The Situation

The business had several banking clients using our internally hosted software platform to manage its built assets. As one might expect, they had an audit requirement for our systems to be ISO27001 compliant. The business had kicked this can down the road for several years, to the point that it had become a deal breaker as part of the contract renewal for one of these banking clients. Losing this key client would have left the business financially and reputationally unsafe.

The Task

We therefore committed to having ISO27001 delivered by a certain date, just 6 months down the line.


The Action / Approach

Anyone implementing ISO27001 knows that this is as much about hearts and minds as it is about security policy or pen testing. I knew we were far away from being compliant, let alone achieving certification.

The first stage was executing a gap analysis – looking at what was required and what we had in place (which was very little). The gap analysis translated into a work program, highlighting the things that needed to happen in order to meet the standard and also allowing time for the inspection and assessment and for obtaining the actual certification.

The work program had a significant business change element to it, engaging internal communications to deliver key messages to the business and also delivering compulsory training to raise security awareness across the company.

My biggest challenge was to convince the Board that this was important: any company-wide initiative needs to have unwavering Board support and this was not always forthcoming. I formed an alliance with the Legal Team who were implementing GDPR which made it a much clearer Board level risk, and between us, and with huge amounts of tenacity and perseverance, we were ready for assessment.

The Result

The assessment took place over a series of weeks at various locations. Thankfully we passed and achieved ISO27001 within the 6 month window. This meant that not only did the banking client renew the contract for 3 years, but it also made it much easier for other banking clients to make their business case to stay with us.

One year on, the repeat audit took place and again all was well, thereby showing that the business change had “stuck” and was successful.
