Behind the Scenes with NewVoiceMedia's ISO27001 Audit
With today's announcement that NewVoiceMedia has achieved the ISO27001 accreditation, here on the blog we wanted to provide you with some behind the scenes information on the process that we've been through and what this means to you.
ISO27001 is an international standard relating to data security and NewVoiceMedia took the decision to become accredited to save our customers time when performing due diligence.
Alan Duckworth who headed up NewVoiceMedia's ISO27001 team was starting to see an increasing number of RFP's from customers that required non-accredited vendors to fill in extensive sections on data security. Successful accreditation would save both our customers and our internal teams significant time.
The first decision to make was the scope of accreditation. It's possible to accredit parts of your organisation - perhaps your HR team, or your Sales team. Alan took the decision to accredit the entire business which although more complex ensured that compliance with the standard became deeply embedded in the culture of the entire business.
6 months ago a gap analysis took place using an external agency. Thankfully due to our PCI-DSS Level 1 accreditation much of the required processes were already in place - it was just a case of pushing those behaviours out across the rest of the business. We undertook an internal audit before Christmas to confirm that we had completed our improvement roadmap, and then in early January we underwent three days of external auditing. For Alan this was the culmination of his work - and although confident that the company was ready, "you're never truly happy until the certificate arrives!"
At NewVoiceMedia the visible changes include permanent card entry systems on all the doors, a document classification system, and a security feedback process built into our Salesforce CRM. New employees have also seen their new starter process enhanced with updated Company Handbooks and security training.
I asked Alan what advice he'd give to other businesses looking at achieving the ISO27001 accreditation. "Get management buy-in - it's critical to ensuring that everyone in the business subscribes to the mission." Alan also believes that it can be tempting to go over the top with your changes - you have to balance security with realism. "Asking your employees to manage 30 character passwords is going to cause more issues than it solves. Make sure you keep your employees front of mind when making changes."
With PCI-DSS Level 1 and ISO27001 under his belt, Alan is now eyeing up BS2599 (a business continuity standard) and ISO9001 (a business process standard). There is plenty of opportunity for us to further develop our clients' trust in our platform and process.
Have you achieved ISO27001? What was your experience like?
We hope you have found this post useful. If so, please share with your network and subscribe to the blog.