ISO 27001 was developed by the International Standards Organisation to provide a standard framework for information security management. If your organisation achieves this accreditation, you can confidently say you are handling your B2B data in the best way possible.
At Cognism, we recently achieved ISO 27001 certification. We interviewed Megan Bennett, our Compliance Officer, who was instrumental in this superb achievement. Megan explained how Cognism did it, as well as how you can do it too.
Why ISO 27001?
Before we talk about how to achieve ISO 27001 certification, let’s look at why you would need it.
In today’s connected world, there is so much focus on information and cybersecurity. Barely a week goes by without a household name organisation becoming embroiled in a data security story. For scaling SaaS companies who have data at the heart of their business, information security isn’t just essential; it has to be seen to be essential.
Achieving ISO 27001 is also a sound commercial decision. Many customers now look for ISO-compliant companies when selecting SaaS products to try. Deals can be won or lost on the back of it!
Finally, ISO 27001 is an accreditation respected worldwide (although the USA has its own accreditation system).
Now, let’s look at the 5 steps to achieving ISO 27001.
1 – Choose the right consultant
To achieve ISO 27001 certification as quickly and smoothly as possible, it’s advisable to bring in an expert. This is especially true for scaling companies who have limited resources.
There are many ISO 27001 consultants with experience in helping companies get accreditation. They will partner with you and guide you through the process, providing a framework for you to improve your information security.
2 – Perform a gap analysis
A gap analysis is a comprehensive review where you analyse whether you are meeting your business requirements for software and information systems. You do this by assessing the current state of your business information systems, then identifying their future state. It’s looking at where you are now versus where you want to get to.
How do you bridge the gap between the two? You may need to put in new ways of working, or new standards. Perhaps you need to review and refresh your internal documentation.
3 – Implement the new processes
Now, it’s time to carry out the recommendations you produced in your gap analysis. This is not as easy as it sounds. It could involve changing your workplace culture. Some colleagues may struggle to adapt.
It’s crucial that you get buy-in from senior management to your proposals. It’s all about putting information security at the heart of your business.
4 – Perform test audits
Achieving ISO 27001 certification requires an audit from the ISO. It is essential that when the auditors come, you can provide them with all the information they need quickly and easily. Of course, it all has to be correct.
Megan recommends that in the 6 months leading up to the ISO audit, you perform test audits once a month. That’s 6 audits in total. Test audits under strict conditions will help you get the business ready for the real thing.
Test audits can be stressful. You will need all your people management skills. Don’t be afraid to challenge colleagues if they are doing things wrong, or if you can spot areas for improvement.
5 – Manage the audits
The ISO auditors will come into your business and sit with you, interview employees, ask questions and review your documents. The number of days that they visit you will vary depending on the size of your organisation, but for us, it was 4-5 hours across 3 days.
Make sure the audit goes smoothly by preparing everyone in the business for it. Send reminder emails before the audit highlighting important points and things to remember.
Don’t be too nervous though. In Megan’s experience, the auditors are not looking to mark you down. They are looking to see things that are going well.
And that’s it! If you follow our 5 steps, you’ll find securing ISO 27001 a painless process.
One more bonus tip from Megan – remember that once you pass ISO 27001, it doesn’t end there. The auditors will be back every year to check that everything is still in order. Keep your business prepared for this by conducting regular internal reviews and test audits, to make sure all conditions and new processes are being followed.
Cognism is proud to be an ISO 27001 certified company. To see our full press release, please click here.
For more information on Cognism and everything we do, follow us on: