Following 18 months of dedicated time and investment, the Connexus Group have been able to achieve ISO 27001 accreditation, an Information Security Management System (ISMS) standard of particular relevance to the 7 companies that fall under Connexus.
We first speak with Ken.
1. As a Managing Director of a Group of 7 businesses, what motivated you to apply for ISO accreditation?
We trade in heavily regulated areas under several authorities, including the FCA and SRA, where the spotlight is very much on the control and protection of data.
ISO 27001 accreditation is an objective benchmark of our data management and business control that is universally recognised as a rigorous and thorough procedure in its requirements and respected industry-wide.
We act for many prestigious blue chip businesses who are aware of the emphasis we put on keeping their clients' data and information confidential, but for potential new customers, ISO 27001 certification gives comfort early on that you are capable of the required standard.
We are a medium-sized group of six businesses with 230 staff; the process highlighted those areas where we were strong, and areas where we needed to improve.
As momentum built, we had buy-in from more sceptical staff who preferred “the old ways” and we had to knock a few heads together before all understood that we were serious about completing the process for all businesses in the Connexus Group.
We can all have moments of laxity in our business life and nobody is perfect, but failing to lock cabinets or password protect sensitive data is wholly unacceptable. These requirements take a little extra time and care but peace of mind is worth that extra time.
2. Was the process of obtaining ISO certification expensive and disruptive of your business?
You need to view ISO as a long-term benefit for your business; it does not qualify you to obtain new business but will avoid disqualifying you from the opportunities.
For those who want a “quick fix”, ISO is not for you. It took over 12 months in our case to get all seven businesses certified and, when we added it all up, it represented a significant investment of funds and time, but we genuinely believe it has made our business stronger and more resilient.
3. Is there a strong business case for ISO and would you do it now if you knew what was involved?
For our business ISO is part of a package of measures we are taking to improve as a business.
We are focused on building the skill sets of our staff, cutting out manual processes when they can be automated, better use of IT and software, and improving the customer journey of our introducers and our clients.
In a very competitive environment communication is key, but benchmarking your ability by objective measures or recommendation is the most powerful message a business can give, and as part of that coordinated approach ISO certification is definitely worthwhile.
We now speak to Kerry for her take on the process.
1. What was the motivation behind becoming ISO accredited?
The Connexus Group operate in a heavily regulated industry, working to a myriad of guidelines to ensure transparency and high standards. The group are committed to using best practice, pushing the boundaries for continuous improvement and strengthening our internal practices and processes through ongoing training and development, as well as investing in technology and adapting to new, smarter ways of working. Becoming ISO accredited officially solidifies this approach in a way that can be trusted and justified.
We were already closely looking at our processes and how we handle information and sensitive data. As we are regularly audited, it is particularly important to internally review and critique ourselves. We review what infrastructure and framework we have in place to underpin the stability of information and data, querying if there is more that we can do!
Many of our senior management team were already aware of ISO accreditation (International Organisation for Standardisation), through former roles and business partners. As a management team, we decided to explore these standards and consider attaining one we felt was most appropriate for the Connexus Group as a whole.
With the help of our consultant Oliver Shaw of Standards Plus, we chose ISO 27001, which is an Information Security Management System (ISMS) standard. This standard ensures there are effective controls and policies in place for the security of data and information, highlighting opportunities for improvement and implementing new controls where necessary.
2. What was involved in the process?
Approximately 18 months ago, around September 2017, the decision was made to start work on attaining the Information Security Standard across the 7 businesses which make up the Connexus Group. We wanted to ensure that the data we collect and maintain is heavily guarded.
At the start of our journey, we set a timeline of approximately 12 months to achieve the standard. We were conscious that this wasn’t going to be a quick win and wanted to heavily scrutinise our processes against the standard. We had in excess of 230 employees to mentor and coach on the standard and review each business area in isolation. We then formed the ISO Lead Team which consisted of:
- Ken Specter, Managing Director
- Emma Parkinson, Senior Partner
- Mark Reddy, Group IT Director
- Kerry Nelson, Group HR Advisor
- Elaine Ward, Group Compliance Manager
We looked at how the data was generated, where it was going, how it was sent, access rights… you name it and we reviewed it. It wasn’t just the data we were reviewing; we were looking at other risks to the information we hold: building security, fire controls, hazards that could impede our work, flood, electrical issues, major disaster, sabotage and more. We then measured this against the standards expected, highlighting what, where and when changes needed to take place.
We quickly realised that given the size and nature of our group businesses our initial target of 12 months might not be achievable, but we were underway and project ISO 27001 was on!
3. What do you feel were the major challenges faced?
Some of the major challenges we faced were getting our head around Annex A, as well as the Statement of Applicability. The days were long, sometimes exhausting, slowly combing through each individual practice and process, speaking to team managers, employees, our business partners, suppliers, visitors!
We were conscious that the ISO 27001 standard would generate kudos; however, we also had to balance this massive task with the day-to-day business needs, ensuring we were still meeting our business partners’ expectations and delivering a high level of service. We were asking for a lot of time from our managers and employees. As with any company delivering change, this can be difficult and met with some resistance. We needed to focus on ensuring all our employees were committed and could understand the value of having this credential!
4. How do you feel the businesses fared throughout becoming accredited?
I believe the businesses fared extremely well. Our employees asked questions, engaged in meetings and training sessions and there was a real sense of working together. With our offices spread across 5 locations, working on the ISO 27001 standard gave a sense of involvement for all. Our internal auditors visited other sites that they may not have had the opportunity to see previously. We developed a suggestion scheme, which allowed employees to put forward ideas that they may not have felt comfortable doing previously.
The first 3 months were slow getting things off the ground, but there was a steady shift, with those that perhaps weren’t up for change initially getting on board and endorsing the project. During the assessment days, all our employees were keen to know ‘how are we doing?’ As a business, we are audited regularly, but this felt more personal. This was a real group effort on embracing change, improving and working towards higher standards.
5. How will Connexus Group businesses maintain their ISO accreditation?
Our accreditation will be maintained through consistent review, challenge and change whilst always working towards the standard. Our dedicated ISO Team already have plans for the future, with over 18 months’ experience and knowledge of the standard in tow. We have regular audits and will continue to strive to improve. We have seen the benefit already of having an ISMS; it showed us gaps in our processes that we hadn’t thought of. We want the standard at the core of what we do; the integrity and security of information is of paramount importance to us and it sets us apart from our competitors.