The ISO 27001 Certification Journey


The evolution of technology has undeniably changed the way that schools function, with Edtech becoming more intricately entwined throughout all operations as time goes on.

But whilst schools now consider their systems and hardware as critical to their day-to-day functions, these advancements have also introduced a variety of security concerns and risks that were unheard of not that long ago.

When assessing these threats, each school must look internally at their own activities, and externally to their vendors, to ensure that they are also doing their due diligence in protecting the school's interests.

For TASS, the recent ISO 27001 certification made the company consider the way it handles risk from the ground up. In this article Sam Fisher, Chief Technology Officer and Information Security Leader at TASS, shares the company’s journey and explains why every school and business should be aware of information security risks and how to mitigate them.

What is ISO 27001 and why get certified?

ISO 27001 is the global standard for Information Security Management Systems, but it's not a prescriptive list of instructions or commands.

The approach acknowledges that each business is different and therefore targets the risks and threats that are actually relevant to each organisation, rather than solving problems they don’t or won’t have.

Once risks have been identified and controls put in place, the standard creates a closed loop of review and compliance: risks are managed to a consistent standard, and the effectiveness of the controls can be proactively monitored and tracked over time.

Sam explains TASS’ reasons for pursuing ISO 27001 certification:

“Schools expect us to handle their sensitive data as securely as possible, and in turn each school has stakeholders that also expect the same.

Though we've always been big on information security, and spoken about it several times, it's nice to prove that we're not just saying this - we've been externally audited and deemed compliant to a globally recognised standard.”

What kind of changes or adjustments were needed?

Sam acknowledges that one of the biggest adjustments that came out of the certification process was improving discussion around the scale, impact and associated risks of any changes.

“As an IT person, it's tempting to jump straight into ITSM (IT Service Management)” Sam shares.

“But information security is much broader than that. People generally are the biggest weak link - clicking on suspicious links in emails or forgetting to follow rules can have severe consequences, and things like locked doors and clean desk policies, though non-technical, also play an important part in reducing risk”.

The future and advice for schools

“Now that we're certified, our job is to make sure that we're proactive in identifying and mitigating risks as a team.

We'll continue to track and maintain a register for known risks, with the management team meeting regularly to review these and ensure we're all up to speed”.

Becoming compliant with a standard like ISO 27001 is a big investment and a long-term commitment, but even if you don't choose to get certified, the standard (or any security standard) can give you a place to start and is a great way to discover blind spots.

It's also good to get into that mindset of continual review and improvement - risks evolve, and you need to make sure that you're thinking about this consistently and not becoming complacent until you have a problem.