Acing Our ISO 27001:2017 Certification Process

11 Aug 2022

by Elspeth Crawford

In the early days of developing Ardoq, we were curious about the power of using our product. The thinking was that if we could shine a light onto the experience of Ardoq customers, this could generate invaluable insights for the future. So ‘Ardoq-in-Ardoq’ was born. Since then, the potential of this side project has grown into an essential source of learning at our company.

Continuing the story of how we are getting to know our product from the inside out, we look at the Ardoq product features that helped us enhance our ongoing commitment to security. Making use of our innovative tooling, such as our Engagement Platform, sped up the time it took to implement and complete the ISO 27001:2017 certification process. Not only did we meet the requirements, but our product features also enabled us to do this in a way that would align with our goal of nudging, rather than fundamentally changing, Ardoq’s internal security culture.

Speeding Up the ISO 27001:2017 Certification Process

In March 2022, Ardoq attained ISO 27001:2017 certification, marking the success of a process that moved from initiation to implementation in 12 months. ISO 27001:2017 demonstrates our ongoing commitment to security for our customers. It also reflects a significant achievement on the part of the Ardoqians behind the internal process who leveraged Ardoq product features to complete the process in a timeframe that was significantly faster than most companies.

Certifications such as SOC 2 and ISO 27001:2017 require organizations to thoroughly examine their security. The rigorous checks and balances needed to assure compliance are understandably far-reaching. Often, the unintended consequence of ensuring compliance means that attaining certifications can become time-consuming and may interrupt the day-to-day operations of an organization. An added difficulty comes when an organization needs to change people’s ways of working. Let's dive into the process and explore the features of our product that helped us get there.

Working Smarter, Not Harder

So how did we achieve certification in 12 months without fundamentally changing how we do things? Through a process that Ardoq’s Chief Information Security Officer (CISO), Nick Murison, fondly refers to as “eating our own dog food,” we used Ardoq-in-Ardoq. The ISO 27001:2017 certification project began with a gap analysis undertaken by independent consultants who measured Ardoq’s existing processes against the standard. The analysis showed us where we lined up with the required controls, and the good news was that much of our work was already aligned in practice.

After we figured out what gaps needed filling, the next step was to adjust the remaining processes to ensure full compliance. Keeping in mind the goal to avoid creating a bureaucratic burden for fellow Ardoqians, Nick looked for ways to leverage the pre-existing security culture and work smarter, not harder. That’s where Ardoq-in-Ardoq came in.

Automating Process Governance Through Ardoq’s API

With the method and goals of the mission set, Nick next needed to define and demonstrate Ardoq’s security processes. Beyond simply defining the processes, he also needed to monitor them and show evidence that they were working. In a less than ideal setup, defined processes ask people to manually document and explain what they’ve done.

However, Ardoq’s Open API allowed Nick to tap into pre-existing data, such as people and departments. Combined with data from other systems, such as information from security awareness training providers, Ardoq generated dashboard views that reported adherence to process and results. This was valuable to Nick and his team for identifying gaps and deviations. Not only that, but it also provided a foundation for deciding which KPIs to present to upper management.


Taking Control With Application Portfolio Management

Using our own platform established a solid foundation for implementation and allowed Nick to move forward with getting an overview of the company’s security processes and find out:

  • Which applications Ardoq used
  • Who owned each application
  • Whether access had been reviewed regularly

Typically, this type of exercise would be done in a spreadsheet. Instead, Nick used Ardoq’s Application Portfolio Management capabilities to map applications, which enabled him to:

  • Continually track who is responsible for each application
  • Search the application inventory
  • Tap into the relevant data that was already available to him through Ardoq

The quick and easy access to this information meant that Ardoq’s Application Inventory gave Nick a data-driven head start in understanding what assets fit into the scope of the certification process.
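The two preceding sections describe pulling people, department and application data together with training-provider data to report adherence and spot deviations. The following is an added example written for this page, not Ardoq code and not a use of Ardoq’s API: it joins constructed inline records of the kind described (people with departments, a training-completion export, an application inventory with owners and last access-review dates) and computes per-department awareness-training adherence plus a list of applications that lack an owner or whose access review is overdue. The annual training validity and the six-month access-review interval are assumed policy values, not taken from the post.

```python
"""Compliance evidence from inventory data (constructed example, not Ardoq code).

Joins a people/department list with a training-completion export and an
application inventory, all constructed inline, to produce the kind of
adherence figures the post describes: awareness-training completion per
department, and applications whose owner is missing or whose access review
is overdue.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data standing in for what the post says was pulled from
# Ardoq (people, departments, applications) and from a training provider.
PEOPLE = [
    {"id": "p1", "department": "Engineering"},
    {"id": "p2", "department": "Engineering"},
    {"id": "p3", "department": "Sales"},
    {"id": "p4", "department": "Sales"},
    {"id": "p5", "department": "Finance"},
]
TRAINING_COMPLETIONS = [  # assumed export shape: person id and completion date
    {"person": "p1", "completed": date(2022, 5, 2)},
    {"person": "p2", "completed": date(2021, 1, 15)},  # older than one year
    {"person": "p3", "completed": date(2022, 6, 20)},
    {"person": "p5", "completed": date(2022, 3, 1)},
]
APPLICATIONS = [
    {"name": "CRM", "owner": "p3", "last_access_review": date(2022, 6, 1)},
    {"name": "CI server", "owner": "p1", "last_access_review": date(2021, 9, 1)},
    {"name": "Payroll", "owner": None, "last_access_review": date(2022, 7, 1)},
]

AS_OF = date(2022, 8, 11)                     # constructed reporting date
TRAINING_VALIDITY = timedelta(days=365)       # assumed policy: annual refresher
ACCESS_REVIEW_INTERVAL = timedelta(days=180)  # assumed policy: semi-annual review


def training_adherence(people, completions, as_of, validity=TRAINING_VALIDITY):
    """Return {department: (compliant, headcount)}, counting a person as
    compliant only if their most recent completion is within `validity`."""
    latest = {}
    for c in completions:
        prev = latest.get(c["person"])
        if prev is None or c["completed"] > prev:
            latest[c["person"]] = c["completed"]
    totals = defaultdict(lambda: [0, 0])  # department -> [compliant, headcount]
    for p in people:
        dept = totals[p["department"]]
        dept[1] += 1
        done = latest.get(p["id"])
        if done is not None and as_of - done <= validity:
            dept[0] += 1
    return {d: (c, n) for d, (c, n) in totals.items()}


def application_deviations(apps, as_of, interval=ACCESS_REVIEW_INTERVAL):
    """Return {application name: [reasons]} for applications that have no
    owner or whose last access review is older than `interval`."""
    findings = {}
    for a in apps:
        reasons = []
        if not a["owner"]:
            reasons.append("no owner")
        if as_of - a["last_access_review"] > interval:
            reasons.append("access review overdue")
        if reasons:
            findings[a["name"]] = reasons
    return findings


if __name__ == "__main__":
    # The same figures a dashboard would show, printed for a quick local check.
    for dept, (c, n) in sorted(training_adherence(PEOPLE, TRAINING_COMPLETIONS, AS_OF).items()):
        print(f"{dept}: {c}/{n} trained ({100 * c // n}%)")
    for app, reasons in application_deviations(APPLICATIONS, AS_OF).items():
        print(f"{app}: {', '.join(reasons)}")
```

Both functions take the reporting date as a parameter so the same data can be re-evaluated at a later date without editing the records; an inventory export that lacks an owner field or a review date would need a small adapter in front of these functions.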

Leveraging Broadcasts and Surveys

Nick kept the process flowing by engaging with the Ardoqians whose areas related to the ISO 27001:2017 certification requirements. Using the Broadcasts and Surveys features of Ardoq’s Engagement Platform, Nick reached out to the head of each department and received over 65% of the responses he needed within the first week. The typical methods of reaching out in an organization, such as emails and follow-ups, would have added a significant manual workload. Instead, sending Surveys meant that Nick kept the ball rolling and ramped up the overall efficiency of gathering and accessing the information.

Acing the Process Using Ardoq-in-Ardoq

Combining features such as Ardoq’s Application Portfolio Management with our Engagement Platform, Nick could draw on Ardoq’s flexibility to:

  • Find clever ways to automate existing processes around security
  • Speed up information gathering
  • Achieve ISO 27001:2017 certification and demonstrate our ongoing commitment to security for our customers

The benefits of using Ardoq-in-Ardoq weren’t exclusively external. Our product features also allowed us to:

  • Model security processes and procedures
  • Maintain pre-existing ways of working
  • Nudge, rather than fundamentally change, the security culture
  • Get valuable insights into the user experience of a non-EA subject matter expert using our platform

From the outset, we focused our mission on carrying out this process without disrupting or derailing Ardoqians. Although our journey of using our own platform has only just begun, having powerful product features at our fingertips during the ISO 27001:2017 certification process has improved and strengthened our understanding of the product.

Using our product in the same way as our customers grants us the opportunity to shift our perspective and access new insights. The experience of acting as an outside user has heightened our awareness of Ardoq’s features and contributes a crucial part to shaping Ardoq’s continuing growth.


Elspeth Crawford

Whether it's writing her own storybooks or contributing to social justice blogs for NGOs, Elspeth sees writing as a powerful communication tool that can change perspectives and connect people.
