Far from a One-Off, ISO27001 Certification involves Ongoing, Rigorous Process

by Rebecca Zeus
October 26, 2023
BizCubed Awarded ISO27001 Certification

In June 2022 BizCubed announced that we achieved ISO27001 Certification. Did you know that this certification kicks off a three-year process of evaluation and validation of the culture of continuous improvement that is our information security management system (ISMS)?

This idea of an organisation’s security culture involving living processes that are regularly reviewed, improved upon, and augmented works well for BizCubed, because our whole engineering approach is about structure, repeatability, and operationalisation, while also maintaining agility to adapt to new opportunities.

We operationalised everything it took to achieve this certification, and since then we have implemented an input and evaluation cycle both in support of this certification and inspired by it.

Validation Required

Once certified, a business is regularly assessed by the certifying body to validate that it remains in compliance with ISO27001 requirements. The assessors look for issues and for new gaps arising from the risk landscape or from changes to the business environment, and they provide best-practice recommendations and guidance for ongoing improvement. It is just the kind of robust process that resonates with our data engineering mindset.

Each year for three years they perform a surveillance audit and validate against the relevant standards. Maintaining our certification status is contingent not only on the business continuing to demonstrate our data protection capabilities, but also on our continuing to improve and build on those capabilities.

Strategy Accepted

Secure, protected data as a critical asset was already a fundamental concept in our business and a core capability. That’s why ISO27001 certification of our ISMS was the natural next step in demonstrating our value to our customers.

Formalising that ISMS was an extension of the way we were already working, and it – along with our efforts to comply with ISO certification requirements – involved tweaking systems and processes to be even more rigorously governed and consistently secure.

Even better for our customers is that the continuation of these efforts includes an input and evaluation cadence as part of our overall business cadence.

What does that look like, in action?

  • We’ve assigned someone to drive it. As part of our leadership development program, we have a dedicated team member taking the lead on ongoing security improvements. This includes prioritising updates, securing the resourcing required to get it done and coordinating both our internal and external audits.
  • We seek opportunities to improve and augment our data security stance. For example, each time we establish a master services agreement with a new customer or a new business unit within a customer’s organisation, it comes with its own set of requirements, which may include specialised requirements around personally identifiable information (PII). Not only do we address those needs; each also prompts us to assess whether to operationalise those actions into our foundational ISMS as broader capabilities that benefit all our customers.
  • We monitor the threat landscape. Our team reviews inputs such as new security alerts, regularly issued threat reports, and coverage of critical breaches and cyberattacks, to derive learnings and to assess risk relevant to our business and our customers. We then prioritise and take action to reduce both the risk and its potential impact.

This is just the tip of the iceberg of the myriad aspects we’ve operationalised for our ISMS. One year after ISO27001 certification, we are still just as vigilant, just as rigorous, and just as keen to continue adding levels of security to the way we engineer, manage and protect our customers’ data.

Rebecca Zeus

Rebecca Zeus is Co-CEO and Director of Enabling Services at BizCubed. A chemical engineer by training and a Lean Six Sigma Blackbelt, she has built a reputation as an expert in process design and implementation. Most recently, she led a company-wide initiative to formalise and certify BizCubed’s Information Security Management System. She is also a mother of four, an avid volunteer, a non-profit board member, and a crafting-enthusiast.