The IT security climate has changed dramatically, and our decision in 2017 to become ISO 27001 certified is paying off! Our proactive efforts have put us in an enviable, strategic position.
Data privacy in market research is critical, and The Olinger Group has always been aggressive in our efforts to maintain data confidentiality, integrity, and availability (a.k.a. “CIA” in information security parlance). But the ISO 27001 standards and certification took us to a whole other level.
Instead of reactively responding to threats, we proactively safeguard data with our established, tested, and well-oiled policies and procedures. This gives us and our clients layers of security most businesses don’t have in place.
And I am happy to announce that we just passed our ISO recertification audit! We are seven years strong, and only getting better!
What is ISO 27K?
ISO 27001, or ISO 27K for short, is a well-respected international set of standards for how to establish, implement, maintain, and improve an information security management system. In other words, it is a collection of the best of the best practices – the gold standard – of how to keep sensitive information safe.
Back in 2017, I knew we had great protocols in place, and we were compliant with HIPAA and other legal requirements. That wasn’t enough, though. Clients started asking if we were ISO 27001 certified.
The handwriting was on the wall. We knew the demand for data security would increase, although we didn’t realize how much and how fast! We also knew it was just a matter of time before clients and the market research industry in general would require an ISO 27k certification.
So, we jumped on board and started the process.
What are ISO 27K standards?
The standards – and there are a lot of them! – help you identify, address, and manage every possible risk or vulnerability threatening your confidential data.
Basically, they force you to question everything:
- What do we have?
- What are we missing?
- What if?
- What then?
- Who? What? Where? When?
- Why? Why? Why?
You create policies that cover each standard, and then, during the annual audits, you prove that you are actually doing what you said you would in the policy.
Getting ISO 27K certified
It took us a year to roll it out. Don’t get me wrong; we wanted to do it faster. It’s like weight loss – how great would it be to lose 20 pounds in one month! Let’s do this!
But it takes time. You need to implement one or two things at a time and see if they work before making more changes. Otherwise, you risk crippling your business.
Stretching it out over a year allowed us to do it right. Rather than pushing too quickly, we did the following:
- Looked at a process from every conceivable angle
- Tweaked it a little to meet the standard
- Wrote a detailed policy
- Collected evidence on everything
- Asked if the revised process works
- Adjusted the process and policy, if necessary
- Gave the stamp of approval to the process
- Moved on to the next process
Don’t check the box
I remember as a child seeing people slap a home security sticker on their window to trick others into thinking they had a security system. It looked impressive, but there was nothing there.
I didn’t want that for The Olinger Group. I didn’t want to slap, or place, an ISO logo on our website unless we fully integrated the standards all the way through our business. That is the only way it would be real. Plus, I knew that if management didn’t take security seriously, how could we expect our employees to do so?
Getting certified is a heavy lift, and there were times it felt like overkill. We wondered if it was worth the extra work and effort. Now I know absolutely that it was. We have a system in place that protects us in ways I didn’t even know we were going to need.
More and more I hear business leaders – not just in market research, but all around – lamenting the scary state of data security. They would like to be ISO 27k certified, but they know it is going to be very difficult to roll out now because the environment is getting more complicated and complex by the hour.
I am very happy and proud of the fact The Olinger Group got certified seven years ago. It’s not that I ever sleep any easier over risks and threats, but I know we are doing our part to get ahead of it. Our investment in ISO 27K has paid off. We proactively manage, update, and improve our system instead of reactively responding to threats.
We can prove that we are doing everything we can to keep confidential data secure.
If you liked this or any other blog, feel free to leave us a comment and also subscribe so you can be notified each time we post.
