How to become ISO 27001 accredited using an Agile Approach.

Laura Daly
Flo Health UK
Oct 11, 2022 · 6 min read

By Shalisa Ogeer and Laura Daly

Introduction

Flo Health achieved ISO 27001 accreditation on a swift timeline of just 9 months and became the first period & ovulation tracker to achieve this industry-leading security standard. The independent external audit identified no non-conformances and recognised many areas of excellence, which is an exceptional accomplishment.

We will take you through how the processes were defined, implemented and embedded to demonstrate this remarkable level of compliance.

About ISO 27001

ISO 27001 is an international, hallmark security standard that comprises a management system and 114 controls that should be implemented and embedded in an organisation’s processes. Flo completed a total of four audits to demonstrate compliance and gain certification.

Agile Approach

Flo’s infrastructure consists of an extensive collection of inter-operating microservices. Each service is developed, deployed, operated and supported by an autonomous, self-managed and self-organised team. Therefore, when implementing the ISO 27001 project, we had to be sure to apply the fundamental methodologies of agile. In theory, Scrum and compliance do not sit naturally together; however, we have seen many advantages to this approach. Here are the top 5 benefits we realised from implementing this security standard using Scrum.

1. More Control: Incremental development had tremendous value for the project team and stakeholders. The policy creation, evidence collection and all ISO-related work could be broken down into manageable parts and conducted in rapid, iterative cycles. Daily stand-ups, grooming, sprint planning and the other regular meetings that are part of the Scrum methodology allowed all stakeholders to share progress, discuss problems and work out solutions as a team. Not only did this make the entire process more transparent, but it also surfaced risks and issues early so we could treat them sooner. Scrum complemented our approach because we had a clearly defined team responsible for the implementation, meeting frequently to ensure project success.

2. Better Quality: The agile method also enhanced the quality of our ISMS because through each iteration, we could analyse the outputs of the ISMS, identify problems, create solutions and see areas for improvement quickly and efficiently.

3. Higher Stakeholder Satisfaction: As we implemented the ISMS throughout the organisation, project contributors came from different teams. Therefore, it was paramount that we had defined ways of communicating and engaged with them frequently. Scrum ceremonies ensured the project team could regularly check in with stakeholders and the project team/contributors. The sprint demo allowed the team to showcase the project increments to all stakeholders, which allowed for close collaboration and ensured that project stakeholders could provide immediate feedback to the project team.

4. Better Productivity: The incremental nature of Scrum meant that we could deliver a monumental project like ISO 27001 in just nine months. Working in 2-week sprints allowed us to break down all the work and make it more manageable. It also allowed us to implement necessary changes quickly during the process and highlight any issues that would impact project success. Scrum allowed us to establish a strong organisation around the project where everyone knew their responsibilities, which also helped us to reduce implementation times and gave a clear definition of who was responsible for each requirement and how to implement it.

5. Return on Investment: Adapting this project to an agile environment allowed us to complete it faster, which kept us ahead of the competition and made us the first period and ovulation tracker to be ISO 27001 accredited. It also meant that we could quickly begin reaping the benefits of implementing this security standard through the notable enhancements in our security posture.

The Controls, Process Implementation and Embedding Continuous Improvement

People, processes and technology form the triad behind any effective control. People are the key to ISO 27001, and each department operates a set of processes. We followed five steps to implement the controls.

1. Controls Management: The key to embedding the 114 controls is determining each domain’s control owners. A walkthrough of the control area with the owners will allow you to identify any gaps and risks. Based on the walkthrough, you can rate each control in terms of maturity and document any gaps in a risk treatment plan; it is the control owners’ responsibility to remediate those gaps and bring the control to the agreed business maturity.

2. Policies: The policies are documented for each domain and reviewed by the control owner, who takes accountability.

3. Evidence: Once the control owners embed the processes, they can begin generating the evidence for the relevant audits.

4. Management Review: The Privacy, Security Steering Committee was established, to which the governance and management review of all aspects of the ISMS was presented for steer and approval.

5. Audit Training: We trained each control owner on the audit process and the requirements of the standard. This ensured they could discuss how they implemented the controls within their area of responsibility, produce the evidence and explain the organisation’s approach to continuous improvement and automation, which is the cornerstone of any agile tech company.

5 Tips on a Successful Accreditation

We know that becoming ISO 27001 accredited can seem like a daunting project (trust us, we were there not so long ago), so we wanted to leave you with our top 5 tips for a successful accreditation.

  1. Implement a robust approach to Risk Management: ISO 27001 is a risk-based management system, so identifying and appropriately managing risk is fundamental and critical to your success. We continuously review and improve our Risk Management process; as the business scales, we must adapt to meet ever-changing market and industry demands while our risk exposure inevitably keeps growing.
  2. Get Senior Leadership Buy-in: To grow a positive security culture, we needed senior management to show others the way forward. The journey to ISO 27001 accreditation gave us the springboard to get the organisation talking about security, from senior management to new joiners; everyone began to understand the importance of security and that everyone at Flo plays a role in keeping Flo secure.
  3. Be flexible: The art of embedding any standard is the ability to implement the requirements into the business-as-usual (BAU) activities of the organisation. Therefore, we did not change the organisation’s working methods to meet the standard. Instead, we adapted our approach to compliance to enhance and complement what Flo employees were already doing. Integrate the controls and let everyone form part of the journey, from leadership to operational requirements.
  4. Prepare, prepare, prepare: Audit meetings are never easy to prepare for, and you can never pre-empt what an auditor may request on the day. We found it paramount to prepare as much as possible for the audits by having a repository of evidence to hand and preparing all control owners for a range of questions across a range of scenarios.
  5. Measure progress: Featuring our ISO 27001 implementation progress in company-wide objectives ensured that everyone at Flo was aware of the project’s progress and was part of the journey with us. It also meant that everyone at Flo celebrated the project’s success as we achieved accreditation as a united team.

Conclusion

The journey, hard work, time and effort were rewarding for us. We believe that with an open mind and unwavering tenacity, we could make the best of the situation and not allow the situation to get the best of us. We hope we have helped you see that you don’t need to accept a rigid security standard that will strangle your agility. There is enough room to make it work and to strengthen Scrum rather than weaken it. Becoming the first period and ovulation tracker to meet world-class security standards is part of history. We have now built a concrete foundation to pursue other certifications and continue demonstrating Flo’s commitment to security.

There were many key learnings and struggles along the way, but we were successful and hope that sharing our experience and knowledge will help you on your ISO 27001 journey.

Authors: Laura Daly, Security Product Manager at Flo Health; Shalisa Ogeer, ISO Security Manager at Flo Health.
