WHAT IS ISO 27001?
The International Organization for Standardization publishes the standard known as ISO 27001. This international standard for information security outlines how a company should deal with people, information and technology, and provides controls that help organisations to “establish, implement, monitor, review, continually improve an Information Security Management System (ISMS)”.
ISO 27001 is globally recognised; certified companies have been assessed to have an ISMS aligned with information security best practices.
WHAT DOES IT MEAN FOR OUR CLIENTS?
Having ISO 27001 certification means anyone who partners with us can have complete confidence in our data handling practices: we look after not only your information, but your audience’s information, too. Many of the companies that choose to work with us are compliant with the same standards.
Certification isn’t just a one-off thing, either. We are regularly audited to make sure that our high standards are maintained – challenging us to raise the bar when possible to improve further.
ISO 27001 certification also means we have the processes in place to resolve and recover quickly in the highly unlikely event that something goes wrong.
We proudly announce our certification on our website so everyone is aware that Vixen Labs is a team that takes information security seriously.
WHAT DOES IT MEAN FOR VIXEN LABS?
After six months of hard work by many members of the team, we now have in place a complete set of rigorous policies, procedures, and logs. These are continuously monitored and updated through a series of internal and external audits, making sure that we always remain compliant with the highest ISO 27001 standards.
So what did that process look like? Well, over the six-month period, we:
- Implemented and updated nine policies
- Put in place 15 plans and procedures
- Filled out 18 registers
- Created seven logs
- Planned 25 audits
- Checked off all 114 standards
- Ran a training session for the whole staff
This sounds like a lot, but the tools we already had in place made the mammoth task feel achievable.
Many of the certification requirements slotted neatly into our existing systems. We used Notion to catalogue documents in ways that are easily accessible to the whole internal team, and our task management system, Asana, broke each requirement down into bite-sized pieces. We have also set up audit plans as recurring tickets in Asana, so they are automatically front-of-mind when we need them to be.
Rich Merrett and James Docherty – who worked together on the vast majority of the work required for certification – delivered our internal training with flair, keeping everyone engaged throughout.
The real test, of course, was the external audit for certification. To our delight (though not to our surprise) the processes we implemented were assessed as having no major or minor non-conformities, and no areas for improvement. This result was a real testament to the hard work and dedication of everyone involved and, of course, to how seriously we take these critical processes.
HOW DOES IT AFFECT DAILY LIFE AT VIXEN LABS?
If we’re honest, not a huge amount has changed in the day-to-day running of the business. Information security was important to us long before certification, especially given the popular criticism of the voice technology industry as not respecting people’s data. We have, however, noticed a new sense of confidence when discussing complex security protocols both internally and with clients.
We run regular Business Continuity tests to ensure that in the event of an emergency we could continue to run the business as usual. There are a few more steps when new members of staff join the team to ensure they understand ISO 27001 practices.
The biggest change is the internal audits. To ensure that we maintain our standards, we complete 24 internal audits each year. These are carried out by different members of the team to make sure that no one is ‘marking their own homework’.
ISO certification is an important part of any company’s information security journey. Our certification means that everyone we work with – from our internal team to clients and collaboration partners – knows that we have the best systems in place to protect them and their data.