Providing robust security for Maximo® users
The benefits of achieving the ISO27001 standard are well documented; achieving certification demonstrates that an organisation has defined and put in place best practice information security processes.
ISO/IEC 27001 is the international standard for information security, part of the ISO/IEC 27000 family of standards published in 2013. It is also the only auditable international standard that defines the requirements of an information security management system. However, it is far more than simply a set of documented processes; it is about a company-wide ethos and engagement around information security at every level.
For technology companies providing consultancy, software, hosting and support to clients, being able to demonstrate a long-term commitment to information security is essential. This was one of the reasons Peacock Engineering recently applied for ISO27001 certification, keen to provide the level of security its blue-chip client base demanded.
As an IBM business partner providing best-in-class asset management solutions through Maximo, Click Field Service Edge and Fingertip, becoming ISO27001 compliant was a natural step. As more and more companies using Maximo® demand a robust security approach from suppliers, it was something that Peacock Engineering had already started to embed.
Mike Knapp, Director at Peacock Engineering, led the project.
“This was something we felt required clear leadership,” he explained. “Our clients receive a high level of professional delivery from our team, and we wanted to ensure that our ISO project complemented this. We were looking to formalise our approach and beliefs around the necessity for constant awareness around security risks, so that it was a natural part of our culture.
“Because we provide load testing to clients, it was an area that we could thoroughly test. We would routinely help clients with load testing, soak testing, stress testing and shock testing. This means we regularly test our own systems to ensure they are resilient.”
Benefits of ISO27001
To ensure that the project would gain traction and be recognised as important by the whole team, a steering group was established. It was responsible for producing, controlling and managing information so that the ISO27001 requirements were understood. The group also identified both the risks and implications for discrete functions within the organisation, whilst acting as communication ambassadors to the team.
The company supported this with group-wide sessions to introduce the concept, give updates and to share teams’ progress, as well as specific one-to-one meetings for people managers. This roll-out of information was supported by the company’s HR system, so that individuals could easily identify and understand their role in creating an ISO27001 compliant organisation.
By having a structured approach to risk identification, and reviewing implications across the whole organisation (from database development and infrastructure through to mobile solutions and hosting), the controls required to limit any potential damage to either Peacock Engineering or any of its clients were identified and put in place. The rise in cyberattacks that overload a system meant that particular attention was paid to this area.
This ISO project adopted a ‘getting it right first time’ ethos – the approach used on all Peacock Engineering’s client projects. It meant that the company was able to gain its ISO27001 certification within nine months.
Benefits for clients
Having the ISO27001 certification brought additional benefits for Peacock Engineering’s clients.
One of the key benefits of ISO27001 certification is customer confidence: when clients are selecting an IBM business partner for their Maximo® projects, ISO 27001 certification provides a demonstrable commitment to information security. This is particularly true for organisations looking at a SaaS model or hosted solution, where the reliability and accessibility of data are paramount.
Another benefit was reputation protection. The headlines around data breaches cause negative publicity and real reputational damage to a brand. In addition, the fines imposed by the Information Commissioner’s Office for Data Protection Act (DPA) breaches can be substantial, with General Data Protection Regulation (GDPR) fines of up to €10 million or 2% of total global turnover for the previous fiscal year.
While the DPA and GDPR are not auditable standards, having an ISO27001 certified Maximo® partner demonstrates that the partner is mitigating risks on behalf of clients through robust information security.
ISO27001 certification is not a one-off event; it is an ongoing approach that gives clients confidence in day-to-day processes and procedures. By selecting a certified partner, they know the IT systems will be kept up to date and that security is paramount, whether that means anti-virus protection, protection against cyberattacks or mitigating data breaches.
The time and resources required to become ISO27001 compliant are not insignificant; however, the value and benefits they bring both to the organisation and its customers far outweigh the initial investment. It demonstrates to stakeholders a commitment to best-practice information security processes.