Read more on our journey to certification here: ISO27001 – We Are Now Certified!
Ciaran: Security Director
Achieving ISO 27001 certification for Macnamara has been my ambition since taking the Lead Auditor’s course in 2015. I wasn’t interested in becoming an auditor but thought learning it from that side of the table would be effective.
ISO 27001 focusses on information security and a useful side effect of that focus is hugely increased protection against online fraud and the huge array of other business threats that have been enabled by technology. And, of course, over the past ten years or so these business threats have risen close to the top of the agenda for many businesses. It remains surprising to me that our prospective clients rarely ask about our security. When you become an MSP client you are opening all your business information to the MSP’s team. We do emphasise security and see it, if not quite a USP as a serious differentiator with the competition. At the same time, it is usually only when a client’s insurer or an organisation the client wants to do business with, asks about MSP security that we get asked. With the ISO certification we are now able to answer these questions instantly and comprehensively.
So, why ISO 27001? It certainly wasn’t an easy journey. We got there following a path via other security certifications such as Cyber Essentials and IASME Cyber Assurance (Macnamara ICT Security Certification White Paper). ISO 27001 is the international gold standard when it comes to information security and for me, just as there is an inevitable path from your first 5k to a marathon, there was an irresistible impulse to go for the best as soon as we were ready. As a small company we were not able to use a dedicated security department; instead we had to build our own Security Management Team using what little spare capacity was available amongst our team. The approach we took involved everybody in the company, with training and responsibility assigned covering areas such as physical security, risk management, business continuity and security incident management. The result of this approach is that we now have a team, making up the whole company, fully trained in the delivery of ISO 27001 certification with a security-first mindset.
Best security practice has been woven into everything we do, and our clients benefit from the elimination of the separation between IT Support and Information Security. For us there is no significant difference. With our service and the quality of modern hardware and software, our clients no longer face a serious threat of business disruption due to IT failures. But all organisations face a greater than ever threat of criminal attack via technology, not to mention the regulatory risks. Macnamara’s status as an ISO 27001 certified business above all provides even more peace of mind to our clients.
Geoff: Operations, HR, IT, Third Party Management
We’ve always been bothered about security. It’s been an integral part of what we do and the service we offer ever since I joined the company back in 2008. Yes, of course the focus has shifted as the ever-changing environment evolved from clunky and slow PCs, office servers and ADSL internet connections, to fast modern desktops and laptops, cloud computing services and ultra-fast fibre connections. But it’s always been there. It just got better – and more necessary.
As early adopters of Cyber Essentials, we relished the chance to formalise the security offering and certify ourselves against the standard, and until CE came into play around 2015 there really was very little a small organisation like ours could reasonably hope to achieve by way of formal compliance. There just wasn’t anything out there, except ISO 27001, which was far too big a task at the time.
Fast forward a decade, and we’re now 9 years certified as Cyber Essentials, and several cycles through the accompanying IASME certifications up to Cyber Assurance Level 2, which was always designed as a simplified version of ISO 27001 that SMEs might have the resources to actually get.
When we started the process of going for the Gold Standard it looked complicated and difficult – and I can confirm my expectations were well founded! However, once you get started it really does start to fall into place. The vast majority of our policies and procedures were already there, sometimes written, sometimes not, and they just needed codifying and, in some cases, clarifying.
The hardest part of the process was probably document management – how to manage the large volume of logs, policies and procedures, version control, tracking what documents were ready for approval, which ones needed to be written, and then publishing once approved. The standard tells you what you need but you need to decide how you want to go about it in a way that best fits your business and your team.
I would certainly recommend that any organisation that is interested in going for ISO 27001 involve as many people as they can from their team, because not only does that share the burden, it shares the knowledge and the experience too. If everyone has input it’s much easier to get buy-in, because of course, this isn’t just a one-off achievement. You have to keep at it and maintain the system once it’s in place.
Dayan: Internal Audit, Secure Development
I started our journey in ISO 27001 without knowing what to expect and it was a bit of a shock – no one really knows how much you actually do until you have to write it down. The road through to certification was filled with a lot of learning, documentation and teamwork, but it really showed me the different areas of the company and solidified our processes.
As the Internal Auditor I had exposure to all the different areas of the system and it really showcased the effort we as a team put into achieving this project. I also have the role of Secure Development which gave me the opportunity to formalise the company’s development practices.
Working now is much easier, as I know everything we do, and how we do it, is written down and can be referenced at any time.
Hubert: Business Continuity, Physical And Environmental Security
In our ISO 27001 certification, I was responsible for Business Continuity, and this experience has underscored for me the importance of identifying potential disruptions to our operations. Recognising these issues early has proven vital in mitigating risks. I’ve learned to develop effective solutions that minimise business impact, emphasising the value of a proactive approach.
Additionally, I’ve gained insight into how our decisions can affect the organisation, which helps me prioritise effectively. By testing real scenarios and evaluating our response procedures, I’ve recognised the need for continuous improvement. Overall, this role has sharpened my problem-solving skills and deepened my understanding of how important it is to always have a plan for any eventual crisis.
My next responsibility was Backups, which taught me the importance of daily check-ins to quickly identify problems, including when they occurred and what went wrong. I also learned how critical testing is, as you never know when you might need a backup restored.
My last role was overseeing Physical and Environmental Security, where I was responsible for ensuring the safety of our premises and managing access control for staff, visitors, and external personnel. This included maintaining secure perimeters, ensuring proper fire safety protocols, and checking health and safety procedures.
A key aspect of my work was regularly reviewing and verifying the documentation to ensure that all security measures and protocols were correctly implemented and up to standard.
Reflecting on this journey, I remember how challenging it was at the beginning to envision completing all the necessary controls. However, each month brought valuable learning opportunities, enhancing my understanding of our company and the critical role of teamwork. I realised how essential knowledge sharing during our weekly meetings was for our collective success. By the end of this experience, the tasks felt more manageable, and I had significantly increased my knowledge.
Ash: Risk Management, Incident Management, Network Security
As the person responsible for Risk Management, Incident Management and Network Security for our ISO 27001 project I have found the whole experience challenging but incredibly rewarding and enlightening. Helping Macnamara become ISO 27001 compliant has deepened my understanding of information security and the way in which it should be handled.
Undertaking the responsibility of Risk Management was initially quite daunting due to the magnitude of the task, as risk forms the backbone of the system and relates to every other aspect of it, but as I have developed in my role these challenging aspects are what I have come to really enjoy about Risk Management. Being at the core of the system has given me a great overview and helped me gain a better understanding of each area of the information security management system.
I have found that the project has elevated not just my own, but everyone’s, knowledge considerably as working with my colleagues to achieve a consistent quality and approach has brought the whole team together under a clear security objective. The end result is a detailed system with well-defined policies and procedures that have helped to improve the way we work and the way we can support our clients.
Joe: Internal Audit
As a member of the Internal Audit team, we were tasked with conducting audits on our organisation’s controls and processes. It’s an important part of achieving ISO 27001, ensuring that we are compliant with ‘The Standard’.
Internal audits are the main checks and balances to confirm we are actually doing what we say we do and are within compliance.
Discovering non-compliance and improvement opportunities is the goal of an Internal Audit, along with feeding those back to the team so they can be remedied. It was great seeing the changes and improvements to the system on a weekly basis. It has encouraged a high level of collaboration and communication which has benefited us all.
You must be meticulous during an Audit, ensuring no stone is left unturned. It has taught me in great detail about Information Security, how to interpret complex controls and how they apply to an organisation. Looking forward, we aim to improve the Internal Audit process where we can and continue to conduct audits to ensure that we remain compliant with the highest level of information security.
Overall, it was a challenging but very rewarding experience, especially when the External Audit found no faults! I’m looking forward to more audits in the coming year and honing my skills further.
Alicia: Document Management
I joined the company in the middle of the process as Technical Administrator; my main task was to make myself familiar with it, and I had a lot to catch up on!
The most important lesson for me is that you not only need to know and follow your policies and procedures but also enforce them and be able to demonstrate with evidence that you follow your procedures by logging what is required.
Getting any certificate is demanding, but it is what makes them worthy of having. I think now I’m in a better position to understand how each area of the certification interacts with the others (BCP, risk, audit, continual improvement, ...) and how they reflect on our daily tasks.