ISO 27001 - Information Security at 10to8 Appointment Scheduling Software
If you hadn’t noticed by now, I’m quite keen on information security and data compliance. We manage bookings and scheduling for millions of people, so we must take this stuff seriously.
This article is about ‘the big one’ for us; not which standards we comply with but how we organize our approach to data security. As you might have guessed, this involves another standard, specifically ISO 27001: 2013.
We’ve been working towards ISO 27001 certification for years. The standard has informed how we have approached data security since we started the business. Every time we have adopted a regulation or developed our processes we have looked to the ISO 27000 series of standards (and NIST SP 800, another useful series) for guidance. But there’s a difference between using a standard to inform our decisions and fully adopting it and being audited by a third party to check. That’s one of the things we’ve been up to for the last few months.
What is ISO 27001?
For those of you who don’t know what ISO 27001 is, here is my explanation. ISO 27001 is about how you do things and how you approach risk. Adopting the standard means knowing what data and assets you hold, what risks might affect them, how you mitigate those risks, and which controls you need in place to check you’re doing what you say you are. Then you need an overall system to monitor these risks and controls to ensure you are doing it, doing it right, and always improving.
That overall system is called the ISMS or Information Security Management System. This system and your implementation of it get audited by an accredited third party, in our case BSI. If it complies with the standard you’re certified.
It’s important to note that security provisions, however extensive, cannot guarantee data security. Hence we always act to minimize risks. The ISO 27001 standard doesn’t ‘make you secure’. It draws a line in the sand and says this is how secure you are and where you should expend effort to improve. It’s about building a robust and stable system, not a perfect one.
How 10to8 got ISO 27001 certified
What surprised me was the extent to which the accreditation process both galvanized and changed how we do things.
Previously our biggest exposure to the standard had come from our customers. We get a lot of compliance questions, especially from larger businesses with sensitive customer information. Those questions almost always follow a particular pattern we call ‘Appendix A’.
Appendix A is the list of recommended ‘controls’ in ISO 27001 used to check an organization’s data security measures (in other words, how it continuously reduces the risks to its data). There are 114 of them.
So quite regularly businesses write to us asking, in slightly different ways, at least 114 questions on data security. Frustratingly, they are all slightly different and reflect that particular organization’s approach.
It hasn’t just been endless ‘Appendix A’ questionnaires; we had been through several different standards to ensure data protection (e.g. HIPAA, EU GDPR, CCPA) and put in place our own best practices.
So even after all that, on reading through the standard there was still lots to do! Finding gaps is the point of a rigorous process, and ISO 27001 is rigorous.
The biggest risk in a business...
It’s well known that the biggest risk to any business is people: we are walking security risks. For example, breaking encryption on a secured device is difficult, but reading a password over someone’s shoulder if they’ve unlocked the device in public is easy! We, people, introduce a lot of risks.
Rather than go through every single policy we’ve put in place or feature we’ve added to make us more secure, I thought I’d share my favorite outcome of our assessment of risk: our approach to email.
We have all opened our inbox to find an email inviting us to click on a link or to transfer some money urgently. Seemingly they come from friends and colleagues, but on closer inspection, they don’t. These kinds of phishing attacks cost companies $5 billion, and millions of these attacks are made each day.
We realized that if we chose to trust email then it’s only a matter of time before someone clicks the link and the damage could be significant.
So how do we communicate while reducing the risk to our computer systems?
The answer was surprisingly easy. There are so many other ways for companies to communicate, such as MS Teams, Slack, Hangouts or Zoom. With these methods, unlike email, messages are authenticated (you have to log in) at both ends. We enforce ‘MFA’ (multi-factor authentication), which makes these channels far more secure than email.
Email is no longer a trusted form of internal communication.
What the inspections found...
All this work was in anticipation of something we hadn’t had before. An inspection. To get ISO 27001 certified you need to be inspected. You open up your business and processes, show all your working and hope what you did is good. It’s a bit like tidying up and then someone coming in to check that you really have done everything by opening up all the cupboards and looking under the bed.
We had implemented good practice. We had created a lot of documents. But our first inspection showed why inspections are important.
What we had generated could be considered compliant, but practically finding anything in the huge mass of documentation we prepared was difficult. It was difficult to see if anything was missing, and inevitably there was.
We had tidied our room without sorting out where everything should really go. This made it hard for us to prove we were secure and, as our inspector pointed out, tough in the long run for us to administer.
The second round was a detailed 4-day inspection with interviews with staff. We set about a mammoth set of tidying jobs: aligning every document and policy in the entire company with the ISO 27001 process, from clear desk policies to our monthly Friday celebrations guidelines, then double-checking the standard against all our own practices.
The results were extremely gratifying. We sailed through our second inspection and we received our certificate from BSI for ISO 27001:2013 shortly afterward.
Now the real work begins. ISO 27001 is a process, which means that we are continuing to work on all aspects of data security and risk, following our ISMS and iterating to reduce the risks to 10to8 data.