Why and How Innoraft became an ISO 27001 certified organization
In simple terms, ISO 27001 is the most widely recognised international standard for information security management. The standard itself is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); ISO does not issue certificates. Certification is granted by an accredited certification body after it audits the organization against the standard.
The main purpose of ISO 27001 is to help organizations of any size and in any industry protect their information systematically and cost-effectively by implementing an Information Security Management System (ISMS).
The major objectives of ISO 27001 are to safeguard three aspects of information:
- Confidentiality: Only authorized persons can access the information.
- Integrity: The information stays accurate and complete, and only authorized persons can change it, through authorized means.
- Availability: The information is accessible to authorized persons whenever it is needed.
Why did Innoraft pursue ISO 27001 certification?
We at Innoraft recognised that protecting our most valuable internal data and information is an absolute necessity. We also found that holding an ISO 27001 certification gives our customers and partners independent assurance that the sensitive data and information they share with us are protected.
Apart from the above-stated reasons we understood that being certified will help us in the following ways:
Legal Compliance – The number of laws, regulations, and contractual requirements related to information security keeps increasing. Implementing ISO 27001 gives us a structured methodology for meeting most of those obligations.
Competitive Advantage – We assessed that implementing the security controls required for ISO 27001 certification gives us an advantage over competitors who are not yet certified, in the eyes of customers who care about keeping their information safe.
Cost Saving – A prime objective of ISO 27001 is to prevent security incidents, and every incident, large or small, involves monetary loss. By preventing incidents, Innoraft expects to save considerably more over time than the investment required to obtain the certification.
Better Process – As a fast-growing organization, we rarely have time to stop and define our processes and procedures for each employee; as a consequence, employees often do not know what needs to be done, when, and by whom. Implementing ISO 27001 helps resolve this, because it requires a company to write down its main processes (even those that are not security-related), which reduces the time employees lose to uncertainty.
How did we manage to put the ISO 27001 feather on our crown?
To get certified, we took the following steps:
- Appointed an ISO 27001 consultant
It was important for us to get help from a knowledgeable consultant with proven experience in implementing an information security management system (ISMS) and a good understanding of the requirements for achieving ISO 27001 certification.
- Established a Management Framework
Under the management framework, we listed all the processes we need to follow to meet the ISO 27001 implementation objectives. These include assigning accountability for the ISMS, a schedule of activities, and regular internal auditing to support a cycle of continuous improvement.
- Conduct a Risk Assessment
ISO 27001 requires the risk assessment to be a formal, repeatable process: it must be planned, and the input data, analysis, and results must be recorded. Before conducting the risk assessment, we established the baseline security criteria, including the criteria for accepting risk.
- Risk Mitigation
Once the relevant risks were identified, the task was to decide for each risk whether to treat, tolerate, terminate, or transfer it. We documented every risk-response decision, because the auditor reviews these records during the certification audit. The Statement of Applicability (SoA) and the risk treatment plan (RTP) are two mandatory documents that we had to produce as evidence of the risk assessment and treatment.
- Conduct Training
For our internal staff, we prepared dedicated training modules and sessions. We also prepared mock examinations so that every employee in the organization gained a proper understanding of the processes required under ISO 27001.
- Review and update the required documentation
Documentation is required to support the ISMS processes, policies, and procedures. The ISO 27001 consultant guided us on all the documents needed for certification, and we reviewed and verified each of them before submission.
- Registration/certification audits
In the first stage, the auditor assessed whether our documentation met the requirements of the ISO 27001 standard and pointed out areas of nonconformity and potential improvement in the management system. Once we had made the required changes and closed the nonconformities, the auditor conducted a second-stage assessment to verify that the ISMS was implemented and operating in compliance with the standard.
Lastly, we take great pride in reporting that extensive documentation work, preparatory brainstorming, learning, gap closing, training programme management and, most importantly, close coordination among all members of the team led us to achieve ISO 27001 certification.
What does it mean for Innoraft?
Becoming an ISO 27001 certified organization had been on Innoraft's agenda for a long time. We were determined that if we were going to add this feather to our crown, we would do it properly: by implementing every necessary procedure and passing each step on its merits. Our ambitions have grown with it, and we are now aiming even higher.