ISO 27001: Compliance Without Hindering Company Culture or Growth

What Is ISO 27001?

Organisations from different industries including media, tech, finance, healthcare and governments, are now insisting that their suppliers demonstrate the ability to manage data security in accordance with ISO 27001. The standard is built around implementing an Information Security Management System (ISMS), an extensive set of policies and procedures for managing sensitive data.

For us though, pursuing the certification was about much more than just a piece of paper. We wanted to go further and embed real security and risk management across the business. We designed our ISMS specifically to meet the needs of a fast-paced and growing company like LDS, with ever-competing priorities.

Our objectives were:

- To embed data security within our company culture so it became ubiquitous throughout global operations, supporting business growth without hindering our teams day to day

- Increasing our credibility with new and existing clients

- Improving our position on information security risk by establishing a robust risk management framework

- To decrease the likelihood of data security breaches by strengthening the processes within our ecosystem

Why Data Security Matters

Businesses can be caught out in several ways by not placing enough emphasis on mitigating cyber security risk. In the UK, for serious breaches of GDPR the Information Commissioner’s Office can issue fines of up to £17.5m, or 4% of annual worldwide turnover, whichever is higher. In the US in 2021, video conferencing service Zoom became the subject of four class-action lawsuits and was forced to pay an $85m settlement for alleged violation of the Californian regulatory mandate, CCPA.

Recent high-profile ransomware attacks have targeted British institutions like the NHS and Royal Mail, which have taken months to remediate. On top of these fines, businesses falling victim to cyber-crime can be crippled by the enormous fees associated with hiring digital forensics experts who specialise in recovering lost data. In some cases, critical information can never be recovered and businesses have to close doors.

Preparing Little Dot Studios for ISO 27001 meant that we needed fully documented disaster recovery plans that were tested regularly and kept up to date on a defined schedule.

Preparing for Audit

Alongside a thorough review of internal documentation, ISO 27001 audits involve interviews with key individuals from operational and commercial teams across the business. To prepare for this we set up a cohort of security champions from different teams and verticals who played a crucial role in driving greater security awareness throughout Little Dot Studios. All staff then contributed to our compliance journey by attending workshops, documenting workflows and reviewing key policies.

Establishing a strong security culture across a growing business can be challenging. Training was key, and company-wide sessions held for new and existing staff meant everyone was thoroughly upskilled on the importance of data security. By working alongside commercial teams we built the awareness that ISO 27001 compliance offers us a competitive advantage, as well as protecting our clients’ data. This was a team effort; cross-functional collaboration at its best. By leveraging our company values like being ‘collaborative partners’ and ‘radiating expertise’, we were able to sustainably integrate data security into everyday workflows without compromising on culture or ability to scale.

During the implementation phase we agreed on a continuous improvement cycle, centralising our view of security risks and allowing us to build an actionable roadmap. We used the ‘Plan-Do-Check-Act’ framework for operational excellence:

- Plan: identify risk and capture anything that could affect the confidentiality, integrity or availability of our data

- Do: put controls in place

- Check: audit how we’ve don

- Act: improve any inefficient controls