How Utonomy achieved ISO 27001 first time with ISMS.online

The Challenge

The business supplies customers critical to national infrastructure who face stringent regulatory requirements. As such, the Utonomy team knew that achieving ISO 27001 certification was a must to demonstrate the company’s proactive information security stance to customers, stakeholders, and prospects when tendering.

Utonomy already had a basic information security management system (ISMS) in place due to the work the team had done to achieve Cyber Essentials certification. However, they knew that the business needed a more comprehensive ISMS to achieve ISO 27001 certification successfully. The company needed a platform to make ISO 27001 implementation and ongoing compliance as easy as possible.

“We recognised that we were going to need ISO 27001 in terms of our relationships with our customers; the industry was becoming more security aware. We’d done a fair bit of work around Cyber Essentials, but we thought, ‘we’re going to need to step up our game.’”

Steve Lewis CTO & CISO, Utonomy

The Solution

Utonomy chose the ISMS.online platform for ISO 27001 compliance and certification, building out all its ISO 27001 policies, trackers and evidence under one roof. Using the platform’s pre-built policy templates as a starting point, Steve and his team expanded on the templates to suit Utonomy’s specific security objectives and ensured they had comprehensive knowledge of the policies and controls making up the organisation’s ISMS.

“We’ve got lots of stuff in the trackers because they’re easy to use,” said Steve Lewis, Utonomy’s CTO and CISCO. “It means that the people who need to be tracking security incidents aren’t likely to do it somewhere else, like a note in a book or in one of our other systems. And that makes it easier to manage and easier to audit.”

The business migrated product risk documentation into ISMS.online to proactively manage product threats and controls within the platform using the risk register and risk tracking. With the linked work feature, Utonomy mapped over 60 risks and associated controls and can now easily monitor and manage product risks rather than updating documentation manually.

“In this new form, it will be much easier to update when we launch new product features or product changes. It’ll be a less onerous, daunting task to try and work through the things we need to change.”

“The templates gave us a structure, and it was an educational way to look at an acceptable description of a process because when you’re coming in cold, it’s always difficult to know how far you have to go with documentation.”

Steve Lewis CTO & CISO, Utonomy

The Result

Utonomy achieved ISO 27001 certification first-time within a year and has successfully passed two surveillance audits, demonstrating the team’s commitment to continually improving the business’s security posture.

The Utonomy team has now started to explore new ways to use ISMS.online for more efficient compliance. For example, the business uses the policy packs feature to deliver and monitor staff security awareness and training. Utonomy then uses these policy packs as evidence that everyone in the business has completed the required training, as the policy pack shows when an employee has ticked off the training activity.

Steve was delighted with their experience: “I’m very pleased with the ISMS.online platform, it did what it said on the tin, and it definitely did help us get our ISO 27001 first time.”

The business also engaged with ISMS.online’s support team to discuss an additional bespoke feature to support the business’s threat modelling capabilities and implemented those features when ISMS.online support provided this within a short timeframe.

“The ISMS.online technical support is second to none, the first line support guys are very knowledgeable about the product and extremely helpful. Impressively, when I’ve needed to do something that is not technically supported by the product, they have worked behind the scenes to help me out and solve my problem within a few days.”

Steve Lewis CTO & CISO, Utonomy

By innovating with the ISMS.online platform, as well as managing ISO 27001 compliance, Utonomy continues demonstrating its strong security stance to external auditors and positions itself as a trusted supplier for its critical national infrastructure customers.

Utonomy also received high praise from an independent consultant who reviewed its security measures as part of a pilot programme for security in startup innovation. By giving him limited access to its ISO 27001 project in ISMS.online, Utonomy achieved an extremely positive report.

What’s Next?

After successfully completing its ISO 27001:2013 surveillance audit, Utonomy is preparing to update to the latest version of ISO 27001, the 2022 iteration of the standard.

Steve and his team are also mapping the company’s product and ISMS controls to the National Cybersecurity Centre’s Cyber Assessment Framework. The team can then produce pre-made content to help customers complete risk assessments around Utonomy as a supplier and show how the product aligns with the Framework.