Welcome to Amtivo in Ireland, formerly Certification Europe and EQA


Blacknight

ISO 27001:2013 Certification

Blacknight is Ireland’s largest web host and domain registrar and is 100% Irish owned.

Introduction

Blacknight have data centres in Carlow and Dublin and peer directly with INEX, as well as several other locations around Europe for super-fast connections to the wider internet.

In this case study, Blacknight speak about their experience with the ISO 27001:2013 Information Security Standard. We explore the challenges they faced, why they chose ISO certification as the solution, the objectives they set, and the benefits they have gained from it.

The case study is followed by information on ISO 27001:2013.

The Challenge

In 2016, we [Blacknight] already had existing systems in place for the security of data, but we quickly realised we needed something more. Initially, we were looking to provide some assurance to our customers that we were serious about securing the data they entrusted to us. As the company grew, we realised that managing security was becoming more difficult without a framework to work within. Increasingly, enterprise-level customers were asking for certification and evidence of compliance, and we realised certification was necessary to compete in that space effectively.

Because of the rapid developments in technology and continuous threats online, our customers now expect us to have the highest standards of security management systems in place, where we can reassure our existing and potential customers that we meet those standards with our ISO certification.

The Solution

First and foremost, to have a risk framework to work within to ensure we were controlling, monitoring and measuring what needed to be managed from a security perspective, and that the framework was externally assessed regularly, thus avoiding complacency setting in. The cyber threat landscape has changed over the past 5 years and the risks to business are growing. Senior management, regulatory bodies, existing and potential customers need assurance that we are aware of and can adapt to the threats.

ISO 27001 is internationally recognised as a security standard. Because it maps closely to privacy (GDPR) and NIS compliance requirements, it simplifies the process of demonstrating security compliance to regulatory bodies and to customers. For example, lengthy third-party supplier questionnaires, contract queries and privacy queries can in many cases be circumvented by providing the certificate as evidence of compliance.

Business Objectives

Being ISO certified for us is not only about following best practices but also how we communicate that with our customers, so they are reassured we are following the highest standards. The benefits of being certified allow us to increase transparency and assurance for our existing customer base. Not only does our certification build on existing relationships, but it also helps to develop relationships with new customers by having that extra trust signal.

The increasing demand for cloud, dedicated servers and colocation services was (and is) a key driver to growing our business. Security is a key component of the value chain; aiming to meet those customer value-added needs is where we aim to differentiate ourselves from our competitors. Having a framework that is consistently being assessed and developed is something that we continue to aim for.

Having a framework means that we are always developing our internal processes for ongoing security assessments, as well as preparing our strategy for business continuity. The initiative helps us to continue to grow and develop our brand equity by having a strong and trustworthy brand.

Benefits of ISO 27001:2013

Being ISO certified has enabled us to develop and grow our enterprise business. The certification has ensured that all staff have training on a regular basis, which means that all our staff understand the importance of information security management and are more vigilant and aware of ongoing threats. This training is reflected when our customer-facing staff can communicate that effectively with new and existing customers, which has assisted in the growth of our enterprise business.

Increased cyberthreats and customer concerns, further compounded with privacy requirements when GDPR was enacted. We needed a framework in place that ensured we were constantly improving and managing security because of the ever-changing threats in the online world, thus ISO 27001 was ideal for our needs. Implementing ISO 27001 made us consider our security posture from many different angles including suppliers, business continuity, physical and logical access to data.

The implementation was timely and prescient because it reduced the workload involved in GDPR and the subsequent growth in customer queries relating to security. As a DSP it also reduced the workload involved in demonstrating NIS compliance and has helped foster relationships with the NCSC / CSIRT.

What is ISO 27001:2013 Information Security Management?

ISO 27001 is the globally recognised international standard for managing risks to the security of information you hold. Certification to ISO 27001 allows you to prove to your clients and other stakeholders that you are managing the security of your information. ISO 27001:2013 (the current version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS). The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving your ISMS.

The ISO 27001 standard and ISMS provide a framework for information security management best practice that helps organisations to:

  • Protect client and employee information
  • Manage risks to information security effectively
  • Achieve compliance with regulations such as the European Union General Data Protection Regulation (EU GDPR)
  • Protect the company’s brand image
