BUSINESS DRIVER FOR ISO 27001

In this digital era, most IT companies are doing business across different countries and continents mainly by sharing information. The basic question that occurs is how safe is the information being handled by an organization.
The Information Security Management System (ISMS) should be standardized as it is a key business factor for using, storing, and transferring data.

Hence, the business driver for M-Insure behind achieving ISO 27001 certification was motivated by their management, and also demanded by their customers to secure information. M-Insure was keen on improvising its existing methods of operations and wanted to commit to continuous improvement of its practices in securing information.

So, they chose a proactive approach with a conscious decision to be certified under ISO 27001, as their information security processes were audited constantly. The top management of M-Insure took the initiative for the entire process and appointed a Chief Information Security Officer (CISO) to monitor and work in coordination with the CertPro team for the entire process of auditing and ISO 27001:2013 certification.

KEY PHASES OF IMPLEMENTATION

Defining the Certification Scope:

The effective process analysis and document checks from CertPro enabled M-Insure to adopt a clear-cut framework with the essential steps required to get ISO 27001 certification.

The initial task was to define the scope of M-Insure’s Information Security Management System (ISMS) to understand its impact on other various subsets of their organization. Based on the scope determined it was decided to implement ISO 27001 for the whole organization to maximize their growth opportunities and business value through effective ways of storing, managing, and distributing data both internally and externally.

Assessment of Risks:

Using the assistance from CertPro in adopting the risk management process, M-insure conducted risk assessments for all their processes. While formulating the Information Security Management System (ISMS), M-Insure was able to update its available risk approach and improvise on the same. Using CertPro’s risk assessment tool M-Insure’s team gauged for controls, consequences, and similarities. The result observed was used to generate a risk register and formulate a risk treatment plan, where the policy or procedure showing the highest risk is treated with utmost priority. This plan was decided to be assessed every quarter to propel the remediation activities.

Policy Making and Process Development:

The key step of ISO 27001 implementation is to prioritize and rationalize the organization’s policies related to information security. M-Insure already had a set of policies, some of which were not conforming to audit requirements. So, their first task was to rationalize and organize their policies internally.

The CISO (Chief Information Security Officer) took the responsibility of sharing key messages with the staff members through department managers. This made the process of checking and auditing very convenient. All the employees within the IT department were given training to understand and adapt to the ISMS policies in their work culture. Policy understanding exercises were conducted among all the departments of the organization that is dependent on ISMS. M-Insure had a mature approach to verifying its information security-related processes.

All their key processes such as recruitment, discharge, and asset management were following standard procedures but had minute discrepancies. The CISO made sure that those processes were marked as a priority to assign a task force on eliminating those problems and ensuring compliance. M-Insure as an organization was determined to improve its market position by raising the bar by deploying a consistent and robust Information Security Management System (ISMS), and so SOP (Standard Operating Procedure) formulation and formalization was a huge step in their implementation cycle.

ISMS Development:

CertPro uses a 9-step methodology for guiding and training clients for ISO standards which are followed under the concept of Plan-Do-Check-Act (PDCA) for establishing continuous improvement. In this case of M-Insure, all the steps were followed to continuously review and develop its information security practices and Information Security Management Systems (ISMS). The senior consulting team of CertPro with their abundant knowledge and experience guided and trained the employees of M-Insure through the coordination of the CISO to develop and implement ISMS.

This included setting up annual objectives, internal and external audit reviews, incident report reviews, approval policy reviews, and awareness programs.
ISMS was applied to HR, Sales, Finance, Administration, and IT department.
Since M-Insure works mainly on customer data, information security objectives were set up, and also advised to be monitored and reviewed at regular intervals to add any updates that may seem important over time.

To secure sensitive information of clients, third-party companies having access to M-Insure’s data are also required to be compliant with ISO 27001.
ISMS implementation ensured that any process falling outside the prescribed way had to undergo a formal risk assessment process and then only be allowed to be involved in the business operations of M-Insure at any stage.

Audit Phase:

An American Certification Body BQSR was suggested by CertPro. The certification body has very clear instructions for its clients. Based on the instructions, M-Insure had to undergo two levels of auditing, where they produced documents for verification in the Level 1 assessment, to determine their preparedness. And Level 2 assessment was to check the ISMS implementation and its successful compliance in all relevant processes and among all the employees.

VALUE DERIVED FROM CERTPRO

Mastering the Information Security Practices:

Already being aware of the importance of information security, M-Insure boosted its business functioning by adopting standard processes from ISO 27001. The employees have understood the importance of having a Clear Desk and Screen Policy. Physical access to sensitive areas has been tightened.

Methods of recruitment, training, and screening of candidates have been improved in the HR department. The overall functioning has been streamlined and secured with ISMS implementation. Access and user roles for information subsets and classes have been defined and restricted across the entire organization.

Building Information Security Culture:

The training given by CertPro to the concerned employees of M-insure has made them understand the benefits of implementing ISMS. M-Insure now has an information security culture where they emphasize data protection, IT security policies, incident reporting, and making sure that information flow across the organization has mandatory security monitoring and controls.

Proactive Threat Identification:

The ISMS architecture implemented for risk assessment has paved a path in the proactive analysis of cyber threats and any loopholes in the handling of information for M-Insure. Having such dedicated monitoring in place will increase the confidence of compliance teams in M-Insure to adequately address any upcoming threats. This will minimize the cost and time spent on such issues.

Assuring Clients & Market Advantage:

ISO 27001 certification has enabled M-Insure to have a substantial advantage in their field of business while interacting with prospective clients. Their clients can now depend on them without worrying about safeguarding their sensitive information. This will benefit the organization in growing its business and being recognized globally.