With new technology come new challenges in data security, and as we move away from pen and paper and into a new world of Data Protection and GDPR, we wanted to make sure Cornerstones was up to speed, ready for change and promoting best practice.
At the end of December 2017, we met with an expert consultant, Caroline Kaye, to find out what would be involved to gain ISO27001:2013 accreditation. ISO27001:2013 is an internationally recognised standard that encompasses all aspects of information security across all company operations, systems and management.
We decided to embark on this journey for a number of reasons. Firstly, with the implementation of GDPR looming ever nearer, we knew we’d have to make some changes to ensure that our internal procedures were compliant, and that data was being stored, transferred and deleted correctly. ISO27001 is a great place to start as it forces you to evaluate types of information across the company.
Secondly, ISO27001 isn’t just about getting a certificate and a ‘you’re approved’ stamp; it’s about establishing, implementing, maintaining and continually improving a security system throughout the company forever.
Finally, Cornerstones have some big developments ahead, and we are committed to making sure that we start with a robust application that has been built on the principles of data security and privacy by design.
So what have we done?
There are 3 main steps to becoming certified.
- Do a coverage check!
Using the ISO27001 standard, we sat down and identified all the statements that were applicable to us and highlighted whether or not we had each one covered. This helped us create our Information Security Management System, a library of policies, procedures and documents that explain how we look after our company, and all the people, assets and data inside it.
What we found was that on the whole, we were pretty good at managing risks, and making sure things ran smoothly but although a lot of the processes we needed were already in place, there wasn’t always a procedure written down for what to do.
- Practice what you preach!
We’ve had to start living and breathing information security. Much as it would be lovely to have someone sat in an office managing all of this, it’s impossible to do alone. We have an amazing Information Security Team who make sure things are running smoothly and meet every month to review, update and communicate any changes, but we’ve also had to get all the staff at Cornerstones onboard, as well as our suppliers, contractors, and schools using our materials.
Earlier this year we contacted all our schools regarding our compliance with the GDPR, and have since updated our systems to give control back to you, so all management of user accounts is now done in school rather than through us.
- Get audited!
The final step is to prove that you are doing what you have said you will do. This is measured through internal audits against the applicable statements. We must audit each one at least once a year, as well as having formal surveillance audits. The formal audits take up to 4 days and are very intense. Our certification body, BSI, come in and spend 4 days looking at all aspects of the business and quizzing our Information Security Team.
We’re delighted that all our hard work paid off, especially in such a short amount of time. The company has gone from strength to strength and we are really starting to see the benefits of having such an efficient Information Security Management System in place.
Our goal now is to build and maintain the high standards that we have set for ourselves so that schools that use Cornerstones Education can rest easy knowing that everything we do has information security in mind.
If you want to find out more about ISO 27001, take a look at the International Standard Organisation’s (ISO) website: https://www.iso.org/isoiec-27001-information-security.html