Our annual ISO 27001 Surveillance Audit - what it means, how we prepared & how it went
It's been a heck of a year - pandemics, potential world wars, frigid Oceanic winters and scorching European summers - but the main event that had a few of us at April9 wringing our hands...our first ISO27001 surveillance audit! Since information security (and management thereof) is such an integral facet of our organisation, and given the time and effort invested in implementing and maintaining these systems, we thought we'd give you a behind-the-scenes look at what goes into preparing for the audit, as well as how it went.
First we'll quickly run through a bit of an overview of ISO 27001, why April9 decided to pursue ISO 27001 certification in 2021, and what the last year has looked like since we achieved this. After that we'll jump into a short Q&A with April9's Chief Information Security Officer for a more detailed look into what we did to prepare for our first Surveillance Audit, as well as the outcome.
What is ISO 27001?
ISO/IEC 27001 is the international standard that sets out the requirements for an Information Security Management System (ISMS), and being certified means an accredited external body has audited that ISMS against the standard. If you've been on our website or gotten an email from our team lately, you'll no doubt have spotted this little badge:
What does it mean to be ISO 27001 certified?
There are numerous benefits to pursuing ISO 27001 certification, some of which include:
- Improved security: By implementing an ISMS, organisations can improve their overall security posture. This is achieved by identifying and mitigating risks, as well as establishing processes and procedures for managing information security.
- Enhanced reputation: Achieving ISO 27001 certification can help to enhance an organisation's reputation, as it shows that they are committed to protecting their information.
- Increased customer confidence: Customers doing business with an ISO 27001 certified organisation have independent assurance that their data is managed under a security system that has been audited against the standard.
- Improved efficiency: An effective ISMS can help to improve the efficiency of an organisation by streamlining processes and procedures related to information security.
How to get ISO 27001 certification
In order to be ISO 27001 certified, an organisation must go through a rigorous assessment process to ensure that their ISMS meets all of the requirements laid out in the standard. This includes things like conducting risk assessments, implementing information security controls, and establishing processes and procedures for managing information security.
There are a few* steps that need to be followed in order to achieve ISO 27001 certification:
- Conduct a risk assessment: This step is important to identify the potential risks and vulnerabilities that could impact your organisation.
- Implement security controls: Once the risks have been identified, security controls need to be put in place to mitigate them.
- Establish processes and procedures: to effectively manage your ISMS, it is important to establish processes and procedures for things like incident management, change management, and security awareness training.
- Submit to an external assessment: Once you have completed the above steps, you will need to submit to an external assessment by an accredited certification body to be certified. This assessment, typically run in two stages, will ensure that your ISMS meets all of the requirements of the standard.
*"a few" in this case involving literal months of work and hundreds of hours of input from numerous stakeholders within the organisation. But yeah, just a few steps.
What is an ISMS, and why is it important?
An Information Security Management System (ISMS) is a framework of policies and procedures that an organisation puts in place in order to manage its information security. The purpose of an ISMS is to protect the confidentiality, integrity, and availability of an organisation's information.
By having an ISMS in place, we can effectively manage our information security risks and ensure that our data - and our customers' - is protected. ISMSs are especially important in today's landscape, with the number of reported data breaches having risen 68% year-on-year.
Why did April9 pursue ISO 27001 certification?
As April9 has grown as a company, the importance of having in place robust processes and procedures for managing our information security has also increased. In order to ensure that we are providing the best possible service to our customers, it became clear to us that pursuing ISO 27001 certification would deliver value on a number of fronts.
Not only does having an established ISMS in place inspire confidence in our customers, knowing their data is protected, but it also helps us stand out from our competitors. There are over 1,000 software development companies in Australia, but only a small fraction of them are willing to invest the time and resources into building and maintaining an ISO-level ISMS. This helps give April9 a competitive advantage over these companies, especially when it comes to working with enterprises or government bodies that comprise a large portion of our modern client base.
Preparing for the ISO 27001 Surveillance Audit
To get some insight into the preparations and process of the ISO 27001 surveillance audit, we talked to our very own Brett Henderson, April9's Chief Information Security Officer, who was the one primarily responsible for overseeing April9's preparations for the audit.
Brett, thanks for taking the time to participate. Did we miss anything so far?
That's a pretty good summary of ISO 27001. The only thing I'd add is that while undertaking it definitely improved our overall security posture, it also assisted us in the maturity of our company.
Most small to medium businesses focus primarily on getting the job done to meet the needs of the business today. This can mean that as you scale, there is no one place to identify how things should be done. While we have created all the policies and processes needed to meet the requirements of ISO 27001, we have also used it as an opportunity to document and standardise a lot of other policies and processes. This has helped maintain control as we grow.
Additionally, the team, knowing they need to adhere to our security-related policies and processes, are also aware of the other policies and processes, as we keep them in the same location, and can contribute to their improvement as well.
For the people at home, can you briefly explain the difference between an ISO 27001 Certification Audit vs a Surveillance Audit?
During a certification audit, you undertake two stages. The first is a Gap Audit where they ensure your ISMS meets all the requirements to be certified. The second, or Implementation Audit, is where they look at what you say you will do in your policies, processes and controls and ask you to show proof. In both cases, this encompasses all elements of the Standard and all included Annex A controls.
A Surveillance Audit is a shorter version of the two Certification Audit stages. As it's been a year since you were certified, they check you are doing all the things you need to be doing to maintain a compliant ISMS, for example monitoring, risk assessment etc. They then look at the implementation of a selection of the Annex A controls, for example mobile device security, access controls and operational security. Each time you have a surveillance audit, the list of things looked at will change.
What did April9 do to prepare for its first ISO 27001 Surveillance Audit? Who was involved and how far in advance did you need to start prepping?
Preparing for a Surveillance Audit, if you are doing things correctly, is relatively simple. A few months beforehand you need to schedule the audit - auditors have busy schedules, so you can't leave it to the last minute. You also need to schedule and hold your internal audit and management review meeting.
In addition, I ensured we had completed our scheduled yearly risk and process reviews, reviewed any opportunities for improvement from previous audits we hadn't decided to undertake (never too late to reconsider an improvement) and did our yearly security refresher with the entire April9 team.
All up, the prep time wasn't long as we ensure our ISMS is a living system.
When it came time for the audit, there weren't too many people involved. It was mainly myself and the CEO, along with those members of the security team whose control areas were being audited.
How does an ISMS improve audit efficiency?
While audit efficiency is not a goal of your ISMS, the structure can greatly improve not only the efficiency of your audit but how you use it. For example, being able to easily identify how a policy or process addresses an Annex A control, while making it simple for the auditors to verify you are meeting the requirements, also makes it easy to ensure your updates to that policy or process continue to meet the needs of the control.
In your experience, what are the most common pitfalls that might cause organisations to lapse their ISO 27001 status or be "caught out" during the audit?
The most obvious one is assuming that achieving certification is the "end" as opposed to just the beginning. This can lead to taking for granted tasks like monitoring, continuous improvement and security awareness training. These are core parts of the standard and, if not done, can result in a Major Non-conformity during an audit. If you get a Major NC, you have a limited time to address it or risk losing your certification.
I can't stress enough, if your ISMS is not a living system, then it's really not serving your or your customers' security needs.
How were you feeling in the lead-up to April9’s 2022 ISO 27001 Surveillance audit?
I was very confident that we wouldn't have any non-conformities as we ensure our system is being used, monitored and evolving to meet our needs. Of course you can never be completely sure as auditors are exceptionally good at sniffing out issues.
So... how did it go?
The audit went really well and took less time than we expected. The structure of our ISMS makes the auditors’ job easier and all of our team understand the security requirements of their respective areas.
Happily, though not entirely surprisingly, we had no non-conformities, and the auditors only came up with a couple of potential improvements we could make.
What happens now?
It would be simple to now just say we have nothing more to do, but that's how you let your system get out of touch with reality.
We will continue to do our monitoring, follow policy and process and importantly look for ways to improve not only the implementation of our security systems but the underpinning policies and processes. All of this will set us up for success in future surveillance audits and ensure we continue to maintain the security of our and our customers' data.
April9’s top tips for preparing for and passing your ISO 27001 Surveillance audit:
- Ensure your ISMS is a living system, continuously improving
- Empower the security officer to hold everyone in the business accountable, especially for things like monitoring and compliance
- Don't take it for granted that everything is being done; do a sanity check of key tasks prior to the audit
- Be open and honest with the auditor
If you'd like to learn more about how April9 safeguards our partners' data using our ISMS, or if you've got a project enquiry that requires working with an ISO 27001 certified company, then please get in touch. We're always looking for new opportunities to form strategic partnerships with SMEs, enterprises and public organisations and help them transform the way they do business through our development and consulting services.