Following a conversation with our CTO Simon, we knew that we already had a lot in place for ISO 27001 and Cyber Essentials at Amido; we just needed someone to bring it all together and drive us through the audit. That someone was me.
What I didn't realise at the time was that I would need to draw on my years of experience to assimilate more than just the words on the page. It turns out it's not only the wording of the two standards that differs from my experience, but also a new vocabulary, a new way to explain the technology, and why standards bodies created these standards.
I'm not entirely new to auditing, as I have consulted within the insurance and financial services sectors for several years. However, particularly in financial services, governance, risk management and compliance activities are critical elements in protecting the business and public interest.
Historically, I had someone working with me during audits helping me frame the conversation in the right way and keep the conversation on track. However, as I found out without a minder, it was pretty easy to throw auditors off by answering the question in overly technical terms, whereas what I should have been doing was focusing on the conversation. We found this particularly hard as we use many best-of-breed controls implemented by Microsoft 365 and Azure Active Directory, so our security posture is inherently technical. Therefore, to be effective, I need to understand the thinking behind the implementation and then explain how it meets the outcomes of the standards.
It helps to understand these two standards, how they are similar and how they are different:
Furthermore, ISO 27001 is typically focused on larger organisations, whereas NCSC designed Cyber Essentials to cover the whole gamut of organisations, from the one-person band to the multi-national organisation.
Going into an audit, you need to understand the context of why you want to attain and maintain certification. It's pretty standard for organisations to seek a badge. However, this is a fundamentally flawed approach.
When a company chases a badge, it can only expect to get a partial benefit from the standard. Companies will undoubtedly learn from the experience. However, that learning is unlikely to be embedded in the organisation, resulting in short-lived value.
Amido didn't want to pursue a badge; the certification is an emergent property of adequate cybersecurity protection. As such, when we set out to achieve ISO 27001 and Cyber Essentials, we aimed to:
For Amido, having a solid cybersecurity posture enables us to bid for new contracts with confidence that we exceed our clients' expectations.
As a learning organisation, passing or failing is secondary to learning from the experience. Here is what we discovered through the process:
Everything is a process; 2021 marks the second year of Cyber Essentials for Amido and the first year of ISO 27001. We will recertify every year, and between audits, we will continue to use cloud-native technology services to automate and drive out efficiency, growth and innovation.