smrtr ISO certified

We’ve always held data management and security in the highest regard. From the very start we utilised the highest level of data transfer encryption and hybrid-cloud backend security. However, to further demonstrate our commitment to information security management, smrtr undertook a project to become ISO 27001:2013 certified through independent auditor PWC.

ISO 27001 is the internationally recognised standard for an Information Security Management System (ISMS). It gives an organisation a framework that protects information assets and ensures business continuity in a landscape filled with information security threats. It preserves the confidentiality, integrity and availability of information by applying risk management processes to manage threats adequately.

Attaining certification is no small feat with many detailed steps, but the broad scope of the ISMS ensures that all aspects of smrtr’s information technology operations are considered when addressing information security risks, big and small.

Wondering how to become ISO 27001 certified? Over the better part of a year we:

  • engaged an expert in ISO 27001 to explain the ISO framework and advise on the systems and documentation required to gain certification
  • further defined our information security management system and added greater granularity to our risk management framework, information security risk register and statement of applicability
  • performed a gap analysis of our current information security systems
  • developed a project plan to complete the required systems and policy documentation, and a documentation framework for the required systems, registers and policies
  • reviewed and improved our technology infrastructure to align with the ISO requirements, including technical redundancy, controls monitoring, backup, business continuity and disaster recovery
  • conducted additional third-party penetration testing of our infrastructure
  • expanded our staff training framework to include ISMS requirements
  • procured a Stage 1 audit conducted by PWC, which we passed with zero non-conformances
  • maintained an evidence base to prove the system has been implemented and is in daily use
  • completed monthly management reviews and system audits
  • conducted a full internal audit through a third-party consultant ahead of the Stage 2 audit
  • successfully passed the Stage 2 audit conducted by PWC and were awarded full ISO 27001 certification

The fun doesn’t stop there though. ISO 27001 is a continuous process, so we maintain an always-on, continuous-improvement approach to keep adhering to the certification requirements.

If you’d like to learn more about ISO 27001, please don’t hesitate to reach out. I’d be happy to share our learnings.

By Paul Henderson, Head of Operations at smrtr