Bear with me on this. I am going to toot the Hillard Heintze horn. But I also have a very positive message for anyone who may have a stake in ensuring that their information security is and remains a paramount priority.
Last week, after many months of pre-assessment reviews, assessment preparation and the intensive certification audit itself, we were notified that Hillard Heintze has earned ISO/IEC 27001:2013 information security certification. The standard is published jointly by the International Organization for Standardization and the International Electrotechnical Commission; our certificate was awarded by the BSI Group, the independent and accredited national standards body of the United Kingdom.
Lisa DuBrock, the managing partner of Radian Compliance, the company that audited us, put it this way: “According to the most recent ISO survey as of the end of 2015, only 1,247 companies in the USA had achieved ISO/IEC 27001:2013. Hillard Heintze, to our knowledge, is one of the first, if not the first, security professional services company to obtain this certification.”
That’s great news for us and for our clients – for several reasons.
Corporate Data is the Currency of Business
All organizations, to varying degrees, invest in data protection. They may call it information technology. Or cyber security. Or information security. Whatever they choose to call it, companies spend significant sums on technology and services, often with minimal measurement of success. That makes it difficult for senior leaders to determine whether the investments made will actually mitigate the risks, threats and vulnerabilities associated with protecting private information.
The recent WannaCry ransomware attack, which surfaced on May 12 and has, to date, crippled an estimated 300,000 systems, is just one example of the hundreds of thousands of cyberattacks that occur every day and threaten company data. Organizations, and their clients, expect at least some baseline level of protection for their information. But the shifting landscape of cyber and insider threats requires continuous collaboration with peers and vendor partners, as well as expert insight, to mitigate these potentially devastating threats.
Protecting Our Data at Hillard Heintze
We invest extensively in technology and staff to protect our data, so a number of key questions matter a great deal to us:
- Technology: Have we invested enough or even in the right technology?
- Controls: Do we have the proper procedures and controls in place to ensure our information is protected?
- Maturity: How do we measure up, in terms of information security, against some of the toughest and most sophisticated information security standards?
- Validation: Rather than self-assessing, how would our information security practices be viewed by truly objective, independent third-party information security auditors and examiners?
Setting Our Sights on Compliance with ISO/IEC 27001:2013
The International Organization for Standardization, or ISO, has developed a series of “world-class specifications for products, services and systems, to ensure quality, safety and efficiency.” One of the most crucial of these standards, ISO/IEC 27001:2013, specifies the requirements for “establishing, implementing, maintaining and continually improving an information security management system within the context of the organization,” along with “requirements for the assessment and treatment of information security risks tailored to the needs of the organization.” In other words, the standard defines what a well-run information security management system (ISMS) must do: define its scope, assess and treat its risks, select and justify its controls, and keep measuring and improving. Certification means an accredited certification body has audited the ISMS against those requirements and found it conforming. It is a statement about how the organization manages information security, not a guarantee that any particular system is free of vulnerabilities, which is exactly why the standard insists on continual improvement.
We had always been aware of this standard. Earlier this year, we set our sights on achieving it.
More Than a Decade of Investment in Information Security
Since Hillard Heintze’s inception in 2004, we have focused acutely on building our ISMS program. I don’t want to go into detail here, but over the last few years, our proactive approach to information security has helped us prevent or avoid a number of very high-profile information security events, including WannaCry and, for that matter, much more serious ones that proved highly destructive to many other organizations. That track record has validated our investments in this critical area and encouraged us to keep improving our protections. In 2012, for example, the firm began measuring its information security activities against the ISO/IEC 27001:2005 standard and achieved compliance with it. But as information security practices have changed, so have the standards. So we have kept raising our sights.
Pick the Right Partner: They May be Crucial to Your Certification
Perhaps my strongest recommendation for any firm seeking the same results we achieved with respect to ISO/IEC 27001:2013, or any other compliance or certification initiative, is to make sure you pick the right partner. Before we launched into this initiative, we did our homework and selected a very well respected firm, Radian Compliance, to guide our preparation. Their partnership proved tremendously important: they have walked this certification path over and over with many other organizations, and were exceptionally adept at pointing out potential gaps and weaknesses and steering our efforts in the right direction.
We are delighted to have received our certification. I should note that the standard was extensively revised in 2013 to bring even more rigor to its requirements, so we are doubly pleased with the news.
Of course, there is much work ahead. A certificate is not a “snapshot in time”; the standard requires the ISMS to be maintained and continually improved, and the certification body returns to verify that through surveillance audits and, at the end of the certification cycle, recertification. Our celebration window is short. It’s time to get back to improving our processes and preparing for recertification next year.
Feel free to contact me if you are pursuing an ISO certification of your own or if you are interested in improving the level of info security for your systems. I’d be more than happy to give you some insights into our process. I can be reached at firstname.lastname@example.org or at 312.229.9815.