Managed security and compliance (ISO 27001, etc.)

1. Implementation of the ISO 27001 standard for a Norwegian company

We were approached by a Norwegian company that develops extensions for Microsoft Office products and services, requesting help to comply with the international security standard ISO 27001. The company's customers were concerned about security: how safe it is to store personal data in the extensions, what data is stored, etc. To meet the growing customer demand for the security of their solutions, the company decided to implement the ISO 27001 security standard. While selecting a supplier, they approached several companies that implement this standard and, after thorough negotiations, chose our company on the basis of the price-quality ratio. We gave an informative presentation and held several calls, during which we explained our competitive advantages and our comprehensive, systematic approach.

We conducted a gap analysis at the client's head office (Oslo, Norway), during which all the controls of the ISO 27001 standard were checked and gaps were identified. These gaps existed because the company is small and many processes, in IT and other domains (operational processes, physical security, etc.), did not reach the ISO 27001 level.

Next, we developed an implementation plan and began implementing the standard. During the implementation phase, we developed several dozen information security policies and processes. For instance, we adjusted the hiring and termination process; as a result, the IT department now promptly learns about the hiring and firing of employees, which allows them to create and delete accounts with the minimum necessary privileges. New employees now receive basic training in information security and more specialized training as they settle into their roles. Information security requirements have also been introduced into projects: when developing projects, information security issues are taken into account, a risk analysis is carried out, and all other requirements of the ISO 27001 security standard are met.

In other companies, analyzing interactions with third parties is usually a separate, large job. Here, this work was minimized, since only Microsoft products and online services are used for all purposes, and Microsoft holds a full set of security certifications, including ISO 27001, VDA ISA, SOC 2, etc. The new documents were approved smoothly, without unnecessary formalities or bureaucracy. Then the employees received training, and the policies began to work.

After the implementation process was completed, we proceeded to select an independent certification auditor. Here we ran into difficulties caused by the very slow response of the auditors. Perhaps this was due to quarantine or seasonal peaks. We waited several months for a response from one of the auditors and did not get a response from the second one at all. Therefore, we found a third audit company, a representative office of a German certification body accredited by DAkkS. As a result, the client successfully passed an independent audit and received an official ISO 27001 certificate.
2. Implementation of ISO 27001 and ENX TISAX® in a company that develops automotive systems

We were contacted by a representative of the German automotive industry. They urgently needed certification of their compliance with ISO 27001 and the ENX Trusted Information Security Assessment Exchange (ENX TISAX®). High competition in the automotive systems market (security, piloting, navigation, entertainment systems, etc.) forces leading car manufacturers and their contractors (Volkswagen-Audi Group, Porsche, Daimler AG, BMW, Bosch, etc.) to rush new products to market while maintaining the same high levels of quality, safety and security. This is why our client was highly motivated.

Prior to this, the client had tried to fill in the ENX TISAX® compliance forms themselves, but a lack of the necessary competencies prevented them from even starting the implementation process properly.

ENX TISAX® compliance, although based on ISO 27001, has its own specifics. For example, unlike an ISO 27001 audit, which can take several days, an ENX TISAX® auditor spends only one day at the customer's office, but it then takes about 3 months to collect the evidence for each security process. The ENX TISAX® audit reporting process implies a high degree of automation using modern GRC (Governance, Risk management, and Compliance) systems.

During the first 3 months after signing the contract with our client, we thoroughly studied their business processes and developed about 50 documents necessary for compliance with ISO 27001 and ENX TISAX®. During the implementation and audit reporting, we used Redmine and Goriscon systems.

It took 6 months of intense collaboration between our consultants and our client's employees from the start of the project until the day they received the ENX TISAX® compliance label. We conducted several training sessions, performed a series of server and application security assessments, strengthened network security and system life cycle security, and implemented risk management, security key performance indicators (KPIs), and change and incident management processes, among others.

Implemented processes, operations, and security systems must be maintained constantly so as not to lose effectiveness. Therefore our client ordered the ‘Remote Information Security Manager’ service from us. We have continued to conduct regular training sessions with our client, monitor information security events, respond to security incidents, perform quarterly vulnerability scans, audit software source code, report to our customer's auditors and clients, etc. In other words, we fully perform the functions of an information security manager.

Improved security was not the only thing our customer got out of this project. During the asset management and technical vulnerability assessment, we discovered ineffective use of systems, such as redundant access, configuration errors that reduce network performance, etc. As a side effect of the project, the customer optimized some of their IT operations.

Achieving the official compliance status with ISO 27001 and ENX TISAX® allowed our client to get new, long-term contracts from one of the giants of the German automotive industry.

Learn more about VDA ISA and ENX TISAX®.

3. Implementation of ISO 27001 in a medical software company

A small software company was required by their customers to be certified according to the ISO 27001 standard. Moreover, the certification body had to hold the highest international accreditation level, which is UKAS.

Previously, the company had taken only superficial measures and performed only occasional work related to information security, and only in the field of server and workstation protection. We immediately began working on the scope analysis and outlining the work plan for the initial audit and gap analysis. We performed this work for the client for free. After that, the company saw that we were competent in such challenges and could build realistic plans. Therefore, they signed a contract with us for an audit, gap analysis, and development of an implementation plan. We completed this work in 3 weeks. The customer was once again convinced that our experience and speed exceeded their expectations.

After that, the customer signed an agreement with us for the implementation of ISO 27001. Six months later, we developed all the controls required by the standard, described them in 18 policies and procedures, implemented several security management registers, and conducted staff training. We paid particular attention to the secure software development life cycle.

Then the question of choosing an independent auditor arose. We recommended one of the largest German auditing firms to our client. We also contacted this auditor, held a discussion with them and prepared them for the certification of our client in advance. The client and the auditors signed an agreement for audit and certification.

During the audit, we defended our client and the information security management system that we had built. The auditors made minor comments, as they usually do. We took these comments into account, made corrections, and 2 weeks later our client received an official certificate of ISO 27001 compliance.

To support the implemented system and renew the certificate annually, the company subscribed to our ‘Virtual CISO’ service.

Our client was pleased with our competency in security process management, so they were also interested in whether we could provide IT security services. The company ordered the following services from us: application security, source code security analysis, and penetration testing of their software products.

The company obtained the certificate stating that they were compliant with ISO 27001 and that they had successfully passed the security assessment. They published the certificate on their website and used it in marketing materials. The company advertised its new status and gained significant competitive advantages, which increased the number of orders and sales.

Learn more about ISO 27001.