are putting in place?
Robert Oakley: We will continue to invest strongly in our security capabilities. For example, we have launched Marine Security to our sales portfolio and if you are a ship owner/manager or want to fully protect your super yacht from cyber security threats then you should be talking to us.
Contact David Clayden (david.clayden@eazisecurity.com) to find out more.