Audits, Audits, Compliance and Certifications, Certification, ISO 27001, Multiple Standards

An Integrated Approach: How ISMS.online Achieved ISO 27001 and ISO 27701 Recertification

In October 2024, we attained recertification to ISO 27001, the information security standard, and ISO 27701, the data privacy standard. With our successful recertification, ISMS.online enters its fifth three-year certification cycle—we've held ISO 27001 for over a decade! We're pleased to share that we achieved both certifications with zero non-conformities and plenty of learning. How did we ensure we effectively managed and continued to improve our data privacy and information security? We used our integrated compliance solution – Single Point of Truth, or SPoT, to build our integrated management system (IMS). Our IMS combines our information security management system (ISMS) and privacy information management system (PIMS) into one seamless solution. In this blog, our team shares their thoughts on the process and experience and explains how we approached our ISO 27001 and ISO 27701 recertification audits. What is ISO 27701? ISO 27701 is a privacy extension to ISO 27001. The standard provides guidelines and requirements for implementing and maintaining a PIMS within an existing ISMS framework. Why Should Organisations Look to Implement ISO 27701? Organisations are responsible for storing and handling more sensitive information than ever before. Such a high - and increasing - volume of data offers a lucrative target for threat actors and presents a key concern for consumers and businesses to ensure it's kept safe. With the growth of global regulations, such as GDPR, CCPA, and HIPAA, organisations have a mounting legal responsibility to protect their customers' data. Globally, we're steadily moving towards a compliance landscape where information security can no longer exist without data privacy. The benefits of adopting ISO 27701 extend beyond helping organisations meet regulatory and compliance requirements. These include demonstrating accountability and transparency to stakeholders, improving customer trust and loyalty, reducing the risk of privacy breaches and associated costs, and unlocking a competitive advantage. Our ISO 27001 and ISO 27701 Recertification Audit Preparation As this ISO 27701 audit was a recertification, we knew that it was likely to be more in-depth and have a larger scope than a yearly surveillance audit. It was scheduled to last 9 days in total. Also, since our previous audit, ISMS.online has moved HQ, gained another office and had several personnel changes. We were prepared to address any non-compliances caused by these changes, should the auditor find any. IMS Review Before our audit, we reviewed our policies and controls to ensure that they still reflected our information security and privacy approach. Considering the big changes to our business in the past 12 months, it was necessary to ensure that we could demonstrate continual monitoring and improvement of our approach. This included ensuring that our internal audit programme was up to date and complete, we could evidence recording the outcomes of our ISMS Management meetings, and that our KPIs were up to date to show that we were measuring our infosec and privacy performance. Risk Management and Gap Analysis Risk management and gap analysis should be part of the continual improvement process when maintaining compliance with both ISO 27001 and ISO 27701. However, day-to-day business pressures may make this difficult. We used our own ISMS.online platform project management tools to schedule regular reviews of the critical elements of the ISMS, such as risk analysis, internal audit programme, KPIs, supplier assessments, and corrective actions. Using Our ISMS.online Platform All information relating to our policies and controls is held in our ISMS.online platform, which is accessible by the whole team. This platform enables collaborative updates to be reviewed and approved and also provides automatic versioning and a historical timeline of any changes. The platform also automatically schedules important review tasks, such as risk assessments and reviews, and allows users to create actions to ensure tasks are completed within the necessary timescales. Customisable frameworks provide a consistent approach to processes such as supplier assessments and recruitment, detailing the important infosec and privacy tasks that need to be performed for these activities. What to Expect During an ISO 27001 and ISO 27701 Audit During the audit, the auditor will want to review some key areas of your IMS, such as: Your organisation's policies, procedures, and processes for managing personal data or information security Evaluate your information security and privacy risks and appropriate controls to determine whether your controls effectively mitigate the identified risks. Assess yourincident management. Is your ability to detect, report, investigate, and respond to incidents sufficient? Examine your third-party management to ensure adequate controls are in place to manage third-party risks. Check your training programmes adequately educate your staff on privacy and information security matters. Review your organisation's performance metrics to confirm they meet your outlined privacy and information security objectives. The External Audit Process Before your audit begins, the external auditor will provide a schedule detailing the scope they want to cover and if they would like to talk to specific departments or personnel or visit particular locations. The first day starts with an opening meeting. Members of the executive team, in our case, the CEO and CPO, are present to satisfy the auditor that they manage, actively support, and are engaged in the information security and privacy programme for the whole organisation. This focuses on a review of ISO 27001 and ISO 27701 management clause policies and controls. For our latest audit, after the opening meeting ended, our IMS Manager liaised directly with the auditor to review the ISMS and PIMS policies and controls as per the schedule. The IMS Manager also facilitated engagement between the auditor and wider ISMS.online teams and personnel to discuss our approach to the various information security and privacy policies and controls and obtain evidence that we follow them in day-to-day operations. On the final day, there is a closing meeting where the auditor formally presents their findings from the audit and provides an opportunity to discuss and clarify any related issues. We were pleased to find that, although our auditor raised some observations, he did not discover any non-compliance. People, Processes and Technology: A Three-Pronged Approach to an IMS Part of the ISMS.online ethos is that effective, sustainable information security and data privacy are achieved through people, processes and technology. A technology-only approach will never be successful. A technology-only approach focuses on meeting the standard's minimum requirements rather than effectively managing data privacy risks in the long term. However, your people and processes, alongside a robust technology setup, will set you ahead of the pack and significantly improve your information security and data privacy effectiveness. As part of our audit preparation, for example, we ensured our people and processes were aligned by using the ISMS.online policy pack feature to distribute all the policies and controls relevant to each department. This feature enables tracking of each individual's reading of the policies and controls, ensures individuals are aware of information security and privacy processes relevant to their role, and ensures records compliance. A less effective tick-box approach will often: Involve a superficial risk assessment, which may overlook significant risks Ignore key stakeholders' privacy concerns. Deliver generic training not tailored to the organisation's specific needs. Execute limited monitoring and review of your controls, which may result in undetected incidents. All of these open organisations up to potentially damaging breaches, financial penalties and reputational damage. Mike Jennings, ISMS.online's IMS Manager advises: "Don't just use the standards as a checklist to gain certification; 'live and breathe' your policies and controls. They will make your organisation more secure and help you sleep a little easier at night!" ISO 27701 Roadmap – Download Now We've created a practical one-page roadmap, broken down into five key focus areas, for approaching and achieving ISO 27701 in your business. Download the PDF today for a simple kickstart on your journey to more effective data privacy. Download Now Unlock Your Compliance Advantage Attaining recertification to ISO 27001 and ISO 27001 was a significant achievement for us at ISMS.online, and we used our own platform to do so quickly, effectively and with zero non-conformities. ISMS.online provides an 81% head start, the Assured Results Method, a catalogue of documentation that can be adopted, adapted, or added to, and our Virtual Coach's always-on support. Easily ensure your organisation is actively securing your information and data privacy, continuously improving its approach to security, and complying with standards like ISO 27001 and ISO 27701. Discover the benefits first-hand - request a call with one of our experts today.
Read More
Certification, ISO 27001

When Ransomware Strikes at Night, How Can Your Organisation Stay Safe?

Ransomware is the cybersecurity story of the past decade. But over that time, adversary tactics, techniques, and procedures (TTPs) have continued to shift according to the continuously evolving arms race between attackers and network defenders. With historically low numbers of victim companies electing to pay their extortionists, ransomware affiliates are focusing on speed, timing, and camouflage. The question is: with most attacks now coming at weekends and in the early hours of the morning, do network defenders still have the right tools and processes in place to mitigate the threat? Financial services organisations, in particular will need an urgent answer to such questions ahead of compliance with the EU's Digital Operational Resilience Act (DORA). From Strength to Strength By one measure, ransomware continues to thrive. This year is set to be the highest-grossing ever, according to analysis of crypto payments to addresses linked to criminality. According to an August report from blockchain investigator Chainalysis, ransomware "inflows" year-to-date (YTD) stand at $460m, up around 2% from the same time last year ($449m). The firm claims this increase is largely due to "big-game hunting" – the tactic of going after fewer large corporate victims that may be more capable and willing to pay larger ransoms. The theory is borne out in one payment of $75m by an unnamed company, to the Dark Angels ransomware group earlier this year – the largest ever recorded. Overall, the median ransom payment to the most common ransomware strains has also surged—from just under $200,000 in early 2023 to $1.5m in mid-June 2024. Chainalysis claims this suggests "that these strains are prioritising targeting larger businesses and critical infrastructure providers that may be more likely to pay high ransoms due to their deep pockets and systemic importance. " The apparent strength of the ransomware ecosystem is more impressive given the law enforcement wins of earlier this year, which seemed to disrupt two major groups: LockBit and ALPHV/BlackCat. Chainalysis claims these efforts have fragmented the cybercrime underground somewhat, with affiliates moving to "less effective strains" or launching their own. This chimes with a Q2 2024 analysis by ransomware specialist Coveware, which claims to have observed an increase in the number of "lone wolf" groups not affiliated with any major ransomware "brand". Many have taken this decision "due to the increasing threat of exposure, interruption, and profit loss associated with 'toxic' ransomware brands," it says. However, the bottom line is that these threat actors are still active. And with payment rates declining from a high of around 85% of victims in 2019 to roughly a third of that today, they are always looking for ways to make their efforts more effective. Timing Is Everything A new report from Malwarebytes' ThreatDown group reveals exactly how they hope to do so. It claims that, over the past year, more ransomware groups have attacked victims on weekends and in the early hours of the morning. The threat team dealt with most attacks between 1 and 5 a.m. local time. The reason is obvious: the threat actors hope to catch an organisation when its IT team is fast asleep or recharging its batteries at the weekend. Further, the report claims that attacks are getting faster. Back in 2022, a Splunk study tested 10 top ransomware variants and found the median speed for encrypting 100,000 files was just 43 minutes, with LockBit the quickest of all at just four minutes. But what Malwarebytes is seeing is an acceleration of the entire attack chain – from initial access to lateral movement, data exfiltration and finally, encryption. That gives bleary-eyed network defenders even less time to respond and contain a threat before it's too late. The report also claims that more malicious actors use Living Off the Land (LOTL) techniques, which use legitimate tools and processes to stay hidden inside networks while achieving these ends. "Recent customer incidents from top gangs such as LockBit, Akira and Medusa reveal that most of the modern ransomware attack chain is now composed of LOTL techniques," it says. How to Mitigate Ransomware Risk in 2024 Big-game hunting attacks may garner most of the headlines, but the truth is that most ransomware victims are technically SMBs. Coveware claims that the median size in Q2 2024 was just 200 employees. So how can these organisations hope to defend against stealthy attacks at night and on weekends? "The only solution is to ensure that those assets are monitored with the same diligence at 1am as they are at 1pm," Malwarebytes senior threat intelligence researcher Mark Stockley tells ISMS.online. "That can be achieved by staffing an in-house Security Operations Centre (SOC) that operates 24/7. But for most organisations, it's more practical and cost-effective to use a third-party service, like Managed Detection and Response (MDR), or to have a Managed Service Provider (MSP) do it." As the DORA era looms, such measures will be increasingly necessary for financial services organisations and their suppliers. Continuous monitoring, 24/7 incident response readiness, robust business continuity planning, and regular testing will all be required to satisfy regulators that resilience is at an appropriate level. Stockley believes best practice standards and frameworks like ISO 27001 can help to get organisations to this point. "Like any standard or framework, ISO 27001 is a means to an end. Organisations can arrive at the level of information security they need without it, but standards and frameworks can act as useful maps to help them get there and stay there," he adds. "The right choice of framework depends on the organisation's level of security maturity. Ultimately, cyber-criminals don't care what certifications you have; they only care if they get stopped."
Read More
Certification

ISO 27001 Certification, Simplified

Achieving ISO 27001 Certification acts as a business differentiator, affirming to suppliers, stakeholders and clients that your business takes information security management seriously. Here we will explain what it means to be ISO 27001 certified, the benefits, and what might be involved.
Read More
ISO 27001, Medium Businesses, Audits, Certification, Controls, Policies

How Utonomy achieved ISO 27001 first time with ISMS.online

Utonomy was created to solve a specific problem: helping gas network operators reduce methane leakage through pressure management. The company has developed innovative technology that automatically optimises the pressure in gas distribution networks, taking into account seasonal and daily variations in demand to deliver a significant reduction in leakage.

The business supplies customers critical to national infrastructure who face stringent regulatory requirements. As such, the Utonomy team knew that achieving ISO 27001 certification was a must to demonstrate the company’s proactive information security stance to customers, stakeholders, and prospects when tendering.

Utonomy already had a basic information security management system (ISMS) in place due to the work the team had done to achieve Cyber Essentials certification. However, they knew that the business needed a more comprehensive ISMS to achieve ISO 27001 certification successfully. The company needed a platform to make ISO 27001 implementation and ongoing compliance as easy as possible.

“We recognised that we were going to need ISO 27001 in terms of our relationships with our customers; the industry was becoming more security aware. We’d done a fair bit of work around Cyber Essentials, but we thought, ‘we’re going to need to step up our game.’”

Steve Lewis, Chief Technology Officer and Chief Information Security Officer at Utonomy

“We’ve got lots of stuff in the trackers because they’re easy to use. It means that the people who need to be [tracking security incidents] aren’t likely to do it somewhere else, like a note in a book or in one of our other systems. And that makes it easier to manage and easier to audit.”

Steve Lewis, Chief Technology Officer and Chief Information Security Officer at Utonomy

Utonomy chose the ISMS.online platform for ISO 27001 compliance and certification, building out all its ISO 27001 policies, trackers and evidence under one roof. Using the platform’s pre-built policy templates as a starting point, Steve and his team expanded on the templates to suit Utonomy’s specific security objectives and ensured they had comprehensive knowledge of the policies and controls making up the organisation’s ISMS.

“The templates gave us a structure, and it was an educational way to look at an acceptable description of a process because when you’re coming in cold, it’s always difficult to know how far you have to go with documentation.”

Steve Lewis, Chief Technology Officer and Chief Information Security Officer at Utonomy

The business migrated product risk documentation into ISMS.online to proactively manage product threats and controls within the platform using the risk register and risk tracking. With the linked work feature, Utonomy mapped over 60 risks and associated controls and can now easily monitor and manage product risks rather than updating documentation manually. 

“In this new form, it will be much easier to update when we launch new product features or product changes. It’ll be a less onerous, daunting task to try and work through the things we need to change.”

Steve Lewis, Chief Technology Officer and Chief Information Security Officer at Utonomy

Read More
ISMS Platform Tour

Interested in an ISMS.online platform tour?

Start your free 2-minute interactive demo now and experience the magic of ISMS.online in action!

Try it for free

Streamline your workflow with our new Jira integration! Learn more here.