Appointedd and ISO 27001: What it is and how it happened
We’ve got some big news to share with you – Appointedd achieved its ISO 27001 certification!
If you’re scratching your head at those letters and numbers, don’t worry. All will become clear.
For those who aren’t security experts, ISO 27001 is a standard of best practices for managing information security. As a tech company specialising in online booking solutions, we consider data security really important, and an ISO certification is a great way to formalise that.
We had a chat with Sarah and Gintare from Appointedd’s Information Security Management (ISM) team, the superstars who guided us through this process, to find out more about ISO 27001 and what it means for us and our customers.
It’s a standard centred on creating an Information Security Management System, which is a way of describing the processes and guidelines governing the way we work in relation to information security. ISO 27001 focuses on three main areas – the confidentiality, integrity, and availability of information and the facilities used to process it.
When did the process of working towards accreditation begin?
The conversation began well before the process actually started! It’s something we had been talking about for a long time, but we began thinking about it seriously in May last year (2019). After the initial discussions and some in-depth research, we made the decision to go ahead with it. The process really kicked off in June.
Who was involved with it?
We figured we would need a range of superpowers to get Appointedd’s ISO 27001 accreditation over the line – technical and operational knowledge, as well as the drive to turn our plans into action. As ISO touches every area of the business, those involved had to know the business, and how it operates, from top to bottom.
We decided we would have Sarah, our COO, Greg, our CTO, and myself as Finance & Operations Assistant, driving the project, supported by our CEO and the board.
The whole team effectively got involved in the process so we tried to make it fun. We had a few ISO pub quizzes (that got pretty heated) so I think we got the message across!
Can you tell us about the audit — how it’s carried out, who by, and what happens?
The final audit consists of two stages and is carried out by an independent third party. Stage 1 is about having the right processes in place; Stage 2 is about making sure we are adhering to these processes. During Stage 1 there is a review of Information Security Management System (ISMS) documentation – the auditor is checking if the scope is defined, the risks are identified, the statement of applicability is completed, and whether everything has been documented in company policies and processes.
Stage 2 assesses how the ISMS is implemented – basically, whether we’re doing what we say we do. The auditor checks this through a series of interviews with members of staff. Thankfully everyone at Team Appointedd sailed through the interviews and the auditor was really impressed! We were called out for two areas of best practice, where we had gone above and beyond what was needed. The auditor said that we’d embraced the ISO 27001 standard, the awareness of the standard was threaded throughout the organisation, and that it was clear we viewed the security of our clients’ data as a priority.
When did you get the good news?
The good news reached us on Friday the 31st of January that, after everyone’s hard work, we had achieved our ISO 27001 accreditation! It was a great way to end the week! We had the certificate in our hands by the 10th of February, which meant we could officially share the good news.
What does ISO 27001 mean for customers and the business?
At Appointedd information security has always been important to us, and we’ve always taken the security of our customer, employee, and business information very seriously. The process of getting accredited was really about formalising a lot of the good processes we already had in place. Our ISO 27001 certificate represents the hard work we’ve put in every day to stay secure, and is proof that the data of our clients, and their customers, is safe with us.
What happens now? Any next steps?
We’ll have annual surveillance visits for the next two years, and a recertification after three years. ISO 27001 is all about continuous improvement – not only will we be making sure we follow our policies and processes and reviewing them regularly, but we will also be doing so with a view to improving our ISMS and deepening our knowledge in the field.