Peak achieves ISO 27001 certification
By Peak on February 1, 2021
Peak has recently achieved ISO 27001 certification, which is great news for us and our customers.
You may not be familiar with the standard and what it means, so we spoke with David Leitch, our CIO, to understand more about Peak’s journey to achieving this important certification…
For those unaware, what is ISO 27001 certification?
ISO 27001 is an internationally-recognized standard for managing information security. It centers around ensuring the confidentiality, integrity, and availability of information, and provides a set of controls that can be applied in order to ensure information assets – including customer data – are protected at all times. The focus is wider than just technical controls, though, and includes all policies, processes, procedures, and tools in relation to how information is processed.
Fun fact: ISO is actually derived from the Greek word ‘isos,’ meaning equal, rather than being an acronym. There are a number of other ISO standards covering different areas of quality and compliance for organizations.
Why is it important for Peak to be ISO 27001-certified?
The protection of our customers’ data is our number one priority. We are trusted to process information, and certifications like ISO 27001 provide assurance that we take information security very seriously.
We have designed all of our products and processes with security at their core, but going through the certification process for ISO 27001 has given us the validation and confidence that we are compliant with internationally-recognized standards.
ISO 27001 certification will also help us on our scale journey, as it’s an important prerequisite for some businesses as part of procurement and onboarding processes.
What did Peak have to do/demonstrate to achieve this?
This was a genuine team effort, and involved everyone in the entire business! We initially completed a full review of our processes, procedures, and policies against the requirements of the standard, to understand any areas we needed to strengthen during the preparation process.
It was then a case of building an Information Security Management System (ISMS) for Peak – putting in place the right mechanisms to ensure we continually review and improve our information security. Our approach was to identify all of the things we wanted to protect (information assets), identify risks around these, and then apply controls from the ISO 27001 standard to mitigate these risks. Once we had completed this exercise, we commenced the two-stage certification process.
The first stage was a document review, which involved an external auditor reviewing all of our processes, policies, and procedures to confirm they were fit for purpose. This was then followed by a more in-depth stage two audit, where an auditor spent five days with us to review our compliance with the standard – across all of our teams, and across all locations.
I’m very pleased to say that we got a great write-up, which is true testament to the continued hard work of the entire team at Peak, and their appreciation of the importance of information security across the board.
What does it mean for our customers? Are there any changes they need to be aware of?
There are no changes for our customers – other than further reassurance that their data is protected when working with Peak. We will be independently audited on an annual basis against the standard, and will also complete a programme of internal audits through the year to ensure we remain compliant.
In order to maintain certification, we need to be constantly evaluating our performance against our information security objectives, and continually making improvements to our systems, processes, tools, and products. We are also exploring other information security standards and accreditations, and are embarking on our SOC 2 audit process this year, in order to support our expansion in territories such as the United States.
Do you have any advice for other companies looking to gain ISO 27001 certification?
ISO 27001 is a big undertaking and shouldn’t be underestimated! Up to 114 controls may need to be applied, depending on your scope of certification, in addition to the core processes that need to be in place to meet the requirements of the standard. From start to finish, it took us around six months to achieve the certification – and that is considered relatively fast.
Making sure you keep people engaged throughout the process is key. We provided weekly updates to the whole company on the progress against our plan, and had champions from each team who were more deeply involved in getting us ready for certification. The standard does involve absolutely everyone in a business, and we held a number of education and training sessions about ISO 27001, and information security in general, throughout the process.
Ensuring that you’ve got good buy-in from your leadership team before starting is also essential. We had weekly catch-ups during the implementation phase, in order to make sure things were on track and we had enough resource allocated. Now, we also have monthly information security meetings where we review progress against the continued objectives that we set ourselves.