Aap3 achieve ISO 27001 certification
Aap3 have achieved their ISO 27001 certification, and if that doesn’t mean much to you, this is the article that will answer all of your questions.
If you’re not yet a security expert here’s a little refresher. The ISO 27001 is a standard of best practices for managing information security. This information security grouping of best practices has a risk-based approach and is technology-agnostic. It includes requirements on compliance documents, management responsibilities, internal audits, continual improvements, corrective and preventive action — all designed to best protect a company’s information assets.
Companies can elect to conform to the standard by meeting requirements, but can also go further and become ISO 27001-certified. In this case, an independent auditor is tasked with conducting an audit to assess whether a company meets the requirements.
We sat down with Aaron Featherstone our Technical Director and DPO at aap3, to find out what this certification means for us and our clients.
Can you tell us more about the audit — how is it carried out and who hands out the certification?
The audit is just the final step of a long process! It all started in 2018 when we decided to have our security practices meet the requirements of an existing standard. We chose ISO/CEI 27001 because it is so widely recognized.
First, we defined the objectives and scope of the project with top management; then we worked with all teams to implement policies, procedures and practices that would meet our security objectives.
Once all these elements were in place, we conducted an internal audit to make sure we were heading in the right direction and that we were ready to meet the certification requirements.
The internal audit went very well, so without further ado, we called on an external auditor to carry out the official certification. That’s when things got real.
What do you mean, things got real?
Well, first the auditor made sure our policies and procedures were in line with the requirements. This phase was more about documenting things. Then they visited our various offices to ensure the policies and procedures were being effectively implemented.
Finally, the auditor submitted their recommendation to a recognized certification body, which, based on the review that was carried out, gave us the official certificate.
Now that we are certified, can you speak about the main challenges of achieving certification?
There’s no denying it, achieving the ISO 27001 certification is a huge undertaking that involves everyone on the team and impacts all company practices.
It was particularly impactful because we wanted to meet all 133 security requirements in the southampton office. Thankfully, the entire team was wholeheartedly committed to this project, which meant we were able to undergo the transformation very quickly.
Another challenge of this type of project is the involvement of management. Getting certified is an expensive undertaking with high direct costs (mainly the cost of the audit and certification) and also major indirect costs (purchasing security solutions, recruitment, securing offices, shifting processes…) so it’s important to have the full support of top management.
The security of our clients’ data being one of our main priorities, this certification process was a no-brainer for management, which was committed and supportive every step of the way.
What does this mean for clients?
As you know, deployment models are evolving. For companies, the digital landscape has shifted from on-premise systems and applications to complex environments that rest on multiple third-party SaaS solutions and external cloud computing services.
Therefore, security risks are increasingly becoming transferred, and today it’s more important than ever for companies to trust that their vendors and services are safe.
With this certification, our clients can feel even more confident because it proves that aap3 has an information security management system in place that adheres to an internationally recognized standard and that it has been deemed effective by an in-depth independent audit.
Also, keep in mind that our client brands regularly audit their vendors and that this certification helps to facilitate this type of assessment.
Life after Certification
Now that aap3 has achieved the ISO 27001 certification, what are the next steps?
Indeed, achieving this certification is terrific news but we can’t stop there! The very essence of ISO 27001 is the continual improvement of systems, so getting certified is not the end of the road.
This is in fact part of the ISO 27001 certification framework, and the certification audit is followed by annual assessments to remain certified.