VoxSmart Achieves Accredited Certification ISO 27001
Utilising internal expertise, agile project management and employee awareness training are just some of the ways VoxSmart CTO Oliver Rooney led the business to ISO 27001 certification. Read on as he explains how certification was achieved and why ISO 27001 matters to our business and our customers.
by Oliver Rooney
on 31st October 2018
When I joined VoxSmart as CISO nearly 18 months ago, my top priority was to formalise the management of information security. We already had a number of strong controls in place that met or exceeded industry standards, but they operated without the oversight and governance from top management that is needed to keep controls aligned with the business’s strategy and risk appetite.
I am very pleased to announce today that we have achieved accredited certification to ISO 27001 following a process of assessment by Lloyd’s Register Quality Assurance that started late last year.
ISO/IEC 27001:2013 is the international standard for operating an Information Security Management System (ISMS) and is recognised globally as best practice. It requires organisations to put in place the management processes needed to define, operate, monitor and continually improve their information security controls. Our certification is independent confirmation that VoxSmart meets the requirements of the standard, issued by an accredited certification body that you can trust. The certificate lasts for three years, and we will be assessed for continued compliance every six months.
The certification of our ISMS is an important milestone because it means that VoxSmart has the attention of senior management on information security: our ISMS is led by a Security Steering Committee made up of the CEO, COO and CTO. We meet quarterly to review risk assessments, changes to the regulatory landscape and new customer requirements, and to prioritise the actions needed to keep meeting our security objectives.
Our ISMS is built on the globally recognised best-practice controls from ISO 27001 and ISO 27017, giving us a powerful and effective framework for implementing the necessary protections for our customers’ data, and our own. More important than the controls themselves is the commitment to continual improvement and the toolbox of processes the standard supplies to help us achieve it. That cycle of setting objectives, planning concrete actions and allocating resources, checking progress and verifying that activities are complete, and then responding to emergent conditions and changes is so powerful that we have adopted it as a standard management approach in other areas of the business.
Building and certifying our ISMS has been a year-long project that has brought benefits to every area of the business, from HR on-boarding processes for new hires through to the most technical aspects of the Software Development Lifecycle. Many of these improvements are not what people would normally expect to fall within the remit of information security: they range from basics like record keeping to bigger-picture items like Business Continuity Management. One of the most rewarding parts of the process has been the growing awareness of the importance and benefits of Information Security Management for both the business and the personal lives of everyone at VoxSmart. Lessons such as not reusing passwords and the benefits of multi-factor authentication are ones that people apply to their own social media and online banking accounts, and pass on to their families.
While the focus of ISO 27001 is rightly on the management system, since the standard has to apply to large and small organisations with varying risk appetites and threat landscapes, we have also worked on numerous controls during the project to reduce risk. We made the most of the agility that small teams allow to improve many areas, including new network- and host-based intrusion detection, upgrades to our web application firewalls, new centralised cloud-based endpoint controls, endpoint- and network-based data-loss prevention systems, weekly internal vulnerability scanning, and a FIPS 140-2 Level 3 HSM for TLS private key storage, to name a few.
Clearly a project of this size could not have been completed without a talented and experienced team, and I am very grateful for the effort everyone has put in. We are also in a strong position, with information security experience across our technical teams spanning years of work in PCI-compliant environments, SaaS providers, cloud security architecture, security management and vulnerability management.