In this interview, we want to highlight Sofico’s reasons and recommendations when starting an ISO 27001 certification program as well as the challenges they faced along the way.
This article addresses CISOs contemplating certification and key players in the company who could facilitate the process or use it to benefit their business development. We will talk about the culture challenge, commercial advantages and even the necessity for project management skills.
Thank you to Sven Van den Broeck, CISO at Sofico, for sharing his experience and the fruitful collaboration with our team. Congratulations on getting certified within the defined timeframe!
What were your main reasons for getting ISO 27001 certified?
Of course, one of the most common reasons for companies to start this journey is the need for security governance to face the growing threats. Sven particularly wanted to highlight 3 other reasons that go beyond the security scope.
- Our company growth: With multiple offices, we had a need for more structure and rules to move forward.
- Our customers’ requirements: At first, not being able to positively answer their question ‘are you certified ISO 27001’ was not a dealbreaker. But it entailed an extra internal workload to reassure the client by answering all of their additional questions. But eventually, we felt the urgency and necessity to provide a certificate in order to start new contracts or continue working on existing ones. For service providers, like us, it has become a prerequisite to continue to do business with some clients.
- Be proactive in the face of upcoming, new, or updated national or international regulations: either existing norms become more demanding or new ones appear. This challenging context and regulatory pressure led us to the decision to implement ISO 27001 to prepare for the future.
What was the scope of the project?
Sofico is a software development company with 8 offices spread across several continents. There are around 350 employees working for us currently.
So naturally, the most important areas were related to our development process and to multi-office challenges (including physical protection, cultural and organisational changes).
However, following the meetings – both internally and with Approach – it ‘quickly’ became clear that extending the scope to cover the whole organisation (including people, processes, and technologies) was the best way forward.
What was the necessary investment in terms of resources and time to complete the project?
We had to achieve our certification before January 1st, 2021 and we had 18 months ahead of us to accomplish it. “It is a good thing to have a clear deadline. Because if you don’t have one, it is easier to postpone. So, the first thing to do was a retro-planning and a roadmap, making sure to be certified by the deadline.”
There were two phases to the project:
- The first phase was used to prepare the company for the next step: setting up the team and finding the right candidates internally, informing the whole organisation, defining the scope of the project and the roles and responsibilities (RACI matrix).
- The implementation itself took 9 months as it had to be done in parallel for all 8 of our offices across the world.
The project could have been accomplished quicker, but we chose to take some extra time during the preparation phase (more info in the recommendations chapter below).
To make the project run as smoothly as possible, we created an internal ISO organisation and identified a Local Information Security Officer (LISO) in each office to take point on any local measures. As CISO, I led the newly created team and was appointed as Project Manager Accountable.
Why use an external partner to support your certification process?
“Not using an external partner, without having some knowledge yourself or within your organisation, is a no-go.”
Even after going through ISO 27001 and internal auditor trainings, you only gain insights into what the norm is. They don’t provide you with practical information on how an ISMS runs.
“Getting feedback from an external expert, as well as him challenging our approach is exactly what we needed. It helped us to go from theory to real life.”
Using an external partner to advise and guide us throughout the journey sped up our process.
What are your recommendations for organisations and CISOs interested in an ISO 27001 certification?
During the implementation phase, project management competencies and resources are key.
“Implementing the ISMS is more about project management than technical ability. As Project Leader, I spent almost all my time ensuring all projects were running on schedule. It is crucial not to underestimate the amount of time needed for project management. So, my first recommendation – if you are a busy CISO – should be to assign a dedicated and experienced project manager or outsource the position if necessary.”
Secondly, when planning the budget for the project, do not consider only the costs for an external partner to guide you (you will save time and money with their expertise; it’s a valuable investment), internal resources and the audit, but also set aside a budget to purchase the tools necessary to be able to run an ISMS!
Thirdly, it is important to ensure the resources are available, have the right competencies and are on board with the project. Their cooperation, availability and competence are key to making the process as smooth as possible.
Finally, do not underestimate the importance of the company culture. We could have reduced the time to complete the project, but it could have had a negative impact on our culture. We wanted to ensure we kept our ‘Sofico Culture’. It was a challenge to see how to implement the certification without compromising our way of working. It was vital to ensure everyone in the company understood the purpose of the certification and for them to be able to share their concerns. Furthermore, the feedback allowed us to take a step back and review some of our decisions before proceeding. To get everyone on board, you first need to share the purpose of the project. Allow people to ask questions and challenge decisions; the outcome can only be improved by making your organisation feel involved.
Why did you choose Approach?
Although originally looking at famous international corporations, we found that the personal touch was missing. And it ended up being the most important aspect in the daily collaboration.
“Our preference was working together with a human-scale company and building a strong partnership.” With Approach, we could benefit from strong expertise to guide us along the way without being just another number.
What was the added value of Approach in the project?
One of their added values was their ability to go from theory to practice. Translating the rules into a real actionable plan requires strong field expertise, and our assigned expert from Approach did it very well!
Secondly, they challenged us and made sure we were thorough enough in our implementation. That’s really key if you want to successfully conduct your project in your timeline – but also to be well prepared for the external audit.
And finally, their availability and flexibility helped us to move forward, not being stopped by an issue. During the entire project, questions and obstacles will appear constantly and having the opportunity to rapidly get good advice and recommendations is crucial.
“Even though we have obtained our certificate, I am sure our partnership with Approach has not ended.”