Hello from the Jumping Rivers team! Today, we’re taking a moment to chat about our recent achievement – becoming ISO certified.
What is ISO 27001 and Why Does It Matter?
ISO 27001 is an internationally recognised standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability. The standard outlines a framework that helps organisations identify and manage information security risks, implement appropriate controls, and continuously improve their security posture.
In today’s digitally driven world, where data breaches and cyberattacks are rampant, ISO 27001 offers a proactive approach to safeguarding sensitive information. It not only helps companies protect their own data but also builds trust with clients, partners, and stakeholders by demonstrating a commitment to maintaining robust information security practices.
Why We Chose the ISO Path
A couple of reasons nudged us towards these certifications:
- The clients we interact with often required them.
- It presented a brilliant opportunity for a bit of introspection. Were our current security practices up to scratch? We were keen to find out.
Data comes in all shapes and sizes. It can often be difficult to know where to start. Whatever your problem, Jumping Rivers can help.
Our Route to Certification
While it was an enlightening six months, it wasn’t without its hurdles. We had to sift through our security practices and ensure they were robust. The real task, however, was fostering a company-wide understanding that security isn’t just an IT department’s concern – it’s everyone’s business. We enlisted the help of a consultant who really knew their stuff. They guided us through the intricacies of the ISO standards, ensuring we were on the right track.
The Statement of Applicability: An Analogy
Personally, my favourite exercise in the standard is the Statement of Applicability (SoA). Think of the SoA in the context of building a house. Imagine you’re constructing a new home and you want it to be safe and secure for your family. You wouldn’t just randomly choose security measures; you’d assess the risks, identify potential vulnerabilities, and then decide which security features to include.
Similarly, the Statement of Applicability is like the blueprint for securing your organisation’s digital “house.” It’s a crucial component of ISO 27001 implementation. The SoA lists the specific controls from the ISO 27001 standard that your organisation has chosen to implement based on its unique risk profile. These controls act as the security measures that protect your sensitive information. Just as you wouldn’t install an alarm system in your home if you live in a crime-free neighbourhood, you wouldn’t implement certain controls if they aren’t relevant to your organisation’s operations and risks.
The SoA ensures that your information security efforts are targeted, effective, and aligned with your business objectives. It’s a dynamic document that evolves as your organisation grows, risks change, and technology advances. Just as you might update your home security system as new threats emerge, you’ll revise your Statement of Applicability to adapt to evolving cybersecurity challenges.
An example of a control we’ve excluded from our Statement of Applicability is “Cabling Security,” which pertains to safeguarding power and telecommunications cabling carrying data or supporting information services. This control emphasises protection against interception, interference, or damage to physical cabling infrastructure.
Our decision to exclude this control stems from our company’s primary mode of operation, which is rooted in remote work and cloud-based infrastructure. Given that we extensively leverage major cloud providers for our server architecture, our reliance on physical on-site cabling is significantly limited. The inherent nature of cloud-based systems means that the responsibility for cabling security largely falls under the purview of these established providers.
By creating a well-thought-out Statement of Applicability, you’re essentially tailoring your security “blueprint” to fit your organisation’s needs, making your ISO 27001 implementation not just a compliance exercise, but a strategic decision that aligns with your business goals and risk appetite.
The Post-Certification Landscape
Since waving our ISO certificates about:
- We’ve noticed more of a focus on processes across the company. They have become clearer and more streamlined. It’s less winging it, and more standardised and easy to follow instructions.
- The procurement process with clients? It’s been smoother sailing. That certification tends to be the seal of approval many are looking for.
Staying the Course
We’re not ones to become complacent. We have a risk treatment plan in place to implement over the coming year up to our next audit, as well as regular internal audits on the horizon, so we’re all set to keep our standards sky-high.