At Cutover, we recently underwent our first ISO 27001 (ISO/IEC 27001:2013) re-certification audit as part of the three-year certification cycle. ISO 27001 is an internationally recognized standard that lays out the specifications for implementing and maintaining an Information Security Management System (ISMS), ensuring best security practice for people and processes. These audits are a great opportunity for Cutover to conduct a detailed review of our processes and demonstrate our continued maintenance and improvement of information security.
ISO 27001 certification is not a single event, but an ongoing process to ensure that Cutover complies with the requirements of the standard. For many organizations undergoing this process, or a similar kind of audit, it can be a big organizational burden with a lot of moving pieces to manage (at Cutover we have 168 different points of reference in our Statement of Applicability (SoA) that we have to provide process or evidence for!) so we wanted to share our experiences and what we’ve learned.
What is ISO 27001 trying to achieve?
The main aim of the ISO 27001 accreditation process is to show that you have implemented an effective ISMS, supported by policies and established processes for each control statement, which, in turn, cover all aspects of information security at a company. You have to demonstrate that, as a unit, the company and all its members can maintain alignment with and continually improve information security best practices.
Creating a good foundation
Having the ISO 27001 certification helps to immediately establish a foundation of trust with our current and prospective clients. It is a stamp of approval on our information security framework to protect data, reduce risk and constantly improve our processes to mitigate evolving threats.
Another advantage of accreditation is the overlap between ISO 27001 and other valuable certifications, such as ISO 22301 for Business Continuity and SOC 2 Type 1 alignment, paving the way for future accreditation as our company grows.
The first stage of accreditation is establishing which of the ISO 27001 controls are in scope for your company and providing justification for those you believe are not applicable.
During an accreditation audit you can expect to go through each control area detailed in the Statement of Applicability (SoA) in a significant amount of detail, so having accurate policies and associated processes for each area is paramount to success. Accreditation is a company-wide effort; all employees should be considered key stakeholders in the process, particularly senior management, as they ensure information security objectives align with wider business objectives.
Maintaining the ISO 27001 accreditation and overall good information security practices can be a challenging task for companies going through growth periods, as new people and new processes are introduced over a short period of time. It is vital to ensure that all employees are aware of and understand their role in information security, adhering to a ‘security first’ approach.
During surveillance or re-certification audits, you will be expected to demonstrate that regular internal and external checks are being carried out throughout the year to help maintain compliance. At Cutover, we meet with an independent information security consultant on a quarterly basis to perform a management review and performance evaluation on our operational processes. This is on top of internal departmental checks and balances which are performed on a regular basis.
Tools for success
We use Atlassian’s Confluence as the home of our Information Security Management System (ISMS). The content controls available allow us to clearly outline the ISO 27001 framework including how we meet each requirement and Annex A Control.
For some aspects of the controls, we utilize Cutover runbooks to demonstrate the process and ownership of each task, with the added benefit of being able to evidence the date and time it was last completed. This is particularly valuable when evidencing our business continuity process and testing schedule, and our third-party due diligence checks.
ISO 27001 re-certification result
We are pleased to announce that Cutover has been re-certified for ISO 27001 following our audit in February 2021. This fantastic result is a great testament to all the work our team does and our continuous focus on putting security first. We have now held the certification since 2018 and are looking forward to continuing to improve the effectiveness of our controls in 2021 and beyond.