Early last year, after completing yet another information security questionnaire as part of a public sector website tender, we made the decision to add ISO/IEC 27001 certification to our suite of ‘ISOs’.
We currently hold 9001 for quality management, 14001 for environmental management and 18001 for occupational health and safety management. These combine into what is called an Integrated Management System and every year we are audited over a period of several days to make sure we comply with each of these strict international standards.
27001 is the best-known standard for providing a detailed set of bullet-proof requirements for an information security management system (ISMS).
During our day-to-day activities, developing websites for our clients and performing our general ‘running a busy business’ duties, we interact with a variety of information assets, with various degrees of confidentiality. Our 27001 ISMS helps us manage these information assets, providing assurance of their confidentiality, integrity and availability.
As we have been working with high profile public sector clients for about 15 years, it turned out we had most of what we needed for 27001 already in place. We just needed to spend time formalising all of the policies and procedures to satisfy the audit team.
We passed with flying colours and received our certificate last month.
Why is this important?
We’ve gone to great lengths to ensure confidential things stay confidential.
Everything from the secure coding standards we work to, how our network infrastructure is designed and monitored, our hosting and our disaster recovery plans, through to how our team use mobile devices for their S8080 email accounts has been considered, risk-assessed and hardened.
It’s all a bit James Bond, but it means our clients have one less thing to worry about.