In today's digitally-driven landscape, safeguarding sensitive information is paramount for businesses of all sizes. Achieving ISO 27001 certification stands as a testament to an organisation's commitment to robust information security management systems (ISMS). It's not merely a badge of honour but a strategic decision that instils trust among stakeholders, enhances operational resilience, and fortifies against evolving cyber threats. As we delve into the journey towards ISO 27001 certification, we uncover the transformative steps Gather undertook to fortify their data defences and navigate the intricate terrain of modern cyber security standards.

ISO 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS), within the context of the organisation.

It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.

ISO 27001 ensures that cyber security is implemented and maintained so that both our data and our client's data are kept confidential.

It does so with the ISMS - a framework that allows for constant review and resultant improvement but is flexible to the business needs by providing:

• Improved data security
• Mitigation of breaches by addressing risk
• Continuous improvement with PDCA
• Credibility

It’s a five-step process to become certified and an integral part of an ISO certified management system is that there must be continuous improvement.

1. Gap analysis
2.  Manual of Operation
3. Staff Training
4. Internal audit
5. External audit

 When you finish painting the Forth Bridge you start again at the beginning!

We started out by documenting our best practices and daily operating procedures, describing what and how we do things.

For example, we need to explain that we make a cup of tea because we're thirsty and because we like it…

Our policies and procedures need to support the standard stipulated by ISO 27001. There was a need for us to subtly tweak the way we work to do so. However, the standard is not meant to be restrictive. It is a flexible framework that ultimately should fit our business.

With a management system defined, awareness training around the system took place, which effectively emphasised why we are taking the sanctity of our own and our customer's data seriously.

At this point, we needed to be happy that our system and its controls work as we expected by doing some internal audits, following the next step, which is the scary bit, where we’re audited by an external auditor!

All’s well that starts well, and whilst ISO is iterative and the continuous improvement process of  'plan do check act', now just keeps rolling. The really exciting bit is we have received a lush certificate for the wall!