PRISM INFOSEC is an award-winning provider of information security services to some of the world's largest organisations. Founded by Phil Robinson in 2006, the independent firm now employs 10 staff based at sites in Cheltenham and Liverpool and serves clients across the UK and internationally. Their wide range of services includes but is not limited to: cyber security assessments; governance; risk management; compliance; security consulting; and cloud security.
Building a more resilient business with ISO 27001
“Gaining ISO 27001 certification has strengthened business resilience for our clients not just from a technical standpoint, but from a financial perspective too.”
Phil Robinson, Managing Director, Prism Infosec
“There are many consultancies providing similar services out there,” says Phil, “but our consultants have a different skill set and ethos. They not only have advanced technical knowledge, they also have the business and management skills to ensure their recommendations are practicable and sustainable for our clients.”
As Phil puts it: “This means that our work strengthens business resilience for our clients not just from a technical standpoint, but from a financial perspective too.”
Not only is Prism Infosec certified to the UK Government's Cyber Essentials Plus scheme, it is also a certifying body, so it can offer certification services to its clients too. The scheme independently verifies that an organisation's workstations and internet connectivity are set up securely to the standard defined by the National Cyber Security Centre.
“We fully buy into the concept of third party assessments which help build a much more robust business. So, we set ourselves the challenge of gaining ISO 27001 Information Security Management Systems certification,” says Phil.
“This is obviously more challenging than Cyber Essentials, so we decided to bring in outside expertise to provide an independent view of our own security and assist with the development and implementation of the management system, without affecting the high standard of quality we provide to our own clients.”
They turned to Charmwood Risk Management, a member of the Alcumus ISOQAR Independent Associate Network (IAN) of ISO consultants.
Founder and MD Anthony Matthews says: “We talked through the motivation with Prism Infosec to go on this journey and Phil was quite clear that implementing ISO 27001 would bring discipline to the systems they use to protect their clients' data, and getting certified would demonstrate that they can be trusted to practise what they preach.”
Talking of his role in supporting Phil and his team, Anthony says: “Obviously they already have a lot of technical knowledge in-house as they're leaders in the field. But ISO 27001 is as much about how you approach information security from a management perspective, how you develop the policies and procedures and embed the audit approach into your culture.”
It was a combination of this foresight and good fortune that Prism Infosec implemented ISO 27001 and was certified just a matter of weeks before the Covid-19 lockdown. We asked Phil a few questions about this.
What have the practical benefits been?
It's meant we've been fully prepared in our IT management and business continuity planning. It definitely helped in building our resilience to the pandemic.
As part of the process, we developed a robust set of internal information security policies. Our overall management of IT and documentation has improved.
We've also taken further steps to ensure we have a more mature and robust information security management system within the organisation.
What are you doing better/different now that you have ISO 27001?
Through implementing ISO 27001, we have overall developed a more formal approach to IT systems management. We've also centralised IT security management given the unique architecture and structure of the organisation. But I can't give too much away here given the nature of our business!
How has it helped home-working?
The management system instils discipline and rigour in how you plan things. So, it ensured that we had fully thought through all the risks associated with a potential disruption to standard working as business as usual and that we'd improved our disaster recovery planning.
What were the main challenges?
Given the size of our organisation, ensuring all of the plan was implemented in time for our audit!
How do you think ISO 27001 helps build business resilience/continuity?
The planning process for ISO 27001 ensures that business resilience and continuity is a primary consideration for the organisation, and that has proven invaluable. You also need a roadmap in place to review arrangements and to ensure that planning and testing is in line with international best practice. It gives confidence to all stakeholders including staff and clients.