Krescendo has achieved ISO27001:2013 certification. It has required commitment and hard work and we are proud of it.
ISO27001 is the international standard for an Information Security Management System (ISMS). Initial certification is carried out after a two-stage audit and is followed by annual re-certification for the next two years. After that, the full cycle is repeated from scratch.
In this post, I want to share the perspective of a small Software-as-a-Service (SaaS) company in pursuing the ISO27001 standard.
We took the decision to seek certification a year ago, conscious that the regulators were raising the bar in matters of control, risk, transparency and security throughout the financial industry.
Before then, we had relied on collaborating with our clients’ information risk departments, actively responding to all sorts of audit requests. With the increased frequency and heightened sensitivity of these audits, it became clear that we had to “industrialise” our processes.
Our first step was to benchmark ourselves against best practices within our sector. We did this by getting up to speed with the work of one of the leading independent organisations for security assurance within Cloud Computing: the not-for-profit Cloud Security Alliance (CSA). To promote transparency, the CSA encourages participant firms to publish, for free, a Security Disclosure within their CSA STAR Registry. This self-evaluation helped us refine the scope and coherence of previously disjointed processes.
As the next step, we decided to pursue ISO27001:2013 certification. We contacted well-recommended specialists, the BSI Group, and took the option to start with a one-day pre-certification audit. Given the costs involved in obtaining and maintaining the standard, this is something I would thoroughly recommend before embarking on Stage 1 (3 days) and Stage 2 (2.5 days).
Pre-certification gave us a measure of what we had already achieved and what was required to bridge the gaps. At that point, we had already invested several months in getting the fundamentals right: well-documented, comprehensive policies and procedures complemented by infrastructure and work-environment adjustments to tighten discipline, particularly in areas such as vendor management, physical & logical access and segregation of duties.
After a few more weeks of focused work, our efforts were crowned by achieving certification: the thorough preparation made it feel almost easy.
From pre-cert to the end of Stage 2 it took approximately 5 months. However, once attained, the standard requires measurement and continuous improvement (a robust system will make this easy: small incremental efforts rather than big “catch-up”, reactive exercises).
So, was this all worth the costs and efforts? …Yes:
– internally, we have significantly lowered key-man dependencies and created clearer boundaries within which employees can operate;
– externally, when dealing with client-driven audits, what might have taken 2-3 weeks now takes hours. Also, more and more new clients require evidence of an embedded Information Security Management System prior to signing a contract: it’s not just useful, it’s essential to getting the business.
In our experience, committing to an externally certified standard is an investment that leads to higher quality, improved client perception, less risk at a lower overall cost: well worth it.