If data security isn’t on the top five list of things you worry about as a manager or business owner, then your list probably needs a rewrite. The data we hold about our staff, partners, contacts, suppliers, prospects and clients can be extremely sensitive, and the loss of that data can have dramatic consequences. A breach of GDPR compliance can lead to a fine of 20 million euros or 4% of your turnover, whichever is higher. The Information Commissioner has imposed fines of up to £200,000 on companies that have been found to have permitted data breaches to occur. Make no mistake, a significant data breach is a small business killer.
Data protection & breathe
The data we hold at breathe would keep Sleeping Beauty awake worrying and give Rip Van Winkle nightmares. We hold sensitive information about a quarter of a million UK employees, including everything from personal contact details to disciplinary notes and salary information.
Applications grow over time, more features are added, and existing features are enhanced. Security must be maintained throughout this process, which is a challenge for any software firm. New methods of attacking companies are met with new mechanisms for defending them. Growing numbers of employees mean more data, more email, more documents, more folders of information, more little black notebooks, more laptops, more mobile phones. Security is not, therefore, something you switch on; it is a never-ending mountain that must be climbed.
So, what is ISO27001?
ISO27001 is an internationally recognised standard that demonstrates a commitment to data security, adhering to an information security management system, and fostering a culture of awareness of security that encompasses all aspects of company operations and activities.
Why did we decide to become ISO27001 accredited?
We decided to embark on the journey to achieve ISO27001 for multiple reasons.
Firstly, we were aware that if security is the path up a mountain, an ISO27001 qualification is like taking a short cut part of the way on a chairlift. It doesn’t automatically make you “secure”, but it ensures you are fostering a culture of thinking about security in every interaction, and that you are on a never-ending journey to improve it.
Secondly, it’s probably the best way of ensuring you are covering all your bases with regard to GDPR compliance, the requirements of which, as we know, are somewhat confusing and ambiguous. We figured that if the rest of Europe is going to strive for GDPR compliance, then we’d take steps to go above and beyond.
A lot of people have heard about ISO27001. Our onboarding team are often asked if we adhere to that standard. So, it’s amazing to be able to say “yes we do” to both our existing and prospective customers, give them peace of mind, and provide them the means to trust us that little bit more with their sensitive data.
In addition, breathe has been amazingly successful and is growing at an incredible rate. The management team don’t want to lie awake worrying about security, so we wanted to create an awareness throughout the entire company of what data security means, and to create a culture where everyone is vigilant and everyone is responsible.
Finally, one of our values is to 'do the right thing'. We have been talking about security for years, but committing to achieving ISO27001 accreditation was our way of walking the walk.
The process in 3 stages
Let me break down ISO27001 and put it in English for you. There are essentially three stages to the process of becoming accredited.
The first is to put an ISMS (Information Security Management System) in place. This is a library of documents and lists that detail everything from who has access to which applications and at what level, to how security is managed during the breathe development process. This is done based on “how things are now” rather than “how things should be”. And, even for an organisation like breathe, that has always taken security seriously, it was a humbling process, as gaps and weaknesses were made abundantly clear. It turns out we were pretty good at managing obvious risks like the breathe application itself, but we didn’t have a strict process for all notes and paper being cross-shredded and destroyed on a daily basis. People who doodle when they are on the phone tend to write down names and phone numbers.
The second stage is to build a routine of continual improvement. This covers everything from regular meetings of a security team, to reviews and enhancements of procedures, to staff education. This gets the whole company on board and brings the standard up. Now staff were able to record potential threats themselves, which got everyone thinking about security. This is an important point. ISO27001 is a journey that never stops. What was great today will be good tomorrow and unacceptable next week. Security must constantly be reviewed and enhanced. It must be built into your staff onboarding and exit process. It must be driven by everyone in the company. Now, if I leave my laptop screen unlocked and walk away, it will lock itself in 60 seconds. More than that, one of my team will point out the error of my ways on my return.
The final stage is to go through a series of audits. We went through a test where someone tried to obtain our employee data using a very real-looking fake email. We spotted it very quickly, but it was terrifying how subtle and complex an attack can be. We went through a disaster management scenario where we had to see if the plans and procedures we had put in place allowed the business to continue. We tested what happens if we lose the breathe hosting provider. We had people try to sneak into the office without being spotted. Finally, when we decided we were ready, we had an external and independent inspector spend 4 days with us going through the entire ISMS to ensure it was compliant, and then testing to ensure we were actually living what the documentation said we were doing.
A continuous journey
Achieving ISO27001 is admittedly more difficult than stating you intend to achieve it. The process took us a year from start to finish with the help of a team of 4 people here at breathe, as well as the use of external expertise in the form of a company called CQR. CQR unquestionably accelerated the process for us, and I would thoroughly recommend using an external expert as your guide in your journey to ISO27001.
More than anything else, achieving ISO27001 is a humbling journey that requires complete honesty. You have to take a step back and look at your entire business from a perspective of risk and threat, and that’s quite a scary thing to do.
So here we are, with a freshly printed ISO27001 certificate. The journey is by no means over. There are regular meetings of the security team. There are processes that are compliant but a bit cumbersome. There are new applications to assess and check that we are happy with. There are employees joining regularly who need to be trained in data security. However, data security is no longer something we are ‘doing’ to achieve a goal. It’s become part of who we are. We like to think that’s always been the case, only now we have a certificate to prove it.