How Autotech Group Drives Continuous Information Security Improvement with ISO 27001

Autotech Group, an automotive and mobility sector specialist, consists of four brands: Autotech Recruit, Autotech Training, Autotech Academy and Autotech Connect.

The business is an award-winning specialist consultancy driving innovation across the automotive and wider mobility sectors. Through bespoke solutions built around the business’s three core areas of expertise – people, skills, and technology – they’re tackling one of the industry’s most urgent challenges: the growing workforce shortage.

The Autotech Group team needed to achieve ISO 27001 compliance as part of their strategic approach to information security.

 They knew that by building, maintaining, and improving an ISO 27001-compliant information security management system (ISMS), they could ensure the business’s approach to information security was in line with best practices.

ISO 27001 certification would also enable Autotech Group to demonstrate to stakeholders that the business met core information security requirements. Many of Autotech Group’s suppliers and partners required evidence of information security compliance, with requirements often beyond the scope of baseline security frameworks like Cyber Essentials and Cyber Essentials Plus.

This made demonstrating effective information security measures crucial to ongoing success: ISO 27001 certification would be a catalyst for growth.

However, with developing internal ISO 27001 expertise, the team needed additional support to work through the implementation and a platform to consolidate the compliance process.

The team employed the expertise of information security consultants, SGG, and leveraged the IO platform to centralise their compliance management.

Internally, Autotech Group’s Project Manager, Nadège, provided dedicated project management. She aligned the ISO 27001 project structure and responsibilities with internal resources and business requirements to ultimately ensure successful certification.Chris Gill, Head of Cybersecurity, GRC and Auditing at SGG, provided support throughout the certification process. He worked with the Autotech Group team to discuss areas of the standard that were slightly ambiguous and shared best practices for implementation. Chris said: “Both Jack and Nadège had a high level of competence when it came to information security. SGG’s role was to provide clarity on the technical requirements of ISO 27001:2022 and consult on how to effectively implement and conform to the requirements.”

Jack and Nadège used IO’s 11-step Assured Results Method (ARM) to take a strategic approach to implementation. They also used the platform’s built-in policy and control templates and adapted them to ensure they were specific to the context of the business.

Using the IO platform, Autotech Group was also able to map requirements between ISO 27001 and ISO 9001, the quality management standard, and align controls where they overlapped. This prevented the duplication of work and streamlined compliance management across the two standards.

With this holistic approach to compliance across people, process and platform, Autotech Group achieved ISO 27001 certification in 11 months.

The business now has a robust ISMS, and the team are continuing to progress their approach to information security management, committing to the ISO 27001 requirement of continuous improvement. Autotech Recruit is now one of the only recruitment businesses of its size to have both ISO 27001 and ISO 9001 certification, reflecting the team’s commitment to quality and security.

While successful ISO 27001 certification was the core objective, Jack shared that it was equally important that the standard’s best practices were applied effectively across the business:

Autotech Group have booked their next three audits with SGG to ensure ongoing compliance and evolve the maturity of their ISMS. Jack said: “One of the things I found most useful about working with SGG is discussing the expected level of maturity of an ISMS as you go through the journey.”

The team are working on Autotech Group’s GDPR compliance over the coming months

Using the IO platform, they plan to start with a gap analysis to identify where the controls they implemented for ISO 27001 certification can align with GDPR requirements and where more work is required.