What we learnt on our journey to ISO 27001 certification

As Aspira turns 15 years old this year, we achieved ISO 27001:2017 certification, the international standard for Information Security management. The basic goal of ISO 27001 is to give organisations a framework for protecting three properties of information: Confidentiality, Integrity and Availability. In achieving this certification Aspira has demonstrated our commitment to a systematic, controlled approach to the management of information and the protection of our data.

We have seen sustained growth in our business over recent years and, as a result, we have grown as an organisation in terms of staff, systems and complexity. With this growth, we recognised the need to continually review and enhance our practices, processes and procedures. With a management team drawn from backgrounds in IT, Quality and Project Management, it was natural for us to consider leveraging an ISO standard as part of our improvement process.

When deciding on the ISO standard most appropriate for our business we explored and debated the merits of a number of standards. Ultimately, the drivers behind our decision were:

  • Given our type of business, what do our clients expect?
    In recent years, we have seen a marked increase in the expectation of both public and private clients, and potential clients, that we can demonstrate our ability to protect data. In light of the 2021 ransomware attack on the HSE (Ireland's Health Service Executive), there is now, understandably, a heightened sensitivity to the protection of systems and data.
  • What would actually improve our business?
    Increased operational effectiveness is a strategic goal noted in our business strategy, so in choosing a standard we wanted to be sure it would align with that objective.

We were adamant that achieving ISO certification should mean something tangible to our business and our clients, and have a positive impact on how we deliver our services. Based on our research we decided that achieving ISO 27001 would help us put in place the standards and controls needed to secure our information, and demonstrate to our clients our commitment to security.

Once we decided to attain ISO 27001 we put together an internal project team and retained an external ISO consultant. We quickly realised that the scope of the ISMS is not just IT – it spans the entire business and impacts not only how we store and secure data, but how we work with and share information. To achieve our certification goal we then established an ‘ISMS Project’ with two key objectives:

  1. Develop and implement a centrally managed framework enabling us to manage, monitor, review, and improve our information security practices (an Information Security Management System)
  2. Achieve ISO 27001 (Information Security Management) certification, issued by an external certification body

As we worked through the project we began to make substantial changes to how we operate and manage our information, systems and processes. We already had what could be considered strong controls in place (such as multi-factor authentication, secure data locations and strong information security policies). However, delivering the ISMS project moved the focus and responsibility for the governance of Information Security from being seen as an IT operations activity to being a business-critical effort that receives constant attention, discussion, monitoring and review.

Along the way to certification, we implemented new, more effective controls such as automated document labelling and defined responsibilities for data owners, and developed a more comprehensive user awareness training programme. We also put in place a continual improvement programme with the objective of delivering further security enhancements over the next 12 months.

We now have an ISMS that is fit for purpose and an ISO 27001 certification that will be regularly reviewed, through the certification body's surveillance audits and our own internal audits, to ensure we continue to operate to this standard into the future. In achieving these objectives we have strengthened our security posture, systems and awareness, which reduces the potential for security threats to impact our business. As our information security processes and procedures mature further, information security will continue to embed itself as an integral part of the culture of the company.

Emma Daly - ISMS/ISO Project Manager

Emma Daly is a senior project and change manager and was responsible for the delivery of Aspira’s ISMS and ISO project. Emma is also Aspira’s Head of Business Consulting and comes from a broad background of Project and Programme Delivery and PMO Consultancy in both the public and private sectors. Emma, and the Business Consulting team, partner with our clients to help them fulfil their business needs at both strategic and operational levels.
