This month we talk to Paul Songaila, owner of Twin Systems about why he’s been unusually quiet for the past six weeks.
So, what have you been working on?
Getting our ISO 27001 certification was a game changer for the company and as the initial process took over nine months and involved hard work and commitment from every single member of the team, it’s vital that we maintain compliance and we’ve just had a renewal audit.
What’s ISO 27001?
An ISO certified company has higher standards for its information security mechanisms than other businesses and is required to produce a set of Information Security Management Systems (ISMS) to prove compliance with the ISO standards, as well as developing a culture of excellent care.
ISO 27001 is simply the global gold standard for effective information management.
And it took you nine months?
For us, yes, it took that long but the implementation process depends on the size, scale, scope, and complexity of the organisation’s management system but I believe that most SMEs will take between six months and a year.
Give me the headlines please.
It’s a really comprehensive multi-layered checklist which covers:
Senior management commitment
Crystal clear definition of strategies
Resources and competences
Documenting the information
Tracking the performance
There are six stages of the certification process and…
What are the six stages?
Produce your project plan.
Define the scope of your ISMS.
Perform risk assessment and gap analysis.
Implement policies and controls.
Deliver employee training.
Document and collect evidence.
What’s so good about ISO 27001?
As it is recognised internationally, having – and keeping – the ISO 27001 certification impacts not just the management of information but on our company as a whole. In order to become certified, it was necessary for every department at Twin to immerse in the scope of the ISO standard and begin the process of adapting our structure for the greater good.
When did you first get certified?
Back in 2016.
Was it really that difficult to get?
It’s not difficult as such; in principle it’s just maintaining really good information security. Like, really good. If you already practise that, the ISO certification merely helps you embed it and improve it over time.
So how do you make sure you stay compliant?
Live it every day; it’s not just a folder on a shelf. We religiously adhere to, review, and monitor our compliance controls, complete the awareness standards, and conduct the annual audit… that’s what I’ve been focusing on recently.
How often do you get checked?
Certification renewal is required every three years and surveillance audits are every year; if you let it lapse it becomes invalid and worthless and all our hard work will have gone to waste.
Can you fail an ISO 27001 audit?
You sure can, and if you do you could risk your hard-won certified status, but we try not to see the auditors as the enemy; they are our allies. External audits reveal non-conformances that we can address quickly, and they sometimes identify an issue with a quality management system that we are unaware of.
What are the real business benefits of Twin having ISO 27001?
We are demonstrating to clients the extra steps we have taken to protect their data, we avoid potentially costly security breaches, and we have won new business from new markets, as the certification is a hallmark of excellence in security and compliance.
So, how did you do in the audit?
I’m delighted to say that we aced it.
Good for you, what’s next on your To Do list?
This month I am working with a number of progressive accountants, helping them get their Cyber Essentials accreditation; it’s a government-backed scheme designed to protect organisations against 80% of cyber-attacks, reducing the risk of business disruption and downtime.
We look forward to hearing more about that next month.