In February 2020, Ballard Chalmers achieved certification for ISO 27001:2013. This blog gives some insight into what this means for the company and what was involved in achieving it.
What is ISO 27001:2013?
ISO 27001:2013 is the ISO standard for Information Security. It covers establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) for an organisation, together with the assessment and treatment of information security risks.
ISO 27001 is the gold standard for Information Security and is recognised worldwide. This has become increasingly evident: whenever Ballard Chalmers starts to do business with a new client, there is frequently an Information Security Questionnaire to complete, and usually one of the first questions on the list is “Are you certified for ISO 27001?”. This is then followed by a whole range of security questions, almost all of which are derived from ISO 27001 to some degree. So ISO 27001 is increasingly an important part of doing business, quite apart from its role in ensuring that the organisation is secure.
Beyond that, security is extremely important for Ballard Chalmers because we are a software development company: we design, implement, support and manage software systems for our clients. Almost all of these systems are deployed to the cloud, and ensuring that they are secure is essential. It is no less important for the systems we develop for deployment on-premises in private data centres.
As well as the systems development, ISO 27001 covers Ballard Chalmers as a whole, including its IT infrastructure and business processes.
What did adopting ISO 27001 mean for Ballard Chalmers?
As Ballard Chalmers’ CTO, I felt that our security was already in good shape, and to some extent it was.
We already had the following security measures in place:
- Strong password enforcement and multi-factor authentication for access to Azure and Office 365.
- Permissions on all resources in Azure set so that development teams only have access to the resources for the projects they are working on.
- All documents stored in permissioned repositories in SharePoint and OneDrive in Office 365; source code managed through Git and TFS repositories in Azure DevOps or other cloud systems, such as CRM.
- All sensitive connectivity data (connection strings, credentials and the like) stored in permissioned Key Vaults.
- IP-address-restricted access to all development and test servers in the cloud.
- Synchronisation between our on-premises Active Directory domain controllers and those in the Azure cloud.
- Backups of critical data in the cloud, stored on a server and USB drives in the office and at off-site locations.
- A written Information Security policy, together with a number of secondary policies such as a BYOD (Bring Your Own Device) policy.
- Existing GDPR policies that classified, and managed access to, all data repositories containing personal data.
- No client data stored in the office on servers or laptops, other than for transient use.
- Software development processes following the Security by Design principles defined by the OWASP standards.
How did the ISO certification process affect the way we do things?
- The ISO certification process starts with an audit that looks at current security, security objectives, monitoring and management.
- Some key management documents are created for managing security, including:
  - Asset Register: Detailing everything from data repositories in the cloud to operational systems, USB drives, mobile phones, laptops, servers, the office and people, with details of how each is secured and managed and the associated risks and actions.
  - Security Objectives: Detailing the organisation’s security objectives and how they are monitored.
  - Approved Software Register, with audits against it.
  - Change Control Logs: For everything that can affect security.
- New policies and procedures were created or enhanced, including:
  - Policies for password management, teleworking, anti-virus, patching, email and acceptable usage, social networking, information classification, remote access and mobile computing, security incident reporting, etc.
  - Procedures for periodic audits of security compliance, covering teleworking, screen locks, anti-virus checks, etc.
- Staff training:
  - Regular staff awareness training and briefings.
- Audits and associated logs:
  - To regularly check that policies such as teleworking and anti-virus are being complied with.
- There were some physical changes to the office, including:
  - Improved keypads for entry to the office.
  - Encrypting the hard drives of all laptops and servers in the office.
  - Replacing the on-premises backups and USB drives with cloud backups in a different geo-location from the source data.
  - Replacing all local USB drives with biometrically encrypted USB drives.
Interestingly, the process has not made any major changes to the way we manage client data and software development in the cloud.
It has, however, made a number of improvements to the way we manage data in the office. In practice this has meant moving data out of the office into secure cloud data centres, or encrypting what remains, which also protects against data loss if the office is compromised by fire, flood or theft.
The biggest change is in the way we view and manage all aspects of security in our organisation by continually:
- Auditing and logging the procedures and policies to make sure they are being followed.
- Defining, managing and monitoring security objectives.
- Evaluating risk and making improvements where needed.
After all, ISO 27001 is a framework for establishing and continually improving an Information Security Management System (ISMS) that applies a risk management process covering people, processes and IT systems.
By Geoff Ballard, Chief Technical Officer at Ballard Chalmers
About the author
Geoff Ballard is Co-Founder of Ballard Chalmers and the company’s CTO, directing technical strategy, overseeing technical consultants, managing larger development projects and ensuring technical delivery quality standards. Geoff has been a SQL Server consultant since the very first beta release by Microsoft, and is a trainer and author in Microsoft technology, including courses delivered throughout the world.