19 November 2018
Beyond Compliance: Glantus Achieves ISO 27001 Certification with Paula Nolan, Chief Compliance Officer
Beyond Compliance: achieving ISO 27001 certification has driven business growth at Glantus, says CCO Nolan
In a rapidly growing global company, working with customers such as major corporations and financial services providers, there is an inevitable demand to meet the highest expectations. As a business, Glantus was already certified to the ISO 9001 quality standard for several years. In 2018, with the onset of GDPR and our ISO 9001 accreditation due for renewal, we chose to embrace the ISO 27001 Security Standard.
Glantus is a globally unique data product, providing end-to-end data integration, automation, visualisation and analytics on one platform. As a company, we see ISO 27001 as a way of showing we conform to internationally recognised best-practice standards for managing and protecting that data. We knew the standard would give us the framework to comply with GDPR, which we identified as a business priority. When we first considered ISO 27001 certification in March of this year, it was a discussion at board level, our CEO was heavily involved from the start, and we knew it would involve every member of the Glantus team.
This was a much bigger project than ISO 9001 certification because it involved not just reviewing our own business and internal procedures, but also checking third-party suppliers.
Having a team working with you is much easier than trying to go it alone. We recruited an extra compliance resource for the business in addition to my own role. We also had some valuable assistance from an external specialist consultant to guide our work. We knew staff support at all levels would be critical to achieving and maintaining certification. You can try and bring in a bible of documents that dictate ‘read these rules and stick to them’, or you can sit down with your people and work through what compliance will mean for their roles.
It is easy to write a document and tick some boxes to claim: ‘everyone does this.’ In order to maintain certification, we will have to undergo audits at least once a year by a globally recognised accreditation body. When an auditor comes to the office and talks to people doing the work, it is about making sure they are trained, and they know what best-practice data management looks like.
We organised ‘lunch and learn’ sessions with groups of staff to discuss how we would tackle this together. Beyond gaining support for the initiative, it also meant we had commitment from our people to maintain audit-quality standards. Making sure they buy into the procedures, and that they contributed to them, gives them reason to work towards these goals.
Invariably, everybody in an organisation has a slightly different way of doing things. Introducing ISO 9001, and subsequently ISO 27001, has helped us streamline our business processes and improve efficiency across the entire organisation. We used our own GDPR compliance software to connect and control data, and we have passed this solution on to major corporate clients. One of the attractions of meeting an ISO standard is how it puts a priority on customer needs. Certification assures our customers and suppliers that we adhere to quality management principles, and that ultimately benefits them, too.
Normally, it takes around a year to achieve certification; we achieved it in six months. We could not have done this if we did not have the whole team behind us.
To anyone else thinking of achieving certification, I would advise them: it is a serious undertaking that involves documenting every business process - a literal mountain of paperwork. But there are many levels beneath the surface of having ISO 27001 certification. Knowing the depth of the work in advance is critical to avoid the risk of failure. It is definitely not something to undertake as a box-ticking exercise.
The work does not just stop once you achieve certification. We document every meeting and we record every process. We have internal auditors who check that we keep to the standard. This way, a strong culture of information security spreads throughout the business. We also set up internal Yammer groups to keep everyone informed of progress and discuss ways we can drive continuous improvement.
If you want to be the best in your field and execute against your strategy, you need to have all of the tools in order to do it. This certification is that tool and it is already proving useful; opening doors to the biggest corporations as well as to smaller enterprises. The benefits for Glantus have been both internal to us as an organisation, and external in terms of how customers see us. When a company can show that it will always deliver, that it keeps to best practices and that its people and culture are the best they can be, then business growth will follow.