A Director’s perspective: Why I implemented ISO27001
Veracity achieved ISO27001 certification in August 2024. Why did we go to the trouble, distraction and expense of implementing an information security standard?
As a company owner and executive in the business, one thing that has kept me up at night over the last few years has been the implications of losing our corporate and client data.
As an IT services consultancy, we had implemented the usual cybersecurity hygiene practices such as multi-factor authentication and access controls, as well as a number of advanced technical protections, but I still felt disquiet that the business was exposed, since most incursions result from human error or some kind of social engineering or trickery. Who hasn’t received phone calls from scammers purporting to be IT technicians ready to remotely update your computer, or emails confirming that an unordered parcel is ‘on its way’?
Essential Eight Cybersecurity Framework
We have implemented the Essential Eight cybersecurity framework in our own business and for many clients. We found that this framework is a helpful starting point for boards and management teams beginning to wrestle with cybersecurity, but it is not the end game. It is a useful checklist of operational technical controls that can be regularly monitored. However, it only covers Microsoft environments and does not consider non-technical controls such as data culture and strategy development or policy and process documentation. For instance, the Essential Eight won’t help the business determine its cybersecurity insurance premiums; prevent staff members from clicking a fake link, unwittingly opening a digital door to your corporate IT environment; or capture the key steps for staff to follow should we encounter a Denial-of-Service (DoS) attack or CryptoLocker threat.
Increased Data Privacy Risks
Additionally, since the Optus and Medibank incidents of 2022, the regulatory stakes have risen considerably. The whole country learnt that most of the 20 million mobile and insurance customers affected were not overly concerned about the cybersecurity practices of these companies; they were most worried about the potential personal effects on their privacy. Would their identities be stolen? Would they become targets for future scammers? And why did these companies hold their personal information for so long, when many were no longer customers? Corporate Australia’s disconnect from customer concerns was breathtaking; to paraphrase: ‘since no bank details were taken, the breach wasn’t that serious for customers’.
These landmark data breach events made me realise that while most businesses around Australia, including my company, had implemented reasonable preventative cybersecurity measures over the last decade, most organisations were laggards when it came to data privacy.
New Privacy Legislation
New privacy legislation about to be introduced in Australia in late 2024 or early 2025 will give individual customers far greater access to personal data held by companies and rights of erasure. What personal data will customers have access to? Where will it be held? How easy will it be to retrieve, return or destroy? What is the legal definition of ‘customer data’? These are policy, process and legal questions – many of which remain untested – not the familiar technical domain of cybersecurity.
To help me sleep at night, and to face up to the privacy challenges ahead, I would need to implement a ‘whole-of-business’ strategic data management approach that covered data strategy, policy development, processes and procedures as well as technical controls. I needed a model that set the cultural tone for data management at Veracity, that provided leadership and direction for staff and third-party holders of our corporate information to unambiguously follow.
Information Security Management Systems
There are two globally recognised Information Security Management Systems (ISMSs) available. Although they were originally conceived to address cyber threats, they are both currently being overhauled and expanded to cover data privacy and Generative Artificial Intelligence (Gen AI).
One ISMS option is the NIST Cybersecurity Framework, developed by the US-based National Institute of Standards and Technology (NIST) and favoured across North America. The other choice is ISO27001, a leading standard preferred in Europe and Australia.
What attracted me to these standards was that they are both whole-of-business risk management approaches requiring focused attention on data governance, strategy, culture, policy and processes. I selected ISO27001 simply because it is the market leader in Australia, with an abundance of trained practitioners and certifiers ready to help implement a tailored framework to suit the size and complexity of our business.
Navigating Business and Productivity Distractions
In selecting ISO27001, one hesitation I had was the potential distraction, productivity lapse and increased workload on staff being diverted and absorbed into completing ISO tasks. This concern was quickly allayed when I discovered that we could build our ISO27001 framework online by engaging a recognised compliance platform provider. This would enable us to develop our framework in our own time, at our own pace, with minimal disruption when staff were available. We chose the compliance platform provider – de.iterate – to assist us, which proved to be an excellent decision.
Achieving ISO27001 Certification
I am delighted to confirm that Veracity achieved ISO27001 certification in August 2024 after chipping away at it for the last twelve months or so. ISO27001 gives us so much more than the Essential Eight. We now have a recognised, consistent Information Security risk management system in place where we can strategically assess all kinds of data risks including emerging AI technologies. With the core risk assessment approach embedded, it will be relatively easy to extend to data privacy related priorities, particularly regarding corporate and client data held by third parties.
I do sleep better knowing that ISO27001 is in place at Veracity. It gives me comfort that all staff – casual, part-time and full-time – have read and understood our data policies. It is also reassuring that where we had policy gaps, our ISO platform provider, de.iterate, had templates available that we could quickly and easily tailor and implement for our purpose. It is also a great relief to realise that should we be exposed to an incursion, we have clearly documented response plans in place with clear processes to follow. It’s no different from having an office fire plan, only it relates to data security and privacy. Organisationally, ISO27001 provides the method to embed a healthy data culture at Veracity where all staff viscerally understand the value and importance of data.
From a market-facing perspective, federal and state government procurement rules are steadily requiring service providers of all sizes to have a recognised ISMS implemented and operational to be eligible to bid for government contracts. The ISO standard also provides clients with comfort that their data is being handled with the care and respect it deserves.
In summary, as a business owner, I am very glad we have implemented ISO27001 at Veracity. Although we are probably an early adopter for a business of our size, it won’t be long before ISMS standards like ISO27001 are the norm in all Australian organisations.
Considerations before implementing an ISMS like ISO27001
- How much time and resource is your organisation able to commit to this endeavour?
- What are the strategic benefits in implementing an ISMS for your organisation?
- What timeline is realistic for achieving certification?
- How will we involve our workforce and what training/upskilling will be required?
- Can my IT partner assist with the process?
Get in touch
If you need assistance navigating the privacy landscape or the current privacy and data governance posture for your organisation, please get in touch. We’d love to help.