M-Insure is a tech organization that primarily focuses on digital health inclusion for India. They provide high-quality digital health solutions in easy steps to their clients and also protect them from numerous threats with health insurance. M-Insure delivers an all-round health care ecosystem with highly customizable services to their clients, backed by a strong and technically sound workforce. In terms of statistics, they are a strong and growing business spread across 25 states with 400+ E-clinics in India. Their digital business model has impacted over 70+ Lakh lives. Hence, it is essential for their business to be ISO 27001 certified.
Business Driver for ISO 27001
In this digital era, most IT companies are doing business across different countries and continents mainly by sharing information. The basic question that occurs is how safe is the information being handled by an organization.
The Information Security Management System (ISMS) should be standardized as it is a key business factor for using, storing, and transferring data.
Hence, the business driver for M-Insure behind achieving ISO 27001 certification was motivated by their management, and also demanded by their customers, to secure information. M-Insure was keen on improving its existing methods of operation and wanted to commit to continuous improvement of its practices in securing information.
So, they chose a proactive approach with a conscious decision to be certified under ISO 27001, since their information security processes were being audited constantly. The top management of M-Insure took the initiative for the entire process and appointed a Chief Information Security Officer (CISO) to monitor and work in coordination with the CertPro team throughout the auditing and ISO 27001:2013 certification process.
Key Phases of Implementation
1. Defining the Certification Scope
The effective process analysis and document checks from CertPro enabled M-Insure to adopt a clear-cut framework with the essential steps required to get ISO 27001 certification.
The initial task was to define the scope of M-Insure’s Information Security Management System (ISMS) to understand its impact on the various subsets of their organization. Based on the scope determined, it was decided to implement ISO 27001 for the whole organization to maximize their growth opportunities and business value through effective ways of storing, managing, and distributing data both internally and externally.
2. Assessment of Risks
Using the assistance from CertPro in adopting the risk management process, M-Insure conducted risk assessments for all their processes. While formulating the Information Security Management System (ISMS), M-Insure was able to update its existing risk approach and improve on it. Using CertPro’s risk assessment tool, M-Insure’s team gauged controls, consequences, and similarities. The results observed were used to generate a risk register and formulate a risk treatment plan, where the policy or procedure showing the highest risk is treated with utmost priority. It was decided that this plan would be reviewed every quarter to drive the remediation activities.
3. Policy Making and Process Development
The key step of ISO 27001 implementation is to prioritize and rationalize the organization’s policies related to information security. M-Insure already had a set of policies, some of which were not conforming to audit requirements. So, their first task was to rationalize and organize their policies internally.
The CISO (Chief Information Security Officer) took the responsibility of sharing key messages with the staff members through department managers. This made the process of checking and auditing very convenient. All the employees within the IT department were given training to understand and adapt to the ISMS policies in their work culture. Policy understanding exercises were conducted among all the departments of the organization that depend on the ISMS. M-Insure had a mature approach to verifying its information security-related processes.
All their key processes such as recruitment, discharge, and asset management were following standard procedures but had minor discrepancies. The CISO made sure that those processes were marked as a priority and assigned a task force to eliminate those problems and ensure compliance. M-Insure as an organization was determined to improve its market position by raising the bar with a consistent and robust Information Security Management System (ISMS), and so SOP (Standard Operating Procedure) formulation and formalization was a huge step in their implementation cycle.
4. ISMS Development
CertPro uses a 9-step methodology for guiding and training clients for ISO standards, which follows the Plan-Do-Check-Act (PDCA) concept for establishing continuous improvement. In the case of M-Insure, all the steps were followed to continuously review and develop its information security practices and Information Security Management System (ISMS). The senior consulting team of CertPro, with their abundant knowledge and experience, guided and trained the employees of M-Insure through the coordination of the CISO to develop and implement the ISMS.
This included setting up annual objectives, internal and external audit reviews, incident report reviews, approval policy reviews, and awareness programs.
The ISMS was applied to the HR, Sales, Finance, Administration, and IT departments.
Since M-Insure works mainly with customer data, information security objectives were set up, and it was also advised that they be monitored and reviewed at regular intervals to add any updates that may become important over time.
To secure sensitive information of clients, third-party companies having access to M-Insure’s data are also required to be compliant with ISO 27001.
ISMS implementation ensured that any process falling outside the prescribed way had to undergo a formal risk assessment process and only then be allowed into the business operations of M-Insure at any stage.
5. Audit Phase
An American Certification Body, BQSR, was suggested by CertPro. The certification body has very clear instructions for its clients. Based on the instructions, M-Insure had to undergo two levels of auditing: in the Level 1 assessment they produced documents for verification to determine their preparedness, and the Level 2 assessment checked the ISMS implementation and its successful compliance in all relevant processes and among all the employees.
Value Derived from CertPro
1. Mastering the Information Security Practices
Already being aware of the importance of information security, M-Insure boosted its business functioning by adopting standard processes from ISO 27001. The employees have understood the importance of having a Clear Desk and Screen Policy. Physical access to sensitive areas has been tightened.
Methods of recruitment, training, and screening of candidates have been improved in the HR department. The overall functioning has been streamlined and secured with ISMS implementation. Access and user roles for information subsets and classes have been defined and restricted across the entire organization.
2. Building Information Security Culture
The training given by CertPro to the concerned employees of M-Insure has made them understand the benefits of implementing an ISMS. M-Insure now has an information security culture where they emphasize data protection, IT security policies, incident reporting, and making sure that information flow across the organization has mandatory security monitoring and controls.
3. Proactive Threat Identification
The ISMS architecture implemented for risk assessment has paved a path for the proactive analysis of cyber threats and any loopholes in the handling of information at M-Insure. Having such dedicated monitoring in place will increase the confidence of compliance teams in M-Insure to adequately address any upcoming threats. This will minimize the cost and time spent on such issues.
4. Assuring Clients & Market Advantage
ISO 27001 certification has enabled M-Insure to have a substantial advantage in their field of business while interacting with prospective clients. Their clients can now depend on them without worrying about safeguarding their sensitive information. This will benefit the organization in growing its business and being recognized globally.
“The vastly experienced team of consultants and auditors at CertPro were able to provide advice and excellent guidance that was invaluable to us in achieving ISO 27001 certification. I was most impressed by CertPro’s working method and their flexibility in understanding our organization and their ability to provide their service within the stated timeline.”
– Chief Information Security Officer, M-Insure