From the outset of our company, a lot of effort went into making sure that our confidential data, and more importantly our customer data, were kept safe. However, we did not have a reliable and auditable way to demonstrate how good we are at it and how serious we are about it. In fact, it took us some time to realise that being able to do so was a big selling point and a statement about our professionalism that earned respect and credibility. ISO27001 Information Security Management certification was the answer. For a smaller organisation like ours this was not a small investment, but we knew that it had to be done and that it was vital to bring the company to the next level, not only in terms of external perception but also in terms of internal organisation.
When we set out to get ISO27001 certified, I admit I was dreading the implementation work ahead. Most of the dread came from the fact that none of us had implemented any ISO standard in our past lives. But hey! If you don't know about something, then find someone who does to help you, at least at first. A little bit of digging around on the internet, phone calls, networking events and pubs later, we found the ideal partner to help us: IT Governance. I have to say they were instrumental in getting us ready. From project planning and risk assessment to risk treatment, through to documentation, implementation, training and internal audit, they had it all covered. When the independent body, Certification International, came along for the official audit, we were over-prepared and it all went like a breeze. We were successfully recommended for ISO27001 certification.
The mountain in fact turned out to be a little hill, and getting over it took just under four months. We are now even thinking about and planning the next certification or compliance. HIPAA, NHS Information Governance, ISO9001? Bring it on!