Maukaa Solutions’ Global Expansion Strategy: Achieving ISO 27001 & GDPR Compliance with CertPro’s Guidance
Maukaa Solutions is a start-up based in India that foresees potential business growth with its Customer Relationship Management software. The CEO of Maukaa believes that “The success of a start-up can be influenced by several factors. One of the main ways that can prevent business issues in the future is by implementing data protection and information security procedures at the outset of the business journey.” Having clients in India and South Asia, Maukaa wanted something more valuable that would enable them to be the trusted choice among competitors and expand their business to different parts of the world.
BUSINESS DRIVER FOR ISO 27001 & GDPR
Maukaa’s desire to implement best practices in its business with regard to ensuring the confidentiality, integrity, and availability of information and the supporting information assets was the primary motivation for pursuing ISO 27001 certification. As Maukaa works with data that originates from different parts of the world, it is therefore a necessary advantage to be compliant with the General Data Protection Regulation. Maukaa as an organization recognized the significance of implementing a continuous improvement plan and safeguarding both its clients’ data and its own reputation through an Information Security Management System (ISMS) and GDPR compliance. Obtaining ISMS and GDPR accreditation would be the most effective and practical way of demonstrating how seriously Maukaa takes information assurance, both internally and externally. The CEO of Maukaa took the initiative to implement the two-certification process for the organization and to ensure the availability of manpower with a dedicated timeline for it.
- Partnering with CertPro:
Maukaa was adamant about owning the development and implementation of the two frameworks, but they wanted to use the services of a consultant and training firm that had expertise in helping companies achieve ISO 27001 and GDPR certification.
The CEO of Maukaa came across CertPro’s website while searching the internet for the best ISO consultant in India. When he got in touch with CertPro, he decided to proceed further as he was impressed by the company’s client-centric and flexible approach, as well as CertPro’s willingness to make both certification processes fit the organization.
At the commencement of the certification program, CertPro’s expertise, knowledge and training skills were put to good use with a high-level presentation to Maukaa’s CEO, describing succinctly and effectively the major steps and resource implications of certifying for ISMS and GDPR. The high-level overview was followed by a five-week bespoke training package that introduced essential information security management and personal data protection concepts, detailing the critical areas for successful implementation.
Maukaa took on more responsibility as the project progressed and reached its final stages, but they always valued CertPro’s availability and willingness to offer counsel and direction. The consultants at CertPro were very helpful in preparing Maukaa for the Stage 1 and Stage 2 assessments and ensuring that all of the external assessor’s requirements were met.
The Chief Information Security Officer (CISO) role was taken up by the CEO himself, who acted as the Single Point of Contact (SPOC) and was responsible for implementing the requirements of the certification process by organizing all tasks and ensuring they were completed on time.
The CISO describes the certification process as follows: “Settling on the scope of implementing and being compliant with ISO 27001 & GDPR took a lot of discussions (facilitated by CertPro) and consideration, and there was an agreement that the scope should be tightly tied to our company objectives and ambitions.”
There was also no question that ISO 27001 along with GDPR compliance would be the best fit for the component of Maukaa’s business that focuses on providing key services to managed customers while also securing their data. Accordingly, CertPro was committed to ensuring that all Maukaa employees benefited from an understanding of the relevant policies, processes, and awareness training, which were implemented consistently across the organization.
- Risk Assessment:
While Maukaa had embraced risk-based techniques across its projects, no official information security risk or data privacy assessments had been done. The active participation of the management team in the risk assessment was a positive feature which, as the CISO notes, “ensured an iterative process was followed with much debate and discussion around risk appetite and what risk was acceptable. The end result was a risk treatment plan that was approved and helped prioritize different risk treatments which fall within the purview of ISO 27001 and GDPR.” Maukaa therefore considered the risk assessment process informative and effective with the help of CertPro’s consultants.
Despite the fact that certification was limited to the infotech departments, Maukaa was always determined to ensure that all employees benefited from the program and that any rules and practices were adopted consistently and comprehensively throughout the company in the coming days. Maukaa did not have any set of information security policies and practices prior to beginning its ISO 27001 certification and GDPR compliance program. This required Maukaa to establish an integrated management system to smooth the implementation of the two frameworks without any delays or confusion. Policies and practices were then amended on the advice of CertPro’s experienced consultant team as a result of the risk assessment process.
Maukaa maintains a close-knit, family-oriented work environment, and effective internal communication is one of its special capabilities. As a result, when it came to establishing the ISO 27001 & GDPR program and conveying the necessity of information security, Maukaa did so in its usual energetic, humorous, and inventive manner. They emphasized communicating good practices, such as the incident reporting process under the ISMS and GDPR.
- Commitment by CEO:
The CEO’s support and participation are critical to the effective implementation of ISO 27001 & GDPR. He gave full support after recognizing the importance of being compliant with standards that focus on producing acceptable solutions that are completely compatible with Maukaa’s business objectives.
VALUE DERIVED FROM CERTPRO
The certification’s scope was established with regard to infosec and data privacy law, which was always considered a company-wide issue that would benefit all employees. Following the company’s implementation of the ISMS and GDPR, with a series of internal presentations and awareness sessions, the interested parties of the organization became much more conscious of the need for information security, as well as the potential consequences if information, particularly customer data, were compromised.
- Improved Business Mechanism:
The CEO proposed to build an in-house dedicated incident reporting mechanism that was integrated into the corrective and preventive action process, based on the advice of the senior consultants at CertPro and following the continuous improvement ‘Plan-Do-Check-Act’ paradigm supported by ISO 27001 and GDPR. Maukaa has already witnessed the benefits of more infosec-related occurrences being reported, which has resulted in several strengthened information security controls, such as tightened physical access rules for guests.
- Happy Clients and Business Potential – Worldwide:
Maukaa has also formalized its supplier and customer review process, particularly for its important vendors. It has established a more methodical assessment of the client’s policies and processes, including tape backup methods and the use of suitable background checks on key supplier workers, while maintaining a close working relationship with its suppliers. Maukaa has also pushed vendors that are not certified to ISO 27001 to obtain certification or, at the very least, to comply with the Standard. Similarly, abiding by GDPR in its operations has provided an effective platform for Maukaa to compete in the global market with an added advantage over competitors. Being compliant with GDPR and the ISMS enables Maukaa to gain the trust of its clients and expand its business to different parts of the world today!