ISO 27001 Certification and Cybersecurity, for Good

20.11.2025

Recently, walterwakefield achieved ISO 27001 certification, and the truth is, we are incredibly proud of it – we want to shout it from the rooftops and tell everyone. Instead of making this a post bragging about our achievements, we would like to share some pragmatic, actionable insights on cybersecurity certification, data privacy, and ISMS best practices.

That way, we’re living up to our other certification, B Corp, which means we’re a force for good. By sharing some of the hard work we’ve put into our ISO certification and cybersecurity processes with the community, we’re making a positive impact.

If you’re not already taking some of these steps, you will be considerably more secure if you start now. Please note that although our cybersecurity posture and practices are in good shape, we are not professional cybersecurity consultants. At the end of this article, we name two companies that are, and that can help in this space.

1. Cybersecurity policies to practice

I know, it’s boring, but everything starts here. First, you write the cybersecurity policies and data privacy guidelines, then you implement and measure them. We’re all about action, but you can’t act unless there are clear guidelines. Audit your existing policies related to cybersecurity, data retention and privacy, and make sure each one has a named owner and a review date.

2. Set up an Information Security Management System (ISMS)

The Information Security Management System (ISMS) serves as the central repository for items such as the risk register, cybersecurity policies, security controls, and roles and responsibilities, bringing them all into one system.

First, choose the platform for your ISMS. You probably already have something suitable in place, and you don’t need a purpose-built ISMS platform. Essentially, it needs to host a repository of documents and checklists and to assign ownership and responsibilities, which is itself an important feature. In our case, the choice was between SharePoint and Confluence. For us, the core of the ISMS consists of the following:

a) Risk register in cybersecurity

This risk register in cybersecurity is a central log of all identified risks to your organisation’s information security and data privacy.

For each risk, document a clear and concise description, the risk owner, the likelihood of the risk occurring, the potential impact if it does occur, the controls in place to mitigate it, and the owner’s decision on how any remaining (residual) risk is treated or accepted. By regularly reviewing and updating your risk register, you ensure that you proactively address potential threats rather than reacting to incidents after they occur.

b) Security controls for data privacy

These security controls for data privacy and cybersecurity are the specific measures, both technical and non-technical, that your organisation implements to protect its information assets.

Examples include firewalls, access controls, data encryption, regular security awareness training for employees, and physical security measures such as locks, cameras, and alarm codes. Your security controls should directly address the risks identified in your risk register, demonstrating how you are actively mitigating threats to your data and systems.

c) Roles and responsibilities in cybersecurity 

Clearly defining roles and responsibilities in cybersecurity is crucial for a smooth and effective security program, especially when aiming for ISO 27001 certification.

Everyone in the organisation has a part to play, from the designated Chief Information Security Officer (CISO; I know, this may sound like overkill in smaller businesses, but… just select one) who oversees the entire program, to every employee who is responsible for following security protocols such as using strong passwords and reporting suspicious emails. This ensures accountability, and dividing up the work is especially important for smaller teams.

3. Data privacy and cybersecurity software

Make the big software you already use do the heavy lifting of your data privacy and cybersecurity certification journey.

For example, you may have users on Exchange-only Microsoft plans who need to move to Microsoft 365 Business Premium, which bundles the device management (Intune), endpoint protection (Defender for Business) and conditional access (Entra ID P1) features that many ISO 27001 controls rely on; Microsoft may require this uplift at the organisational level. The Google Workspace Business tiers give a comparable uplift. Making full use of the software you already pay for every day is a small investment compared to the cost of a cyber incident.

4. Password management, MFA and SSO in cybersecurity

Take control of sign-in. A few quick but big steps in password management, MFA and SSO for cybersecurity:

a) 1Password

A massive win with a relatively small price to pay is getting 1Password for the team. This software allows you to share passwords securely, both within your organisation and with people outside it. You set up vaults based on user types (for example, Developer Vault, Designer Vault, Client X Vault, Family Vault, and so on). It also audits the strength of your existing passwords, flags reused and breached ones, and highlights sites where MFA is available but not yet enabled.

b) MFA

Speaking of which, MFA remains one of the most straightforward ways of keeping yourself secure. Make it a policy, and switch it on for every product, app and website where a password is required. The most remarkable thing I found is how 1Password interacts with MFA and can act as an authenticator app. One caveat worth knowing: if the one-time codes live in the same vault as the passwords, whoever compromises that vault gets both factors at once, so protect the vault itself with a strong, unique master password and a hardware key, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) for your most sensitive accounts, such as administrator access to your identity provider.

c) SSO

Use your aforementioned “big software” (for example, Microsoft, Apple ID, Google) as an SSO source. That way, enforcing MFA and removing a leaver’s access happens once, at the identity provider, rather than separately in every application.

Once you get these basics in place, there are some more involved and possibly more costly actions you should consider:

5. Engage ISO 27001 consultants and professionals

For us, there are two professional outfits that have become essential (well, we sleep much better at night knowing we have them around):

  • Our IT MSP – Origin 84 – This MSP specialises in people who work on Macs, so it is probably better suited to creative and digital agency types like us. Where ISO makes recommendations, Origin 84 actually help us implement some of the controls. We find their response times to be fast and their service to be of high quality.
  • An ISO specialist consultant – ISO365 – They are consultants who helped us implement our ISMS and put it into practice. We have regular meetings where they keep us honest and accountable on specific action items. We’re all very busy, so we need this level of rigour.

6. Get ISO 27001 certification

ISO 27001 certification isn’t just a badge of honour or a marketing tool (although that can be a rewarding benefit) — it validates your cybersecurity best practices and commitment to continuous improvement.

Certification means you have identified cybersecurity as valuable and essential, and you will now invest in and prioritise it. Our favourite part of the certification is the requirement for “continual improvement”, which means you cannot rest on your laurels. Not only does the above process need to be rinsed and repeated, but it also needs to be checked frequently for relevance and validity. This is especially true for fast-moving areas such as IT, data and cybersecurity. The processes are in place, and keeping up the momentum has become easier now that we have dedicated resources, roles and responsibilities behind these efforts. The regular independent audits (annual surveillance audits, with full recertification every three years) ensure our efforts are validated rather than self-assessed.

Because ISO 27001 certification is an ongoing process, we will be posting about it regularly and sharing some of our experiences with ISMS implementation, risk registers, and cybersecurity best practices. We hope you find this helpful.
