The creators of isology®

isology® is a world-leading proven step by step roadmap to achieve ISO certification.

Implemented for over 600 organisations with a 100% success rate, we take you from the planning and creation of your bespoke ISO System through to certification with our 7 step process.

Anyone with a current ISO 27001:2013 certificate will be required to update and add certain elements in their existing Information Security Management System to ensure compliance with ISO 27001:2022 ahead of the October 2025 deadline.

Over the past few weeks, our mini-series has covered the fundamental changes to the Standard, along with tips on how to plan and implement the required updates.

Join Mel this week as she explains the final few stages of an ISO 27001 transition, including the Internal Auditing and final preparation ahead of a Certification Body visit.

You’ll learn

  • What needs to be audited?
  • What do I need to do to prepare for the Certification Body visit?
  • How can you get a free copy of ISO 27001:2022?

Resources

In this episode, we talk about:

[00:44] Catch up on the last two episodes before listening to this one: What you need to know to transition to ISO 27001:2022 / What changes need to be implemented to transition to ISO 27001:2022

[01:00] The last stages are all about gathering evidence of compliance against new and updated clauses and controls

[01:28] Make sure you plan your transition visit well in advance – if you leave it too late you may incur additional fees for more days, or possibly even for a full certification if you miss the deadline.

[02:15] This process for transition is fairly consistent among Certification Bodies. It typically includes a Readiness Review and a transition visit where they will review evidence of compliance against the new controls.

[02:45] You can get a free copy if you sign up to our Transition Programme by April 1st 2023.

[02:55] The last stage ahead of the transition visit is Internal Auditing. For those still planning their 2023 Internal Audits, you may wish to implement the changes earlier in the year with a view to auditing the changes in the latter half of 2023. Ensure that you allow time to build evidence of compliance ahead of a transition visit.

[03:45] If you need a bit of extra help, we include Internal Auditing within our transition programme – this will typically take 1 day.

[04:30] We can also support you during your transition visit – this could be online or on-site, depending on your Certification Body's preference.

[05:20] Currently many Certification Bodies are suggesting a half day for the Readiness Review and another day for the transition. Some may choose to include this transition as a part of their annual Surveillance visit to help save on costs. If you have a Surveillance coming up, it’s worth getting in contact with them to see what they would recommend regarding your transition.  

[05:43] We advise that you also ask your Certification Body when they will be UKAS accredited for ISO 27001:2022 – they may not be ready to complete a transition visit until the latter half of 2023.

[06:35] For our global listeners, your Certification Body will have an Accreditation Body that needs to verify their ability to conduct transition visits. For the UK this is UKAS, but it may differ for other countries.

[07:15] Don’t leave this until the last minute! Based on previous experience with transitions, we’ve found that companies that leave it until a few months before the deadline often can’t transition in time, and end up having to pay for a full Stage 1 and 2 Assessment in order to keep their certification.

Grab a copy of our ISO 27001:2022 Guideline to the changes here:

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

Data breaches have risen by 70% globally in Q3 of 2022, reinforcing the requirement for many to seek out Information Security solutions, especially those within the tech space.

Today we speak to Triaster, who have been in operation since 1994, providing businesses with process mapping and execution software to help drive business improvement.

Triaster’s Business Operations Manager, Jane Duncan, explains why they sought to implement ISO 27001, what challenges they faced and what they learned during their certification journey.

You’ll learn

  • Who are Triaster?
  • Why Triaster implemented ISO 27001
  • What did they learn from their experience?
  • What benefits have they seen as a result of implementing ISO 27001?

Resources

In this episode, we talk about:

[00:54] Get to know Jane Duncan – Triaster’s Business Operations Manager who has recently started fostering dogs for a local charity.

[01:41] Who are Triaster? In short, they build software solutions that drive business improvement. They are a thought leader in their field and strive to create new software to meet business needs.

[02:25] What was the main driver for achieving ISO 27001? In 2020, they had certified to the Quality Standard, ISO 9001, and saw the many benefits that come with ISO certification. They saw ISO 27001 as both an opportunity and a necessity due to their work within the IT industry. ISO 27001 is seen as a mark of trust and provides a central framework to improve data security.  

[04:28] How long did it take to implement ISO 27001? They started looking at certification bodies and consultants to help with implementation in March 2021. The project overall lasted six months, with their assessments taking place in September and October of the same year. They also chose to recertify to ISO 9001 at the same time – this aligned both Standards under one Integrated Management System.

[06:35] If you are considering implementing multiple ISOs, it’s recommended to integrate them into a single Management System. This reduces the costs of implementation and is overall easier to maintain.

[07:17] What was the biggest gap identified in Triaster’s initial Gap Analysis? They had a lack of security policies in place in addition to a lack of processes that would have mitigated potential data security risks.   

[08:00] What was the biggest difference ISO 27001 made? They now do regular annual SWOT and PESTLE analyses that are evaluated at Management Reviews. Risks identified during those reviews are added to a risk register and are used to develop the objectives and controls needed to mitigate future risk.

[08:38] Other differences include the ability to track non-conformities, security risks and opportunities for improvement. They also have the confidence to prove their data security credentials to clients and have the required documentation to back it up. Tendering processes are also made easier by having ISO 27001 as it is often a requirement that can now be ticked off.

[09:25] Triaster use an infrastructure partner (who are also ISO 27001 certified) and can now hold them accountable for the services they provide.

[09:50] Jane states that they are now a much better business following the implementation of both ISO 9001 and ISO 27001 – continually improving their processes and scrutinising working practices.

[10:54] All of the same security practices can be followed by those who are homeworking at Triaster.

[11:05] What has been the main lesson learned? The process of certification is a journey – it’s about continually improving and truly adopting the ethos of Information Security into every aspect of the business.

[11:52] What are the main benefits? They hope their clients can see their efforts and have confidence in Triaster’s ability to keep their data secure. They also now have the processes in place that drive continual improvement.

[12:33] Jane’s top tip: Document what you do as a business and look for gaps. Also, certification is a journey, and you shouldn’t stop striving to improve once you achieve certification. 

[13:00] What book would you recommend and why?  Internal Auditing in plain English: A simple guide to super effective ISO Audits by Craig Cochran

[14:15] Jane’s favorite quote: “No one is you, and that is your superpower”


Today we’re joined by Philip Bailey, Managed Services Director at PMC Retail, to talk about PMC’s experience with ISO 27001, from implementation to on-going maintenance.

PMC is a leading retail IT services and solutions provider, who recognised the growing need for formal Information Security certification. They achieved certification to ISO 27001 in 2021. Now, almost a year down the line, we catch up with Phil to find out what they’ve learned, the benefits of certification and some tips for those looking to implement ISO 27001.

You’ll learn

  • Who are PMC retail?
  • How do PMC currently manage their ISO 27001 certification?
  • How has the ISO Support Plan helped?
  • What have they learned from implementing the standard?
  • What are the benefits of implementing ISO 27001?
  • ISO 27001 Top tips from Phil

Resources

In this episode, we talk about:

[01:03] An interesting fact about Phil – he started in electronic engineering and was involved in the build of a system designed to measure the mirrors used in a telescope that was carried on the Discovery shuttle!

[01:44] Who are PMC Retail?

[03:49] An example of one of PMC’s projects – Pulling together legacy systems, updating them to newer technologies while maintaining the legacy data.

[04:40] Learn about Phil’s role at PMC  

[05:45] PMC are now certified to ISO 27001 – one of the most popular ISOs globally in recent years. It’s becoming something of a mandatory requirement in the tech space when bidding for contracts.

[06:31] How do PMC manage their ISO 27001 certification – Created a small team dedicated to the task of achieving certification – along with some help from us 😊 Following certification they onboarded a Compliance Governance Manager to keep up with Internal Audits and other ISO maintenance.

[08:25] How has the ISO Support plan helped? – Blackmores helped to implement the standard, and were very familiar with their system and way of working. Great to have a wealth of knowledge to tap into.

[09:00] PMC managed to implement the standard in just 6 months!  

[10:25] What did PMC learn from their experience? It wasn’t an easy task! Getting leadership commitment from the start made a huge difference.  

[11:50] The benefits PMC have experienced by implementing and maintaining ISO 27001: Being able to identify risks and put actions in place to mitigate them. Certification demonstrates a robust security infrastructure to third parties. Establishes more credibility to customers and partners. They are able to see a pathway for business growth, utilising the certification.

[14:30] ISO 27001 has helped to collate and bolster their existing Information Security structure – Having a library of resources, unified policies and procedures, company wide Objectives, and better understanding of measuring & managing risks.

[16:15] PMC ensure that staff complete annual training – as required by the Standard.

[17:10] Phil stresses that you can’t just stand still where Information Security is concerned: you need to be aware of new risks and make sure those in your business are also aware and know how to react.

[18:00] Top tips from Phil: Get Leadership commitment early on. Build yourself a Management Team. Get help from an experienced external party. It’s not a walk in the park, and needs focus to achieve in a reasonable amount of time.

[19:42] Phil’s book recommendation: The magic of thinking big by David J. Schwartz.

[21:42] Phil’s favourite quote: “You’re never too old to set a new goal, or too old to dream another dream”


Did you know there were 80 identified security incidents, resulting in 34,908,053 compromised records in June 2022 alone!

Standards such as ISO 27001 can help you put measures in place to reduce risk and help set up procedures for data recovery. However, not as many organisations adopt the guidance document ISO 27002, which provides further best practice advice to strengthen your IT Security.

ISO 27002 has recently been updated with 11 new controls that tackle recent emerging technology not covered in ISO 27001:2013.

Today, Mel explains ISO 27002 (Information security, cybersecurity and privacy protection – Information security controls), why it’s been updated and gives a high-level overview of the changes.

You’ll learn

  • The purpose of ISO 27002
  • How ISO 27002 works with ISO 27001
  • Why ISO 27002 has been updated in 2022
  • A basic overview of the changes to controls within ISO 27002:2022

Resources

In this episode, we talk about:

[00:30] A reminder to keep an eye out for future episodes on the upcoming updated version of ISO 27001:2022

[00:52] An introduction to the guidance document ISO 27002    

[02:02] Controls from the updated version of ISO 27002 can be implemented right now – not a requirement of ISO 27001 but recommended.   

[02:25] Why ISO 27002 has been updated – to bring it up to date with the latest technologies and to simplify the controls

[03:15] What this means for your Information Security Management System

[03:50] We expect the new controls in ISO 27002 to be reflected in the updated version of ISO 27001 coming out later this year.

[04:27] Reminder: ISO 27002 is not a certifiable standard, but it is best practice.

[05:00] ISO 27002 had its last major update in 2013 – think how much technology has changed since then!

[06:00] A summary of the changes to controls in ISO 27002

[07:25] New controls added to ISO 27002 highlight that the standard is more than just IT Security – a trait shared with ISO 27001

[09:13] A summary of what categories the 11 new controls fall under   

Just a reminder, we’re offering 6 months free access to the isologyhub for anyone who signs up to an ISO Support Plan!


Download our ISO 27002 changes Quick Guide here:

Dinesh Sharma (Director of Information Security Governance at Epiq)

Dinesh Sharma, Director of Information Security Governance at Epiq, joins us on the ISO Show today. He discusses ISO 27001, his in-depth experience of this standard, how it’s working for Epiq, lessons learned, and how he manages this globally for Epiq Global.

We are so excited to interview Dinesh! He has a wealth of experience in implementing frameworks like ISO 27001 and PCI DSS, ranging from developing information security policies and procedures and managing risk assessments, to delivering security training and awareness and overseeing internal audits. He also has expert experience in security management and governance, as his last 15 years have focused on information security.

You’ll learn about:

  • What Epiq does
  • What it means to be Director of Information Security Governance
  • Setting up a security team and managing it in terms of global responsibilities
  • Continual improvement at Epiq
  • Dispelling ISO 27001 myths
  • What has worked well for Epiq in relation to ISO 27001

First and foremost, let’s dive into what Epiq is and does…

What does Epiq do?

Epiq, primarily based in the U.S., is a global professional services company, operating in approximately 25 countries including Germany, Belgium, India, London and many more.

Epiq primarily provides support to the legal industry (law firms and the legal departments within large organisations). Their key service is e-discovery: where there is potentially an investigation, or two parties are about to enter litigation, certain processes need to happen around data collection, data review, forensics, processing and document review. Epiq can make all of this much more efficient and cost-effective for clients! Another core service Epiq provides is court reporting and transcription. Other services include business transformation, class-action support and a range of others.

Now, let’s find out more about Dinesh’s role…

Role at Epiq

Dinesh is part of the Global information security function at Epiq. They have a dedicated Global information security team to support the business.

Dinesh’s specific role is to lead the security governance side of things. This means that he manages and helps to define the information security policy set and Information Security Management System (ISMS) within Epiq. He also leads and coordinates the internal security assessments (part of which is internal ISMS audits as well as internal security audits across Epiq). He even reviews and provides input on contracts of clients and vendors around security clauses to ensure they align with the policies of Epiq. His team also delivers staff security awareness and training. Finally, his team manages security certifications including ISO 27001 (very relevant for today!).

So, let’s explore how a mature ISMS is managed…

How to go about setting up a security team and manage it in terms of global responsibilities?

At Epiq they have a dedicated team within their information security function for security operations. This team oversees the security toolset and monitors the alerts it produces, such as endpoint detection and the logging and alerting around network security. This security operations team also takes the lead on defining their processes and handling any security incidents. So, they have a separate team for this specifically.

They also have a separate team for security architecture and security engineering. These teams work very closely with the business to make sure that security is considered and embedded within the projects and new offerings Epiq has as a business, as well as developing their tools. So, if Epiq is looking to implement a new security tool, this team will be very involved in looking at the different vendors that provide that offering, how that would be embedded and work within the infrastructure of Epiq, and the environments with which they serve their clients. So, Epiq has got the structure of sub-teams within the security function well defined!

Of course, sitting on top of this, Epiq is very fortunate to have some very experienced and very qualified leadership come into that team. The governance and operations side is managed by a gentleman called Jason. He has lots of experience and brings experience from other industries he’s worked with. He has a peer called Andrew, who looks after the engineering and architecture side. Epiq also has a new Chief Security Officer (CSO) who is very knowledgeable and savvy. He is doing a really good job of lifting the profile of not only security within the organisation, but also Epiq’s security functions. So, they are fortunate to have that leadership as well.

This is fantastic…when organisations are starting with implementing an ISMS, we always find that leadership commitment is so key! It’s great to hear that Epiq has got a mature management system yet are still continuing to focus on leadership commitment and bringing that in from various angles across the organisation as well.

In terms of the ISMS then…

Epiq has got many other security standards, so what we want to know is how their ISMS helps them to manage all their activities.

Well, looking at the requirements of ISO 27001 and setting up an ISMS that works, Dinesh thinks the most important thing it gives an organisation, regardless of its level of maturity, is a clear picture of the basic components and principles of a framework that you should have in place, or should consider having. This is because if you want to go for certification to ISO 27001, then you must have some of these things in place.

Dinesh very much sees this as a baseline!

Once you establish that baseline and you’ve got the documentation, the processes which support the documents, and the staff in place who can deliver on those processes, you then think: ‘what can you do to increase the maturity?’

A big part of ISO 27001 is continual improvement. This is something Dinesh thinks is very important and puts a lot of focus on in his role. So, that’s all tied in with the internal security reviews and internal assessments that they do. But any feedback they get from the business, or any input or discussions they have with the business which raise or flag something, e.g. a potential blocker, are put onto their continual improvement register to work on with the team or the business area. It might be something they have to work on themselves. The important thing is to always look out for these kinds of things. That’s why this is a key area of focus for Dinesh, in his role, as he thinks about what can improve each step of the ISMS in Epiq.

However, a lot of companies, once they’ve completed the assessment, think that’s the job done. But you can’t put your feet up just yet! This is only the beginning of the journey, which is why Dinesh identifies this as the baseline and the foundation to be used for continual improvement.

So, let’s look at what Epiq has implemented in relation to continual improvement, which has been above and beyond this baseline.

Epiq and continual improvement

Epiq has implemented Critical Asset Reviews. They identified their 15 most critical assets and, instead of doing a full security review, they pick the 10 most important controls, plus other controls they think would deliver the highest level of security if they were in place. So, they have done a very focused security review, based on risk and on what they think their most important assets are. They dig deep into the risks and issues and, by acting on these, it moves Epiq to another level.

Now, let’s move onto the part where we dispel myths around ISO standards!

Dispelling ISO 27001 myths

Dinesh believes that a good understanding of ISO 27001 is needed to know what the standard actually means. There is a difference between being aligned and being certified to ISO 27001. So, an independent review of your ISMS is really important as it shows you haven’t just picked and chosen which parts of the core standard you’re going to implement. It shows that you’ve had to do them all and have had that verified and tested. This would provide a level of assurance to your organisation and stakeholders. That’s why there is such a big difference between being aligned to the standard and being compliant with it.

Finally, I’m sure our audience would love to know…

What has worked well from an information security perspective in relation to ISO 27001?

Dinesh identifies top-level management commitment within a business as the most crucial thing in any implementation of a standard. The business needs to understand the importance of information security. So, everyone needs to be aware of what the benefits are, what’s going on and what is important. Epiq does this during their management reviews, where all four of their CEOs attend. They take the management review section of ISO 27001 and cover most of it in their quarterly meetings, and because this is visibly supported by their CEO, the business leaders reporting to the CEO and all their directors attend the management reviews as well. So, they all understand what’s going on, what’s important and what the key risks are from the security team’s perspective. Having this conversation just makes everything a lot easier, according to Dinesh.

That’s it from Dinesh! We hope you enjoyed learning about Epiq’s journey…it’s inspirational to hear how Epiq is still developing, evolving, improving and still getting such fantastic commitment from the very top as well. It clearly demonstrates Epiq Global’s commitment to information security without a shadow of a doubt!

Contact details for Dinesh – if you have any enquiries or would simply like to connect with him, you can get in contact using one of the ways below:

Email: dsharma@epiqglobal.co.uk

Website URL: Epiqglobal.com

LinkedIn handle: uk.linkedin.com/in/dineshcsharma


Steve Mason is a Senior Consultant at Blackmores (UK) Ltd, and has a 100% success rate of supporting clients in achieving their ISO 9001 & ISO 27001 certifications on their first time.

With over 38 years of experience working with standards, Steve is incredibly knowledgeable about how to ensure companies get the best benefits when implementing new standards. Steve has never stopped advancing himself and continues to broaden his knowledge of new standards as they come into existence.

Today, Steve is back to discuss the new ISO 27017 (Information Security Controls for Cloud Services Standard), and why it is needed in addition to ISO 27001.

The current publication of ISO 27001 was released back in 2013, before cloud security was as big a concern as it is today. Due to this, it does not adequately cover cloud security, and hence the new standard ISO 27017 was released.

It is wise not to assume that the cloud is secure on its own; you need a provider that can demonstrate protection from hacking and guarantee your security.

There are 7 new controls that the standard brings –

  • 6.3.1 Shared roles and responsibilities within a cloud computing environment
  • 8.1.5 Removal of cloud service customer assets
  • 9.5.1 Segregation in virtual computing environments
  • 9.5.2 Virtual machine hardening
  • 12.1.5 Administrator’s operational security
  • 12.4.5 Monitoring of cloud services
  • 13.1.4 Alignment of security management for virtual and physical networks

In this episode, Steve talks through some of these new controls, explains why they’re so important, and describes who can benefit from implementing this new standard.

You’ll learn

  • How the standard works for both customers and providers.
  • How ISO 27017 works as a unique selling point for businesses.
  • The new controls and how they demonstrate security within the cloud.
  • The benefits of adopting ISO 27017.
  • How doing a gap analysis can help you to understand what cloud controls you already have in place.

Resources

In this episode, we talk about:

[01:30] Why it’s important to have a standard for cloud security when we already have ISO 27001.

[02:46] The type of new controls and how they make the standard ‘cloud effective’.

[05:37] Some examples of the new controls.

[07:20] The prerequisites you need before implementing ISO 27017.

[08:37] The type of certificate you get with ISO 27017.

[10:22] How ISO 27017 can set companies apart from their competitors.

[11:03] What the future for ISO 27001 and ISO 27017 looks like.

[13:03] Advice for anyone thinking of implementing the standard.

[14:20] The main benefits there are from implementing ISO 27017.

If you need assistance with implementing ISO 27017 – Contact us!


Steve Mason is a Senior Consultant at Blackmores (UK) Ltd, and has a 100% success rate of supporting clients in achieving their ISO 9001 & ISO 27001 certifications on their first time.

With over 38 years of experience working with standards, Steve is incredibly knowledgeable about how to ensure companies get the best benefits when implementing new standards. Steve has never stopped advancing himself and continues to broaden his knowledge of new standards as they come into existence.

Today, Steve is here to discuss ISO 27701 (Data Privacy), and why it’s so important to have in order to prove you are GDPR compliant.

Since the new European Data Privacy Laws were introduced in May 2018 there have been over 150,000 personal data breaches within Europe, and estimated GDPR fines total a little over 220 million euros.

Steve explains why GDPR is so important, how companies can avoid having data breaches, and what makes ISO 27701 different from previous standards.

You’ll learn

  • How ISO 27701 can help companies demonstrate compliance with the requirements of GDPR.
  • The ways ISO 27701 is different from ISO 27001 and why you need both standards.
  • Who you can share PII with while still maintaining GDPR compliance.
  • The correlations ISO 27701 has with ISO 27002.
  • The potential impact implementing ISO 27701 can have.

Resources

In this episode, we talk about:

[00:29] The big personal data breaches that have happened in the last 2 years, and the fines the companies received for not being compliant with the data protection laws.

[04:11] Why we have General Data Protection Regulations and what they are there to protect.

[06:36] What ISO 27701 is and how it helps companies be GDPR compliant.

[09:26] What PII (Personally Identifiable Information) is.

[11:41] An overview of ISO 27701 and what its main clauses are.

[14:04] What the two control sets of the standard are and what the difference between a data controller and a data processor is.

[17:20] How this standard helps companies know what needs to be put in place to be GDPR compliant.

[18:51] What makes ISO 27701 better than BS 10012 and why it will eventually completely replace it.

[22:14] What you already need in place to get ISO 27701 certified.

[24:10] The main benefits for companies of implementing this standard.

If you need assistance with implementing ISO 27701 – Contact us!


This episode we are joined by Mark Frudd, Managing Director and Founder of security and software development company TriplePs.

Mark’s here to tell us about the information security Standard ISO 27001. It’s brought his business countless benefits, allowed them to expand, and helped them win government contracts. But it hasn’t been all plain sailing; the ISO has brought up some unique challenges for Mark to overcome. He explains what these are, how he tackled them, and what he wishes he knew before embarking on this journey…

Mark Frudd is the Managing Director and Founder of software development company TriplePs, and a security expert. His work history revolves around the cybersecurity industry and delivering high profile public sector projects.

With a personal motto that IT and security don’t need to be expensive to be effective, Mark now focuses on providing affordable security and software solutions that meet the needs of both his clients and their end-users.

This episode, Mark is here to talk about his experience implementing and managing the information security standard ISO 27001. After putting the ISO into place his company quickly expanded in size, and Mark soon realised that the standard wasn’t being effectively implemented across his business.

He explains why this was, what he did to rectify it, and how he could have avoided it happening in the first place.

In his own words ‘An ISO isn’t just for Christmas, it’s there every single day. You don’t just manage it, you adopt it.’

Mark explains  how having ISO 27001 helped expand his business and why it’s so important when trying to gain government contracts.

Finally, he explains how following this standard has shaped TriplePs business strategy and the different benefits that it has brought to his business…

Website: https://www.triplepsltd.com/

Twitter: https://twitter.com/TriplePsLtd

Linkedin: https://www.linkedin.com/company/triplepsltd

You’ll learn

  • How Mark ended up implementing ISO 27001.
  • Why ISO 27001 is important for maintaining a high information security standard.
  • The challenges involved in implementing ISO 27001.
  • The benefits of following ISO 27001 and how it can help with expansion.
  • How Mark manages ISO 27001 across his business.
  • The importance ISO 27001 has when gaining government contracts.
  • Why Mark decided to bring in a specialist to help implement the standard properly.

Resources

In this episode, we talk about:

[00:33] Who Mark Frudd is and how he ended up implementing ISO 27001.

[01:04] Who TriplePs are.

[01:51] Mark’s history working in Butlins, and what he learnt there.

[02:51] The type of security work TriplePs does.

[05:35] Why TriplePs decided to work with Blackmores when implementing the ISO 27001 procedure.

[07:22] What Mark’s role in TriplePs is and what his daily work life looks like.

[09:00] What the process for implementing ISO 27001 looked like.

[11:16] The importance of maintaining the right ISO standards when your company goes through rapid growth.

[13:18] The importance of adopting ISO standards into the heart of your business’s culture.

[15:52] How ISO 27001 has shaped TriplePs business strategy.

[18:57] The best way to implement a new ISO standard.

[20:51] The benefits involved with following the ISO 27001 standard.

[23:34] Mark’s favorite book.

[24:36] How ISO standards are a constant and not ‘just for Christmas’.

[25:27] How to find out more about TriplePs.

If you need assistance with implementing ISO 27001 – Contact us!


Yousif Rajah is the Head of Info Sec at dotdigital, a UK-based tech company that builds software-as-a-service solutions to help customers engage with their clients. He coordinated most of the work involved in creating the ISO 27001 system and recently contributed to dotdigital becoming ISO 27001 certified.

“It sounds daunting and it feels daunting, but if you have a programme in place already, chances are you’re quite a long way down the road already.” – Yousif Rajah

Picture this: Your digital marketing company is expanding, and you know you need to comply with data protection requirements, protect your reputation and demonstrate to customers that you have taken the steps to protect your business and their personal information. You’ve heard of the importance of becoming ISO 27001 certified but are unsure where to start. Join us today as our guest, Yousif Rajah, explains his company’s journey in becoming ISO 27001 certified, the changes he has noticed since implementing this ISO standard, and how you can get started on becoming certified today.

Website: https://dotdigital.com/contact-us/

You’ll learn

  • What dotdigital is, what it provides, and what Yousif’s role is
  • The company’s main driver behind implementing ISO 27001
  • How long it took to become ISO 27001 certified
  • The scope of the ISO 27001 certification
  • The gap analysis, and closing the gaps to reach the standard
  • The benefits and risks associated with expanding globally while maintaining the ISO 27001 standard
  • The benefits, in general, of implementing ISO 27001
  • Tips for implementing ISO 27001

In this episode, we talk about:

[01:13] What does dotdigital do?

[02:14] Something not many people know about Yousif

[03:34] Main driver behind implementing ISO 27001

[04:57] The journey of becoming certified and going through the assessment 

[05:52] What is the scope of the certification?

[07:56] What was the biggest gap in the gap analysis?

[09:16] Closing the gaps and the difference it made within dotdigital

[11:04] The benefits of certification on a global scope

[12:35] What Yousif has learned since implementing ISO 27001

[13:28] Main benefits to dotdigital in achieving certification

[15:30] If you could give any tips to someone implementing ISO 27001, what would they be?

[16:11] If you could gift a book to somebody what would it be and why?

[16:49] Favorite quote to leave listeners with 

Need assistance with ISO 27001? – Contact us!


A question we often get asked at internal audits is ‘Have I passed?’ The question is irrelevant: we are auditing a sample of the business processes, not the individual, and in the real world no business is perfect. It is not about pass or fail, and is a bare ‘pass’ even good enough? It’s about making sure you’ve got robust systems in place to meet your clients’ requirements and reduce risk, so you don’t fail your clients’ or your business’s own high standards.

Embedding an information security system doesn’t happen overnight. It takes time to establish a system, so it becomes part of an organisation’s DNA.

In our final podcast episode on how to implement ISO 27001, Steve Mason, Senior Consultant at Blackmores, takes us through the last few months of an ISO 27001 project. This stage generally takes three months, because it is a UKAS requirement that the system is ‘established’ prior to the assessment.

It is helpful to audit all aspects of the ISMS before your assessment; however, you need to take a risk-based approach and align the audits with the organisation’s needs.

Steve Mason talks us through a typical internal audit and what to expect. Each auditor has a different style and each business is unique, so it can never be a tick-box or one-size-fits-all exercise. Each company will interpret the standard differently, and assumptions cannot be made.

A typical audit of Human Resources in relation to information security could take 45 minutes. Questions could cover new employee screening, information security training records, and responsibilities, i.e. job descriptions. In some cases it may even include looking at an example of your employees’ terms and conditions to see whether the disciplinary section covers the scenario of a security breach caused by an employee (breaches caused by employees, whether accidental or intentional, are among the most common).

Avoiding ‘death by audit’

Although it is essential for internal audits to be completed prior to an assessment, Steve also recommends planning the audits over a three-year cycle to avoid ‘death by audit’ and to align them with the period for which the certificate is valid (three years from assessment).

Information Security Health Check

The final step is to ensure that top management are available for the Information Security Management Review Meeting. The purpose of this meeting is to bring together the expertise within the business on information security, so that senior leaders are informed of the ‘health’ of the business and can make decisions that allow improvements to be made.

ISO 27001 (clause 9.3) sets out the inputs that need to be covered at the management review. Some companies take the approach where all parties are involved for the duration; a more time-efficient approach is to have the key players present throughout and bring in specific expertise as and when needed, for a short period of 10 to 15 minutes. The Management Review Meeting shouldn’t be seen as an arduous task but as a useful exercise to review the effectiveness of the system: What are the security incident trends? What is IT monitoring (e.g. anti-virus, penetration tests), and is that monitoring analysed and effective? Have actions and non-conformances been addressed, and has the action taken been effective? By bringing together your organisation’s technical skills and data, you will have a thorough ‘Security Health Check’ so that management can understand what needs to be done to try to prevent damaging incidents and continue to empower a positive culture of security.

Join us on the podcast to hear more about the final stages of an ISO 27001 project, including the last, but not least, clause, ‘Continual Improvement’, and how Steve uses the ‘5 Whys’ root-cause technique to get to the root of a business’s problems.

See our ISO 27001 Steps to Success programme for further information.


Premier Healthcare

Premier Physical Healthcare is a subsidiary of Totally PLC and a leading provider of a wide range of healthcare services, which include physiotherapy, podiatry and mobility assessments.

Blackmores congratulate Premier Physical Healthcare on retaining their ISO 27001:2013 Information Security certification at their first Continuing Assessment visit, with no non-conformities.

Internationally recognized ISO/IEC 27001 is an excellent framework which helps organizations manage and protect their information assets so that they remain secure in confidentiality, integrity and availability. It helps you to continually review and refine the way you do this, not only for today, but also for the future. That’s how ISO/IEC 27001 protects your business, your reputation and adds value.

Certification body: BSI


What our clients have to say

“The support and advice I get from our assigned auditors is immense. Forward planning for the following year is great and they are flexible and always willing to help.”

Kalil Vandi

“Blackmores have assisted us almost since the start of our adoption of the ISO 9001 quality standard. Their input has improved our processes since the start, and enabled our goal of continuous improvement to be achieved. The people are also extremely easy to get on with, and they really understand our business, giving us a great deal of confidence in their advice.”

David Gibson

Photon Lines Ltd

“Blackmores are the perfect bridge between working on your ISO as an individual or company, to being audited each year.  We find that any queries we have are covered and we feel sure that we have everything as needs be before going into an external audit.”

Mandy Welsby

Jaama Ltd

“We have been extremely impressed with the service and support provided by Blackmores. Their knowledge and assistance throughout our ISO journey has been amazing!”

Philip Hannabuss

Dome Consulting

“Blackmores have really kept us on our toes with the broad scope and level of detail they apply to our internal audit schedule. They always stay abreast of ISO standard changes and help us to adapt our processes and documents to embrace these changes accordingly. Having Blackmores shadow our external audits provides invaluable confidence and peace of mind – would highly recommend their services!”

Phil Geens

Kingsley Napley

“Our ISO 27001 certification project has gone so well, that there was no doubt in who we were going to ask to help us with our aspirations of becoming ISO 14001 certified. It’s been an absolute pleasure working with Blackmores, and we are really looking forward to working with them for the foreseeable future.”

dotdigital

Trusted by leading organisations across all sectors, we support companies of all sizes in any location.
