I've just spent three days supporting a client through their first ISO27001 surveillance audit - and it was a blast!
18 months ago I had a call from a very stressed CTO who had been trying (and failing) to create and implement an ISO27001 information security management system. He was up against a contractual obligation and, although this particular client has superb technical security knowledge and implementation, documenting policies and following processes was most definitely counter-cultural.
To be honest, this is one of my dream clients. Security is in their DNA as they deliver cloud based services to customers demanding high security for their data. And the team are world leaders in what they do. But the detail and definition of appropriate security policies and procedures was really difficult for them to define.
Embedding myself in their team and procuring the right tools was a good start. As a firm believer in 'doing with' rather than 'doing to' - topped up with a healthy dose of 'how can this help the business grow and develop?' - collaboration and guidance were the order of the day. It was not easy - and as always with ISO27001, at times it felt interminable. But the tool we used (ISMS Online) includes a percentage-completion tracker, an actions kanban and automated 'to do' reminders, which kept us going (that and copious amounts of coffee!).
The proof was in the pudding. We sailed through the stage one audit and within six months were fully certified with no non-conformities or opportunities for improvement.
So how did the surveillance audit surpass our expectations too? Well, the first few months of this year were spent recruiting a permanent resource who would be responsible for day-to-day information security. Another sign of the leadership commitment. And then, with maintenance support and advice from me, we focussed on how to mature and improve the approach. Even though the auditor couldn't find anything to recommend, the company was keen to streamline, automate and mature as much as possible.
Fast forward to the end of November 2023 and the surveillance audit was upon us. Again we raced through with no non-conformities and no opportunities for improvement. This is not a case of gold-plating their security or of presenting a particularly positive case to the auditor. The company has grown significantly this year and used that as an opportunity to mature processes and update policies to meet their requirements and culture.
At RTG Commercial Services we pride ourselves on offering high quality services that relieve busy businesses of the burden of protecting their data. All of our services are tailored to meet operational requirements and take away the strain so that busy businesses can focus on their core sales and profits. If the story of my client CTO chimes with your feelings about security, why not take a look at our website and see what we offer? A great place to start is our Security Healthcheck, which is currently being offered with a £500 saving! This deep dive into all of your security operations provides actionable insight into where you can improve your security posture. It is easy to book a free initial call so we can work out how to take that effort off your shoulders and onto ours - use this link to book a time and feel better today!
Oh, and what made this a contender for best surveillance audit ever? The final comment from the auditor: