SEP2 are accredited for information security to the International Standard
Background
SEP2 are cyber security specialists who have a proud tradition of compliance, awards and qualifications. SEP2 operates a strictly secure environment that is consistently audited internally and externally. Since its inception, SEP2 has been accredited to the ISO 27001 standard – an internationally recognised measure of security. This process needs regular re-certification, and SEP2 are proud to announce a successful re-certification in 2021.
What is the ISO 27001?
The International Organization for Standardization, or ISO for short, is an independent organisation that governs a multitude of international standards aimed at delivering best practice.
Of particular relevance to SEP2 is the ISO/IEC 27001:2013 standard, which covers information technology, security techniques and information security management systems. In short, ISO 27001 is the world’s leading standard for information security.
To answer the question ‘What is the ISO 27001?’, it is important to identify three aims:
To ensure confidentiality
The information security standard ensures that only authorised personnel will be able to access specific information.
To ensure data integrity
In order to ensure that data integrity is maintained, the ability to change information is governed by a strict authorisation process.
To optimise availability
The aforementioned authorised personnel must be able to access appropriate information when it is required.
The standard works by looking at the information security management system (ISMS) within a business. Since SEP2 are cyber security specialists, there is a dual goal: ensure that SEP2’s own ISMS is sound, and in doing so ensure that the services and solutions they provide to their clients will also be best in class.
An ISMS is essentially a set of rules governing:
- The understanding of all stakeholders’ expectations of a company’s information security
- The risks that may be inherent around information and data
- A system for safeguarding against and mitigating these risks, including:
  - The implementation of these mitigation methods
  - Objectives around what needs to be achieved
  - Ongoing measurement of mitigation methods
  - Ongoing improvement of the ISMS itself
However, no ISO process is a tick-box exercise. The process is holistic, highly rigorous, and encompasses the following business areas:
Organisational context
An ISMS is not a one-size-fits-all solution. Every organisation is different, and the ISO27001 standard needs to ensure that the process has been adopted in a manner that is contextually effective.
Leadership
All management systems need to be sponsored from the top of the organisation, or else they will fail. The ISO27001 process interrogates the commitment of the management team and needs to be assured that roles and responsibilities around information security are correctly assigned.
Planning
An ISMS is not a quick fix. It needs to be synergistic with a company’s strategic goals and objectives which, in turn, must be effectively communicated across the organisation.
Support
The ISO27001 programme will unearth training and development needs. How will a company address these, and how will they be assessed? Can the company ensure that there are no skills gaps?
Evaluation
The 27001 standard mandates performance evaluation: Monitoring, measurement, reporting, analysis and ultimately evaluation of the ISMS.
Improvement
If the results of the audit indicate, as is likely, areas for improvement, how will these be addressed?
Furthermore, a culture of continuous improvement (C.I.) is essential to a successful ISMS. Threats do not stay the same; risks are constantly changing. As such, the standard can only be successfully attained if a company is able to evidence an ingrained C.I. culture.
The Process
Since the ISO process looks at knowledge, process, behaviours and audit, the 27001 standard not only judges the company’s security offering but in effect validates what it is that SEP2 stand for: their claim to be “Tech-Driven and People-Powered”.
SEP2 achieved the ISO standard in the year the business was established, and they recognise the importance of regular recertification. Any ISO standard is only granted to companies that can evidence best-in-class standards. As such, the ISO process is a rigorous, cross-company process.
Whilst 27001 is perceived as an IT accreditation, the SEP2 view was that everyone in the company had to be integrated and invested in the process. One example of this was the Customer Relationship Management software (CRM) which is used by the sales team and which contains confidential client information. It is important that assets like this are identified and ownership is agreed upon.
SEP2 set up formal communications to explain the re-certification process and ensure that all staff were aware of their responsibilities. This gave SEP2 an opportunity to reaffirm why their tech and information security as a whole is so crucial in today’s world.
In fact, ISO27001 requires the creation of an Information Security Management committee that includes cross-company representation. This committee meets for a monthly scheduled meeting and follows a regimented agenda.
Achievement
SEP2 successfully achieved the re-certification, an achievement that was celebrated across the business.
SEP2 are keen to express the value that they believe has been added by the ISO process. This includes increased security awareness among apprentices who have only recently started with the company.
SEP2 also have a heightened awareness of the importance of measurement, for example with risk analyses.
As SEP2 continues to grow its operation, it sees ISO registration as an important part of communicating its credibility to stakeholders. SEP2 maintains that ISO is crucial to the process and vendor verification, whilst simultaneously making the company more likely to convert new business.
Achieving ISO27001 goes alongside other accreditation achievements such as the government-backed Cyber Essentials scheme and their many vendor qualifications.