Reflections on achieving ISO27001 certification and GDPR compliance
Self-reflection is something I've been really focusing on in 2021, and in that spirit here are some of my reflections on leading Aiculus through its ISO27001 and GDPR journey.
I joined Aiculus in May 2020, and I was given the sensitive and strategic task of building the company's cybersecurity posture and resilience. Having worked within the financial industry for 15 years, which is highly regulated with structured processes, I must confess that it was a weird feeling when I joined the start-up world. I used to be a follower of policies and procedures but had no clue what it really took to build them. I was now challenged to be on the other side, where I had to do the groundwork to implement policies and procedures, and build the foundational blocks around risk management and compliance. I was so inspired by ISO that I ended up completing my ISO27001 Lead Auditor certification this year and got the opportunity to interact with some brilliant minds across Australia and the UK. When we completed the Stage 2 audit for ISO27001, the report showed no major or minor non-conformities, and I am over the moon to see Aiculus ISO27001 certified and GDPR compliant.
Here are a few valuable lessons which stood out for me in the ISO27001 and GDPR journey:
From Distraction to Action
ISO27001 contains mandatory clauses and hundreds of controls, which can be quite overwhelming to implement, and resource limitations, in terms of budget, personnel, etc., can get tricky. One of the key things that helped me move ahead with confidence was to see the broader picture, and to be strategic and tactful about how to prioritise control implementation. I learnt about how taking small steps every day, rather than setting lofty goals, can help to achieve small successes worth celebrating. I attended an event a few years ago where I learnt that knowledge is king, data is queen, but delivery rules. Working on ISO has been the best venture for me to experiment with delivery, enjoy failures and learn from them.
When there are resource limitations, one needs to get creative. Therefore, I collaborated in leading an internship program with universities across Australia to onboard interns on specific research projects. It has been amazing to see the commitment and brilliant research work that the interns have accomplished. I learnt a lot about people management, cross-cultural barriers, diversity of ideas and managing conflicts, and was also able to hone my leadership skills. While helping Aiculus achieve its goals, the interns learnt a lot along the way, and most have even been able to secure permanent positions in cybersecurity and data analytics after successful completion of their placement. We lived the Aiculus values by creating a positive impact in the lives of the people around us. One does not need a lot of money or resources to be impactful, only the best intentions and a willingness to help. Today, our success is their success, and their success is ours.
Automated GRC Tools
As a cyber lead, I found the journey to achieve ISO very expensive and stretching resource-wise. I did a survey on LinkedIn to understand what other execs found most time- and resource-consuming in their certification journey. It was not a surprise at all to see that compliance topped the list, followed by people and skilled professionals and then cyber tools. Auditors check for compliance, and it's important to get this right by leveraging specific GRC tools at the very start of control implementation. There are several GRC tools out there, and the most important initial step is to evaluate what is best for the strategic direction. Like Aiculus, many organisations don't simply stick with one or two certifications, but continue acquiring certifications as a key differentiator to show their commitment to security. The choice of the tool is paramount, as it has to be able to evolve with compliance requirements. When I was first introduced to the GRC tool we are currently using within Aiculus, I liked the tool and, as I got more hands-on experience with it, I could see its great value. It challenged me to use all the functionalities, which helped with compliance, and it proved to be very efficient and effective, even during the auditing process. I did not have to maintain spreadsheets, set calendar reminders or have evidence scattered here and there; instead, everything was structured, organised and ready to be audited at any point in time. Automated GRC tools can alleviate pain points, and the choice of tool has a definite role in helping to navigate this tedious certification process; it has allowed me to focus on other business objectives and my own professional goals. I learnt that automated tools are useful and help to get more things done in record time, but risks can only be addressed with interlinked people, processes and technologies.
Attaining certification has never been a standalone process but a collaborative endeavour, and I've learnt so much from all my team members. I'm honoured and humbled to be around people who challenge, encourage and support me one hundred percent. I've learnt that work is not only about the daily tasks we set out to do but the experiences, friendships and growth along the way. The certification journey can be daunting, and articulating security issues in business language is an art which I'm still mastering. I believe that I have been provided with the opportunities, tools and guidance to help me broaden my horizons, to learn and grow my knowledge within the cybersecurity domain. I'm excited to see what the mysterious future has in store to make my story even more rewarding.