With more and more business done digitally, digital security is on the front burner for every business. High-profile cybercrime costs large companies millions or even billions of Euros, while smaller companies often never recover.
But businesses usually outsource their digital transformation, especially when the business isn’t IT-focused or large enough to outfit a full-time IT squad.
Whether they know it or not (and they should all know it), they are placing enormous trust in these third-party companies. If the provider does not pay attention to data security, it is the client company that bears the risk of losses, and even closure, in the event of a data breach.
One of the best ways third-party IT companies can earn the trust of their prospective clients is to become ISO-certified. We are talking with key stakeholders at Bright to get their candid take on their experiences with ISO 27001 certification.
In 2017, Bright IT joined the ranks of ISO 27001-certified agencies in Austria. “It makes us much more trustworthy in customers' eyes,” Dr. Tomasz Strumiński, our Head of Development, emphasizes.
The certification in question pertains to ISO/IEC 27001, an international standard for information security management published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
According to Bright’s CEO, Klaus Unterkircher, the importance of ISO 27001 certification is that “unproven promise becomes an objective assurance for customers and partners.”
Meeting the standard requires the creation, implementation, and maintenance of an information security management system (ISMS) that helps businesses and organizations secure their valuable information assets and digital activity.
“In IT, when we talk about information security, we usually mean, at least, confidentiality, integrity, and availability. Think for a second about any of your online activities,” Tomasz Strumiński explains further. “Wouldn't you expect all the mentioned aspects of information security to be in place? When you realize that, you realize that information security is an inherent element of anything we launch over the Internet.”
ISO 27001 certification usually starts with a gap assessment of the organization's current controls, followed by integrating those controls, plus any additional ones required, into an ISMS. The ISMS is then audited by an accredited certification body; ISO and IEC publish the standard but do not themselves certify organizations.
Despite being an IT firm, Bright chose to hire a third-party consultancy, experts in the field of ISO certification, to perform the audit and make recommendations in advance of their ISO 27001 certification review. Conceived in 2016 and completed in 2017, Bright’s ISO certification process spanned several months.
“We did have a series of training sessions, we did also have hands-on experience in applying the ISMS implementation ourselves,” Tomasz Strumiński remembers. “Additionally, throughout the whole process, we have used help from specialized consulting partners.”
Getting the team of 25 to buy into the change presented some challenges. “I wouldn't expect our ISO training to be the most favorite exercise for anyone in our team,” Klaus Unterkircher admits, “but overall most people probably get why we do this and see the benefits.”
“Initially we saw some backlash when we announced the certification process,” he continues, “but we addressed it by making it as transparent as possible.”
Another aspect mentioned by Klaus Unterkircher is that “on client-side, it makes it so much easier to trust for processing sensitive information.”
Their certification came well ahead of time. In May 2018 the European Union's General Data Protection Regulation (GDPR), adopted in 2016 and known by its German name Datenschutz-Grundverordnung (DSGVO), became applicable.
“One of the requirements of ISO is that you need to be in line with all legal regulations,” Tomasz Strumiński highlights.
The regulation imposed new data protection obligations on companies like Bright. ISO 27001 certification is not in itself proof of GDPR compliance, but the standard requires an organization to identify the legal and contractual requirements that apply to it and to address them in the ISMS, so the certification process had already led Bright to inventory the personal data it handles, assess the associated risks and document its controls. When the new rules arrived, Bright found that most of the work was already done.
“We were already certified when the GDPR popped up as a possible issue,” Klaus Unterkircher notes. “We quickly learned that the ISO certification made us fully ready for the GDPR and you can imagine how happy we were about having taken the investment earlier.”
“Thanks to that, we have thoroughly audited our approach to personal data — no matter if it is our employees, our clients or our client's clients,” Tomasz Strumiński adds.
The effort also proved to be a timely investment in brand trust once the new EU rules shone a light on the issue. “GDPR, in particular, has increased awareness and end-users are more sensitive to data privacy and protection ever since it was introduced,” Klaus Unterkircher explains.
Bright endured minor disruptions in their normal course of doing business, including challenges to adapt their corporate culture to the new regime.
“We try to keep things informal where we can,” Klaus Unterkircher says, “so adopting new rules and processes has to be done in a way that does benefit our organization but not destroy its spirit.”
Additionally, taking on the challenge of ISO certification changed the way Bright interacted with clients.
Anna Machalska, ISO Representative at Bright makes clear that “ISO requires that information security rules are respected by both us and our customers. So sometimes we need to not only control ourselves but also check if our customers are compliant with ISO and GDPR and ask them to pay more attention to that.”
“It did add some work, but once it's done regularly it's not such a big effort,” Anna Machalska assures.
And the rewards have been worth it. Bright started the internal conversation about ISO certification when they began to pursue clients that required that extra level of competence with data security.
“In theory, it should matter equally to all clients,” Klaus Unterkircher says. In practice, larger companies, B2C companies, and government-regulated industries tend to care the most about working with ISO-certified vendors like Bright.
Adopting new rules and processes always carries with it the risk that it will bog down the creative process—especially if, like Bright IT, the firm depends on agile, the popular methodology of rapid, iterative development and deployment.
For Bright, those concerns proved to be unfounded. The newly-adopted ISMS presented no impediment to their agile process.
“Smart people like to be well organised in areas that are not within their 'creative zone,'” Klaus Unterkircher confirms. “Good processes can help focus on what really matters.”
“It's like having good manners,” he continues. “It never goes out of fashion and you can still be cool.”
The ISMS also proved to be an invaluable training tool. Bright had reached the stage in its growth where it required a streamlined process for onboarding new hires. A clearly documented ISMS made it straightforward to train new hires in the data security practices they would need to follow for Bright to remain ISO-compliant, and to be good stewards of client data.
Another area in which the ISO certification process has helped Bright is risk management. Their ISMS introduced a risk assessment and treatment methodology, including a risk monitoring tool, the creation of a Risk Team that meets regularly, and the delegation of specific responsibilities to named Risk Owners.
The ISMS also establishes a clear workflow for the repetitive, unglamorous tasks that are nonetheless essential to data security.
So based on their experience, what tips does Bright have to offer organizations considering ISO certification?
“Do it with the right intentions and do it properly. Otherwise leave it,” Klaus Unterkircher suggests. “And make sure you focus on solving problems and not on creating a formal process monster for your team. Pick the right people to assist with the certification.”
“Don't rush with the implementation,” Tomasz Strumiński adds. “Try to come up with the process that suits your company best.”
Ultimately, though, for the business upsides and the peace of mind, Bright IT is glad they obtained ISO certification.
“We have always put quality and trust on the top of our priorities in how we work and deliver,” Klaus Unterkircher summarises.