Our journey to ISO 27001 compliance and how it’ll benefit our customers 🔒

Hi Martyn. Massive congratulations for overseeing our recent ISO 27001 accreditation! You did an amazing job 🎉 For those of us that aren’t well-versed in IT security, can you tell us what becoming ISO 27001 accredited means?

Sure, I’d be happy to. Essentially, achieving ISO 27001 confirms that we have an Information Security Management System in place. The accreditation shows that we have a comprehensive auditing framework, and that we’re committed to continuously monitoring and improving our security.

Why was it important for Tillo to gain ISO 27001 accreditation and how will it benefit our clients?

As Tillo has grown, so has the size of our clients and the volume of transactions being processed through our platform. While we have always taken information security seriously, we wanted to use the accreditation to formalise our existing security posture. 

Our certification in ISO 27001 should give our clients confidence that we take information security seriously and that we have stringent measures in place to protect their data. 

Unlike the PCI DSS (Payment Card Industry Data Security Standard), ISO 27001 doesn’t just focus on card payments/processing but on all information security and business continuity, ensuring risks to the ongoing running of the business are mitigated.

Can you give us a brief overview of the process and what was involved?

Of course, although it’s quite a long list of requirements so bear with me! I’ll do my best to keep it brief:

1. First of all, we conducted gap analysis with a third party to identify what was already in place and what needed to be introduced.
   
2. We then established a project team with representatives from the main teams impacted.
   
3. Then we worked on documentation. This involved the creation of new policies and updating existing ones to ensure compliance, and also documenting all of our internal processes.
   
4. The next priority was setting up ongoing security compliance training for everyone in the company.
   
5. We then set out 16 security objectives & KPIs to continuously measure & improve upon.
   
6. We built a new SIEM (Security Incident Event Management) system to centralise & manage all logging & monitoring.
   
7. Finally, we set up a regular internal audit process to monitor adherence to our policies.

As you can probably tell, the process was very time consuming and we were being held to exacting standards throughout.

Yes, that is certainly a lot to get through! I’m curious about Tillo’s Cyber Essentials Plus accreditation as well. Can you tell me the difference between the two certifications? 

Cyber Essentials Plus has a narrower focus on IT systems, with strict rules that must be adhered to and demonstrated. The CE Plus certification process involves verification that devices meet the expected standards through the use of scans of your network & computers.

It can be a great baseline to start with but ISO 27001 has a far broader remit as well as a focus on continuous monitoring and improvement.

Do you have any advice for other companies that are thinking of undertaking an ISO 27001 accreditation? 

In terms of advice, I’d start by picking a partner you can work with who has experience with the ISO 27001 process and can help you through it. We have a long-standing relationship with ZeroDayLab who have extensive experience in cyber security, governance, risk and compliance.

Don’t underestimate the breadth of the work though. Although ISO 27001 is focused on IT and information security, it impacts all teams including HR, Operations & Finance.

Also, focus on providing ongoing training and awareness for your employees and get people involved early on so that they understand the process. Ultimately, if you want to really benefit from ISO 27001, it is crucial to embed it into your business processes.

Thanks for your time today Martyn, congratulations once again!

If you'd like to find out more about how Tillo helps retailers and partners harness the power of gift cards, click below 👇