We said we had information security,
But were asked about its maturity.
So we took a route to remove any doubt,
By certifying it for tendering surety.
That’s the situation we were in toward the close of 2019. We had our information security management system (ISMS) only somewhat documented and our onion rings of protection still needed some growing. When prospective customers asked for our information security credentials, we provided these. But often they were unimpressed. They further inquired about our security practices, security risk management, and level of awareness. And finally, they asked were we information security certified. Or an application for tender asked this simple question “Is the company ISO 27001 certified?” No meant that we were already at a disadvantage before the tendering competition even began. Or in some cases it meant we were not eligible to even apply. Clearly this could not continue; we had to turn disadvantage into opportunity.
It started with top management accountability and commitment
In December 2019, the Gofore Security Team rose to the challenge and proposed to the management team, with evidence of tendering disadvantage in hand, that our ISMS should be formalised and certified to meet customer expectations. This was the critical first step because such an impactful company-wide project categorically requires the sanction, commitment and sponsorship of top management.
We proposed that *ISO27001 should be the internationally recognised standard to certify to. Top management approved the green light to start the ISO 27001 project on condition that we, quote CEO Mikael Nylund, “don’t do anything stupid”. The project was overseen by Chief Information Security Officer Jani Lammi, led by Secure Design Consultant Niall O’Donoghue who advocated for ISMS certification, with Security Consultants Tapio Vuorinen and Akseli Piilola as specialist project members.
Next, we scoped the ISO 27001 project. This was a critical second step (after top management approval) and so, to avoid doing “anything stupid” already, we delved into sources of advice and past experience that warned too wide a scope had doomed many organisations’ first attempts at certification. We really didn’t want to join that wall of shame. When the scope was agreed, it simplified identifying associated tangible and intangible assets, and that in turn simplified identifying stakeholders i.e., those with a vested role, responsibility, or interest in how the ISMS protects the assets within scope they utilise. Keeping within the certification scope was essential for formalising our ISMS benchmark that other company sites could aim to comply with.
That human connection called communication
Another pitfall we were careful to want to avoid was miscommunication. This was a delicate balancing act because the two leading causes of miscommunication in business are lack of communication whereby no one knows what’s happening, and excess communication whereby too many messages lead to key take-aways being missed or buried. We aimed for a cosy middle way with monthly stakeholder update meetings, several strategically issued awareness-raising broadcasts, a survey, and direct contact to key stakeholders.
Direct stakeholder involvement was crucial for information security risks identification and assessment. ISO 27001 is heavily based upon identifying relevant risks and applying human, process or technical mitigating controls to ensure sufficient asset robustness and resilience against ever-present threats. Risks identification and controls implementation was a time-consuming activity.
Soliciting employee (aka Gofore crew) opinion and input were achieved by means of a security pulse survey since, after all, crew are the company’s most valued asset, so their observations and recommendations must be taken into account. In a company with a flat organisational structure and a culture of transparency and self-determination, crew acceptance of and compliance with ISMS improvements is essential for effective security in practice.
Preparing for ISO 27001 certification consumed a lot of time and resources not only from the Security and IT teams but also from key stakeholders. Keeping the many ISMS facets being improved under control required proactive timely planning, and a ticket-workflow methodology, and fine-tuning along the way. Focusing on the critical and prioritising resolution of non-conformities and long-term ISMS deficiencies was central to getting things progressively done toward compliance. An internal audit, pre-audit and stage 1 audit were concurrently project delivery targets and progress checkpoints.
The project began in December 2019 and it ended in December 2020 with the certification audit which occurred over four days with thirty-two interviews and four office site tours. We achieved ISO 27001 certification, which probably confirms that we didn’t “do anything stupid” and now we can bask in the celebration of our achievement for a while. But in celebrating, we must not forget why we did this project. The top four reasons we certified our ISMS were 1. to raise the level of security awareness in the Gofore crew, 2. to evolve the ISMS to a condition expected from a digitalisation company, 3. to control identified security risks the company constantly faces, and 4. to win more customer project tenders.
The project is over but the program continues
Security is sure to fail if its kept separate from everyday business. Security cannot be bolted on either humanly, process-wise, or technically, it must be integrated and seamless as sensibly possible. So, the ISMS program must continue as a normalised aspect of everyday business. After the certification audit, business stakeholders and crew are still as relevant for ensuring ISMS effectiveness, and so the collaboration continues. There are more risks to identify and controls to implement. There must be ongoing security awareness to ensure newcomers and contractors comply with our information security policy. An annual review and audit of our ISMS must be conducted. Our ISMS must not regress, it must progress as business progresses.
Niall O’Donoghue on behalf of Gofore
You will find Gofore listed as ISO 27001 certified via https://www.kiwa.com/fi/fi/palvelutyyppi/sertifiointi-ja-arviointi/sertifikaattihaku/
* ISO27001 is a security standard that provides a framework for establishing, implementing, operating, monitoring and maintaining an ISMS. ISO 27001 is extensively accepted as the highest security standard in the information and communications technology industry for verifying the efficiency of an organisation’s overall attitude to security.