How Autotech Group Drives Continuous Information Security Improvement with ISO 27001

“The certification is a byproduct of the journey – we’ve done this to improve ourselves as a business and improve our approach to information security management, end user training and processes.”

Jack Salsbury Head of IT and Information Security, Autotech Group

Key Takeaways

Learn how Autotech Group:

• Achieved ISO 27001 certification in 11 months
• Used the IO platform to streamline ISMS implementation
• Leveraged SGG’s ISO 27001 expertise to support success
• Embedded information security best practices for continuous improvement.

About Autotech Group

Autotech Group, an automotive and mobility sector specialist, consists of four brands: Autotech Recruit, Autotech Training, Autotech Academy and Autotech Connect.

The business is an award-winning specialist consultancy driving innovation across the automotive and wider mobility sectors. Through bespoke solutions built around the business’s three core areas of expertise – people, skills, and technology – they’re tackling one of the industry’s most urgent challenges: the growing workforce shortage.

The Challenge

The Autotech Group team needed to achieve ISO 27001 compliance as part of their strategic approach to information security. They knew that by building, maintaining, and improving an ISO 27001-compliant information security management system (ISMS), they could ensure the business’s approach to information security was in line with best practices.

“Information security doesn’t stay static. We’re always changing and evolving, making sure our information security is proportionate to what we need as a business rather than just adding in anything we can get.”

Jack Salsbury Head of IT and Information Security, Autotech Group

ISO 27001 certification would also enable Autotech Group to demonstrate to stakeholders that the business met core information security requirements. Many of Autotech Group’s suppliers and partners required evidence of information security compliance, with requirements often beyond the scope of baseline security frameworks like Cyber Essentials and Cyber Essentials Plus.

This made demonstrating effective information security measures crucial to ongoing success: ISO 27001 certification would be a catalyst for growth.

“For us, Cyber Essentials and Cyber Essentials Plus were no longer sufficient. ISO 27001 became that broader next step in terms of certification and being able to evidence our information security.”

Jack Salsbury Head of IT and Information Security, Autotech Group

However, with developing internal ISO 27001 expertise, the team needed additional support to work through the implementation and a platform to consolidate the compliance process.

The Solution

The team employed the expertise of information security consultants, SGG, and leveraged the IO platform to centralise their compliance management. Internally, Autotech Group’s Project Manager, Nadège, provided dedicated project management. She aligned the ISO 27001 project structure and responsibilities with internal resources and business requirements to ultimately ensure successful certification.

Chris Gill, Head of Cybersecurity, GRC and Auditing at SGG, provided support throughout the certification process. He worked with the Autotech Group team to discuss areas of the standard that were slightly ambiguous and shared best practices for implementation. Chris said: “Both Jack and Nadège had a high level of competence when it came to information security. SGG’s role was to provide clarity on the technical requirements of ISO 27001:2022 and consult on how to effectively implement and conform to the requirements.”

“SGG brought clarity and expertise to the certification process, addressing areas of the standard where we needed support.”

Jack Salsbury Head of IT and Information Security, Autotech Group

Jack and Nadège used IO’s 11-step Assured Results Method (ARM) to take a strategic approach to implementation. They also used the platform’s built-in policy and control templates and adapted them to ensure they were specific to the context of the business.

“The platform gave us the framework and the content that we could adapt – our internal ISO 27001 experience was developing, so that was invaluable to support our success.”

Nadège Gavarret-Clarke Project Manager, Autotech Group

Using the IO platform, Autotech Group was also able to map requirements between ISO 27001 and ISO 9001, the quality management standard, and align controls where they overlapped. This prevented the duplication of work and streamlined compliance management across the two standards.

The Result

“ARM gave us a rational way to approach the ISO 27001 standard, and we could use that to then drill down to each of the clauses and Annex A controls.”

Jack Salsbury Head of IT and Information Security, Autotech Group

With this holistic approach to compliance across people, process and platform, Autotech Group achieved ISO 27001 certification in 11 months. The business now has a robust ISMS, and the team are continuing to progress their approach to information security management, committing to the ISO 27001 requirement of continuous improvement.

Autotech Recruit is now one of the only recruitment businesses of its size to have both ISO 27001 and ISO 9001 certification, reflecting the team’s commitment to quality and security.

“IO has given us peace of mind that we can address improvements that come out of our audits and measure those improvements. We can see where we’re at, and when we make a change, we can see the impact. The IO platform gives us a really clear view of what we’ve improved on a control basis.”

Jack Salsbury Head of IT and Information Security, Autotech Group

While successful ISO 27001 certification was the core objective, Jack shared that it was equally important that the standard’s best practices were applied effectively across the business:

“The certification is a byproduct of the journey – we’ve done this to improve ourselves as a business and improve our approach to information security management, end user training and processes.”

Jack Salsbury Head of IT and Information Security, Autotech Group

Autotech Group have booked their next three audits with SGG to ensure ongoing compliance and evolve the maturity of their ISMS. Jack said: “One of the things I found most useful about working with SGG is discussing the expected level of maturity of an ISMS as you go through the journey.”

“It’s been great to see the way Autotech Group have matured their processes and policies since I’ve been working with them. I’m looking forward to conducting their internal audits to determine compliance with the requirements of ISO 27001:2022 and areas of improvement as our partnership evolves.”

Chris Gill Head of Cybersecurity, GRC and Auditing, SGG

Next Steps

The team are working on Autotech Group’s GDPR compliance over the coming months. Using the IO platform, they plan to start with a gap analysis to identify where the controls they implemented for ISO 27001 certification can align with GDPR requirements and where more work is required.