A discussion with our COO, Shefaly Yogendra PhD, and Ian Armitage, Head of Software and Development.
Governments, businesses and private citizens alike are concerned today about how we capture and store our data, images and online credentials, and do so securely.
At Ditto AI, we have spent the last 18 months working to develop more rigorous systems and processes to ensure the highest levels of information security and to become ISO27001 accredited.
What is ISO27001?
ISO27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information security risk management processes.
Why we started this security journey
As our business matures, we wanted to ensure there is a strong foundation for expansion and growth, and that information security is at the heart of that.
We had several reasons for wanting to ensure greater information security.
A long-standing client of ours is an ISO27001 accredited organisation, which led them to host their own instance of our platform rather than use ours. Going forward, we wanted to deliver our technology using a SaaS model, so by achieving ISO27001 certification we are now able to deliver services to that client from our cloud-hosted solution. It's a win/win for everyone.
Opportunities to scale
The controls we put in place for ISO27001 make us more secure and will help us grow our technical capabilities. Now, we get to move from 'start-up' to 'scale-up', becoming a credible and established business. As part of the accreditation process, we've put policies and procedures in place that will support future scale and growth.
Being a responsible business
ISO27001 accreditation covers all of our information security, not just the digital side. Clients tell us a lot about their business, so how we record this information is vital, and keeping it secure offers an important level of assurance to them.
How do you become certified?
Getting ISO27001 accreditation wasn't an easy feat and we couldn't do it alone. So, we worked with an external consultant, WADIFF, a consultancy that supports organisations wanting to improve their information and cyber security. They guided us through the steps and helped us define our strategy and action plan for achieving ISO27001.
At stage one, it's all about assessing where you are and creating a plan to move forward with. It's about taking stock of what you do and don't have and understanding where you need to improve. This stage requires a lot of openness, honesty and perseverance.
There were several 'big things' that formed a huge part of the audit. They were areas we had to get right before the project could move forward. These 'big things' included:
- Implementing access controls. This meant working out which employees had access to what information and validating that each person's access was still needed for their role.
- Knowing what information needs protecting, and from whom.
- Making sure we've got acceptable use policies for all our systems.
- Having BYOD policies for anyone using their own equipment to access company data.
- Undertaking a supplier evaluation (particularly of our technical service providers).
- Having a disaster recovery process.
ISO27001 uses a top-down, risk-based approach and is technology-neutral: it tells you to identify and manage risks, not which products to buy. The specification defines a six-part planning process:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
The specification also sets out requirements for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation across every part of an organisation and committed support at board level.
During our internal audit process, we took a snapshot of how we handled information security, which formed the basis of our information security management system. Not only does this cover digital security, it covers physical security too, such as hardware and office space.
How long does it take?
Our ISO27001 accreditation journey began in August 2018, and we achieved it in March 2019. Now that we are accredited, we have to go through an annual surveillance audit. However, we intend to run internal audits every two months. We've also put in place monthly checks on the systems we use daily and weekly.
Further, we've implemented an incident reporting system as a result of the ISO27001 project. If someone who shouldn't be there tries to access the office, or if someone loses their device, it's documented. For each incident, we assess how we reacted, how we recorded it, and what we can improve to keep our systems secure.
We also undertook business-wide training of our staff, our senior leadership team and our board to ensure nobody inadvertently became the weak link in the information security chain.
Ian Armitage, head of software and development, is an experienced tech leader and there are many things he can do himself. But his 'internal knowledge' isn't scalable without the right processes in place. ISO27001 has helped us to focus on documenting personal knowledge and experience. This was a challenge we were already aware of, but we have now prioritised it within the project. We create formal processes around everyday tasks and specialist knowledge so that no vital information is siloed in one person.
The three core principles of the ISO 27001 standard are:
With these core principles in mind, and with our ISO27001 accreditation, we can confidently innovate, learn and grow as a business.
Company adoption and culture
Everyone at Ditto has warmly welcomed the ISO27001 accreditation. Throughout the auditing process, we've communicated internally to keep everyone up to date and involved in how the company has changed as a result. We've taken a pragmatic approach to this accreditation, as we couldn't let it affect productivity or agility. What we've put in place mirrors the culture of the business. It does exactly what it needs to do, but it doesn't restrict us as an organisation.
Our approach to transparent, connected work means that everyone has access to the resources they need, all of the time. That openness is itself a risk to the business, in terms of building security, information security and open access, which is why the access controls and policies above matter. But our connectivity is what makes Ditto a strong, living, breathing organism that works together as one to achieve some extraordinary things. Our ISO27001 accreditation is one example of that effort.