As Aspira turns 15 years old this year, we achieved ISO 27001:2017 certification, the international standard for information security management. The basic goal of ISO 27001 is to enable organisations to implement a framework that protects three properties of information: confidentiality, integrity and availability. In achieving this certification, Aspira has demonstrated our commitment to a systematic, controlled approach to the management of information and the protection of our data.
We have seen phenomenal, sustained growth in our business over recent years and, as a result, we have grown as an organisation in terms of staff, systems and complexity. With this growth, we recognised the need to continually review and enhance our practices, processes and procedures. With a management team drawn from backgrounds in IT, quality and project management, it was natural for us to consider leveraging an ISO standard as part of our improvement process.
When deciding on the ISO standard most appropriate for our business we explored and debated the merits of a number of standards. Ultimately, the drivers behind our decision were:
- Given our type of business, what do our clients expect?
In recent years, we have seen a marked increase in the expectation of both public and private clients, and potential clients, that we demonstrate our ability to protect data. In light of the ransomware attack on the HSE in 2021, there is now, understandably, a heightened sensitivity to the protection of systems and data.
- What would actually improve our business?
Increased operational effectiveness is a strategic goal noted in our business strategy, so in choosing a standard we wanted to be sure it would align with that objective.
We were adamant that achieving an ISO certification should mean something tangible to our business and our clients, and have a positive impact on how we deliver our services. Based on our research, we decided that achieving ISO 27001 would help us put in place standards and controls to secure our information, and demonstrate to our clients our commitment to security.
Once we decided to attain ISO 27001, we put together an internal project team and retained an external expert ISO consultant. We quickly realised that the scope of an Information Security Management System (ISMS) is not just IT: it spans the entire business and affects not only how we store and secure data, but how we work with and share information. To achieve our certification goal we then established an 'ISMS Project' with two key objectives:
- Develop and implement a centrally managed framework enabling us to manage, monitor, review and improve our information security practices (the ISMS)
- Achieve ISO 27001 (Information Security Management) certification, certified by an external body
As we worked through the project, we began to make substantial changes to how we operate and manage our information, systems and processes. We already had what could be considered strong controls in place (such as multi-factor authentication, secure data locations and strong information security policies). However, delivering the ISMS project moved the focus and responsibility for the governance of information security from being seen as an IT operations activity to being a business-critical effort that receives constant attention, discussion, monitoring and review.
Along the way to certification, we implemented new, more effective controls such as automated document labelling and defined responsibilities for data owners, and developed a more comprehensive user awareness training programme. We also put in place a continuous improvement programme, with a set of security enhancement projects scheduled for delivery over the next 12 months.
We now have an ISMS that is fit for purpose and an ISO 27001 certification that is subject to annual surveillance audits and periodic recertification, so that we continue to operate to this standard into the future. In achieving these objectives we have improved our security posture, our systems and our awareness, which reduces the potential for security threats to impact our business. As our information security processes and procedures mature further, information security will continue to embed itself as an integral part of the culture of the company.