ISO27001 and ISO27701
Background
Our Cyber Essentials and IASME Governance certifications, held since 2015, had already helped shape our cyber security procedures and drive our own GDPR compliance, but Helen was keen we should remain at the forefront of cyber security and data protection best practice. Having sat on the committee for the development of ISO27701, Helen was determined that we would become one of the first UK companies to be certified to both ISO27001 and ISO27701 standards.
Client: Risk Evolves
Category: ISO Standards
Tags: ISO Standards
Company background
Following a career at IBM, Helen Barge founded Risk Evolves in 2015 to enable SMEs to gain the same competitive advantages as bigger businesses through compliance. Keen to practice what she preached, she guided Risk Evolves through its own IASME Governance and Cyber Essentials certification in 2015 and ISO9001 certification in 2018.
The need
By 2019, we’d developed into an award-winning consultancy with clients across the UK, many of them attracted by our expertise in data protection. Since GDPR had been introduced a year earlier, there had been an increased focus on data privacy in supply chains, leaving many businesses struggling to prove their compliance.
Our Cyber Essentials and IASME Governance certifications, held since 2015, had already helped shape our cyber security procedures and drive our own GDPR compliance, but Helen was keen we should remain at the forefront of cyber security and data protection best practice.
Having spent much of 2017 and 2018 supporting clients through the GDPR, and being only too aware of the emergence of GDPR-like legislation around the globe, such as the California Consumer Privacy Act, Helen was sure that the new Privacy Information Management Standard (ISO27701) would follow in the footsteps of the Information Security Management Standard (ISO27001) by becoming a popular requirement in supply chain questionnaires.
Having sat on the committee for the development of ISO27701, Helen became determined that we would become one of the first UK companies to be certified to both standards. This would enable us to strengthen our own information and data security and share our experience with clients keen to achieve a competitive advantage by doing the same.
Helen comments, “Since founding Risk Evolves, I’ve been adamant that we’ll never ask a client to do something that we wouldn’t do ourselves. However often you support other businesses through certification, implementing standards in your own business gives you a different take on things. It makes you more understanding and flexible in your approach and very aware of some of the challenges of the implementation. I therefore wanted to develop our practical experience of these standards before our clients were asked for them.”
Integrating our systems
In order to fully reap the benefits of our new certifications, we needed to integrate them into our ISO9001 compliant Quality Management System. Although we’d already supported a number of clients through ISO27001, this would be the first time that we’d integrated the new standard alongside it.
Fortunately, some of the most popular ISO standards have been designed to operate in harmony as part of an Integrated Management System. Their shared structure (Annex SL) simplifies the integration process, improving efficiency and reducing costs.
Having benchmarked our existing processes, policies and procedures against the new standards, we developed an action plan to achieve full integration and compliance.
The stepping-stone to ISO27001
With a tight deadline in mind, our IASME Governance certification stood us in good stead. A popular alternative to ISO27001 for smaller businesses, it ensured that we already met 80% of ISO27001’s stringent requirements. Having supported businesses converting from IASME Governance to ISO27001 in the past, we knew exactly where to focus our attention: on implementing measurable objectives, scheduling regular internal audits and formal management reviews, and incorporating more risk-based controls.
Working to a new standard can be nerve-wracking for any business, but the pressure is really on when you’re a GDPR consultancy keen to be one of the first to hold a new and prestigious data privacy certification!
Again, our IASME Governance certification gave us a head-start thanks to its GDPR assessment. Helen explains, “Thanks to IASME Governance, many of our GDPR policies and procedures were already clearly documented and regularly reviewed. Having ISO9001 in place also helped as we leveraged the work already done on supplier management and risk management as well as already understanding how an integrated management system should run.”
Auditing the auditors
Helen took advantage of the quiet period between Christmas and New Year to get the ball rolling. Within 12 weeks, we were ready to be audited. Helen explains, “We were extremely fortunate. Not only had our ISO9001 auditors embraced ISO27701, unlike some other global certification bodies, but they scheduled our two-day ISO27001 audit and one-day ISO27701 audit the week before lockdown.
It’s never easy for us to be audited, after all, as experienced auditors ourselves, we’re normally on the other side of the desk! It’s harder still when the audit is for a new standard and everyone is finding their feet. However, we’ve worked with NQA for a number of years already and it was a privilege to be the first client they certified to ISO27701.”
“We are very proud of Risk Evolves’ recent certification achievement, becoming NQA’s first client for the newly published ISO 27701:2019 privacy information management standard. This demonstrates remarkable forward thinking and dedication to best practice within cyber security and risk management. I’d like to extend my huge congratulations to the whole team at Risk Evolves for their continued hard work and commitment to standards and the certification industry.”
Laura Fletcher, Commercial and Customer Experience Director at NQA
Get the ball rolling
Are you interested in either of these standards? Please contact us to schedule a free no-obligation discussion.