A year ago, we blogged about Data Security as a Practice. Since then, we have continued the practices we talked about there, integrating them even further into our daily practice, and incorporating new processes and aspects into our existing cadence. We have continued to teach and learn by assessing new risks, taking on board new approaches and evaluating new technologies.
Seven months ago, we started on a journey to international accreditation of our Information Security Management System. We started by pulling together our existing controls and processes and aligning them with a certification standard. Our management team collaborated to define strategic alignment, goals and the context of the organisation in relation to information security. We included the entire BizCubed team in risk assessments because we know that drawing on diverse perspectives and experiences leads to better outcomes.
Six months ago, we passed our Stage 1 Audit with flying colours, but of course there was still a lot of work to do. The Stage 1 audit simply checked that our system framework was established and defined. Next we had to demonstrate that it was a living entity, not just a blueprint for a future state.
So we dug further, documented more, got into the nitty-gritty of 114 information security controls and conducted an entire information system internal audit from top to bottom. We incorporated it into our cadence: every day we identify any client feedback related to security; every week we review new risks; every month the management team reviews information security trends and aspects across the business.
And it was exciting.
Just over a month ago we had our Stage 2 Audit. It was an intense few days, and again a great result. We had many participants across the organisation: senior managers, senior data engineers, service delivery data engineers, and the CEO.
While much of what we do now we did before, the entire system has been reinforced and is significantly more robust. It’s also clear to everyone in the company how important information security is, and we all actively participate in it every day. It is core to our business, it is critical to our customers, and it is key to our overall business strategy and vision.
A few short weeks ago we received the ISO27001 certification, the culmination of this work – or rather, a celebration of this work, because this of course is not the end of it. From here, we will continue as we always have, practicing data security as a daily norm, continually improving, making better decisions every day.
About the Author
Rebecca Zeus is Co-Owner and Enablement Manager at BizCubed. A chemical engineer by training and a Lean Six Sigma Blackbelt, she has built a reputation as an expert in process design and implementation. Most recently, she led a company-wide initiative to formalise and certify BizCubed’s Information Security Management System. She is also a mother of four, a school volunteer, a non-profit board member, and a crafting enthusiast.