With GDPR looming, we chat to DutySheet director, Ben Hayes about his approach to information security, preparing for GDPR and why he decided on ISO 27001.
DutySheet* is the UK’s leading volunteer management services. Provided as a SaaS solution it is used extensively across emergency services such as police and fire and rescue, as well as for volunteering within community services and charities.
What prompted you to consider implementing ISO 27001, Ben?
We’ve been supporting organisations across the public sector since we started back in 2006 and as part of our continued expansion, we decided we should be on the Digital Marketplace.
We started to look at the G-9 security requirements and were also aware of the data protection changes being brought about by GDPR.
Information security is critical to our business, our success depends on it. That’s why we invested early on in Cyber Essentials, and perform regular pen tests on our platform.
We already have robust information security policies in place but it’s becoming increasingly clear that customers, stakeholders, and regulators are seeking assurances by way of externally audited certifications.
Whilst Cyber Essentials was a good basic entry-level certification, it was unlikely to give many suppliers the level of assurance they would need that their valuable information assets are in safe hands.
We looked at Cyber Essentials Plus and we know that may have been acceptable to some of our customers.
However, Cyber Essentials Plus still required investment and we decided that was better spent on formalising our existing good practices and achieving a UKAS accredited ISO 27001 certification. ISO 27001 is recognised as the best practice standard and also addresses the security requirements of GDPR.
Whilst ISO 27001 may not be mandated in G-9, we want to meet and exceed customers levels of assurance both now and in the future.
It made perfect sense to invest a little extra now to future-proof our business and ensure we can demonstrate GDPR compliance by May 2018.
How to implement ISO 27001 was a key issue for you – tell us what steps you took?
We were working with AdviceCloud, experts in G-Cloud submissions, and mentioned we were looking for the best approach to achieve ISO 27001 certification quickly and efficiently. They introduced me to ISMS.online.
We’d already looked at a couple of other ISO 27001 software solutions but, on seeing ISMS.online the difference was clear, and this was backed up by the team behind it.
Not only did you have an easy to use ISMS platform, but the built in usable policies, controls, and other content got us way ahead, straight out of the box, the day we started.
We were also delighted when we realised we could prepare to meet GDPR on the platform too.
The ISMS.online team went out of their way to ensure we had the confidence and capability to execute our ISO 27001 implementation. We took advantage of the additional support package and now meet regularly online to address areas we’re not sure on. It really keeps us on track and continues to build our confidence too.
Were there any barriers to adopting the ISO 27001 standard?
We did a lot of research and, as an SME, were fearful of how difficult or time-consuming ISO 27001 might be.
Thankfully we found ISMS.online. You gave us the confidence we could achieve it quickly and at a price that made it affordable for SME’s.
Taking the ISO 27001 approach means we’re also well on our way to meeting the requirements of GDPR. The additional tools in the platform will help us manage some of the required processes, such as Subject Access Requests, on an ongoing basis.
The team at DutySheet are focused on their goal of obtaining ISO 27001 certification and, unsurprisingly, have quickly taken to the ISMS.online solution. It’s a means of not just describing their ISMS but also demonstrating effective information security controls, to the ISO 27001 standard, now and on an ongoing basis.
DutySheet are well on their way to ISO 27001 success and GDPR compliance You could be too...
You could be too…