ISO 27001 - Interview with our Information Security Officer, Jayne Mitchell

What is an ISO 27001 Certification?

ISO/IEC 27001:2013 (also known as ISO 27001) is the international standard for information security. It sets out the specification for an Information Security Management System (ISMS) and has worldwide recognition. The standard’s best-practice approach helps organisations manage their information security by addressing people, processes, and technology.

When did we embark on the ISO journey?

Our CEO, managers and Information Security Officer began the journey to acquire ISO 27001 certification in May 2018.

What prompted us?

During conversations with our customers, prospects and integration partners, the importance of ISO 27001 became apparent. We were doubly motivated, as the future-proofing of technology has always been at the forefront of our product development strategy. Having the ISO 27001 certification also offered a simpler route for us and potential customers when it came to requests for proposals, as we were able to skip 180-200 information security questions, saving us and our potential customers time in the procurement process.

How long did it take?

At MoveAssist we were eager to attain the credentials as quickly as possible. We began the process of gaining the accreditation in May 2018. We booked our Stage 1 assessment in November 2018, which was swiftly followed by the Stage 2 assessment in December 2018. We were delighted to formally receive our ISO 27001 certification on 21 February 2019, after a total period of 10 months from start to finish.

Why is the ISO 27001 relevant to us?

ISO 27001 is relevant to any global mobility technology solution because of its inherent need to capture personal information about employees, such as salaries and passport details, and a great deal of other personal information relating to the employee and their families. To our clients the certification provides demonstrable assurance regarding the security of information. To us, as a company, it assists with our future growth, ensuring we are always a few steps ahead and our solutions exceed market expectations.
There are many ISO standards. Examples of other popular standards include:

What did we learn from it?

By pursuing the certification, we learned a lot along the way. Most notably we were given the opportunity to properly reflect on our internal practices and processes. With this reflection and the ISO 27001 guidance we were able to learn how we could best improve our internal governance.

How has it helped us?

First of all, peace of mind, knowing that our processes and products are meeting the highest security standards. Undertaking this investment also shows that we are actively investing in our fantastic people, our products and our processes. To our customers it provides a seal of approval by way of an independent expert assessment, assuring them that their data is adequately protected. When we first contemplated getting the certification, we could not have foreseen how lucky we were to have it completed well before the COVID-19 pandemic. Cyber-attacks have grown in intensity and strength over the course of the COVID-19 pandemic due to the steep increase in remote work practices. Remote working is covered within the ISO 27001 framework, so you can be confident the same strict security measures apply.

What was the biggest challenge?

The biggest mountain we had to move to meet ISO standards was the tight timeframe we had set ourselves 😉. We planned to be ready for audit within six months, which we proudly achieved!

What are the main steps to obtain an ISO 27001 Certification?

  1. Securing management commitment and budget
  2. Identifying interested parties and legal, regulatory, and contractual requirements
  3. Conducting a risk assessment
  4. Reviewing and implementing the required controls
  5. Developing internal competence to manage the project
  6. Developing the appropriate documentation
  7. Conducting staff awareness training
  8. Reporting (e.g., the Statement of Applicability and risk treatment plan)
  9. Continually measuring, monitoring, reviewing, and auditing the ISMS
  10. Implementing the necessary corrective and preventive actions

How long is our certification valid?

Once certified you cannot sit back and relax. It’s about always being a step ahead. We continue to be audited annually by BSI (The British Standards Institute).