“There are many consultancies providing similar services out there,” says Phil, “but our consultants have a different skill set and ethos. They not only have advanced technical knowledge, they also have the business and management skills to ensure their recommendations are practicable and sustainable for our clients.”
As Phil puts it: “This means that our work strengthens business resilience for our clients not just from a technical standpoint, but from a financial perspective too.”
Not only is Prism Infosec certified to the UK Government’s Cyber Essentials Plus scheme but also a certifying body, so they can offer certification services to their clients too. This scheme independently verifies that their workstations and internet connectivity are set up securely to the standard defined by the National Cyber Security Centre.
“We fully buy into the concept of third party assessments which help build a much more robust business. So, we set ourselves the challenge of gaining ISO 27001 Information Security Management Systems certification,” says Phil."
“This is obviously more challenging than Cyber Essentials, so we decided to bring in outside expertise to provide an independent view of our own security and assist with the development and implementation of the management system, without affecting the high standard of quality we provide to our own clients.”
They turned to Charmwood Risk Management, a member of the Alcumus ISOQAR Independent Associate Network (IAN) of ISO consultants.
Founder and MD Anthony Matthews says: “We talked through the motivation with Prism Infosec to go on this journey and Phil was quite clear that implementing ISO 27001 would bring discipline to the systems they use to protect their clients’ data, and getting certified would demonstrate that they can be trusted to practise what they preach.”
Talking of his role in supporting Phil and his team, Anthony says: “Obviously they already have a lot of technical knowledge in-house as they’re leaders in the field. But ISO 27001 is as much about how you approach information security from a management perspective, how you develop the policies and procedures and embed the audit approach into your culture.”
It was a combination of this foresight and also good fortune that Prism Infosec implemented ISO 27001 and were certified just a matter of weeks before the Covid-19 lockdown. We asked Phil a few questions about this.
WHAT HAVE THE PRACTICAL BENEFITS BEEN?
It’s meant we’ve been fully prepared in our IT management and business continuity planning. It definitely helped in building our resilience to the pandemic.
As part of the process, we developed a robust set of internal information security policies. Our overall management of IT and documentation has improved.
We’ve also taken further steps to ensure we have a more mature and robust information security management system within the organisation.
WHAT ARE YOU DOING DIFFERENTLY/BETTER NOW THAT YOU HAVE ISO 27001?
Through implementing ISO 27001, we have overall developed a more formal approach to IT systems management.
We’ve also centralised IT security management given the unique architecture and structure of the organisation.
But I can’t give too much away here given the nature of our business!
HOW HAS IT HELPED HOMEWORKING?
The management system instils discipline and rigour in how you plan things. So, it ensured that we had fully thought through all the risks associated with a potential disruption to standard working as business as usual and that we’d improved our disaster recovery planning.
WHAT WERE THE MAIN CHALLENGES?
Given the size of our organisation, ensuring all of the plan was implemented in time for our audit!
HOW DO YOU THINK ISO 27001 HELPS BUILD BUSINESS RESILIENCE / CONTINUITY?
The planning process for ISO 27001 ensures that business resilience and continuity is a primary consideration for the organisation, and that has proven invaluable. You also need a roadmap in place to review arrangements and to ensure that planning and testing is in line with international best practice. It gives confidence to all stakeholders including staff and clients.