There’s often a perception that SMEs in the creative world can be a little bit cavalier when it comes to information security. No processes, evading audits, using smoke and mirrors with customers. I know it’s the wrong perception, but I can see why it exists.
I’ve been at 383 for almost seven years and in that time, I have seen the advent of GDPR, implemented data protection impact assessments, validated cross-border data transfers, developed umpteen data-based policies, and considered the impact of how our teams securely access and process information in the world of remote working.
We are always on the lookout for how we can consistently improve and manage information security, and give our clients and partners all the confidence they need to trade with us. And, at some stage, you have to look beyond yourself for a better way to do things - and adopt a method that gives clients and partners maximum confidence in your security and how you operate.
When we’re developing products for our customers, we could be building something that’s going to be processing thousands of confidential records a day. That’s a lot to consider and it’s far more appetising to govern it all under one framework, preserving the integrity, availability and security of all the information in our midst.
We wanted our clients to be assured that their confidential data is handled with utmost care, protected against unauthorised access and breaches, and bring a uniform approach to information management across our business.
We needed an accreditation that signified 383's compliance with internationally recognised standards, demonstrating our dedication to maintaining the integrity, availability, and confidentiality of client information.
So, back in 2022, we decided to pursue the globally recognised ISO 27001 standard for Information Security.
You can call it a growing-up moment, but really this was about maturity. We needed a system that allowed us to audit and regulate our policies and processes - everything from secure development, to staff training and device management.
The Information Security Management System (ISMS) template from the standard gave us all the guidance we needed to develop a living, breathing and consistently improving ISMS within 383.
A team effort
Bringing together a cross-functional team with experience across customer, user, supplier, staff and candidate data points was our first port of call.
Between us, we developed new policies, reviewed and iterated processes, established a risk register, identified opportunities for improvement, and set up our first Information Security board.
We had several months to prepare for an independent audit with NQA, and while that seemed daunting, the majority of our work was already done. We just needed the ISMS to bring all our information security policies and practices together, review what we had, and make it consistent.
We also set up effectiveness registers to internally audit areas such as staff knowledge, asset logs, and software maintenance. And the best thing is that all of it is structured in a way that lets us regularly review and improve how we do things.
I’m chuffed to say we sailed through our audit and achieved ISO 27001 accreditation a few weeks ago.
It’s a significant milestone for 383, and means our clients and partners can be more than reassured that their information is safe with us.
We can give them our certificate, and full access to our ISMS in a heartbeat, safe in the knowledge that we’ll be working even harder to improve it all again at our annual audit next year.
By sticking to ISO 27001’s unified framework, our clients gain peace of mind, knowing that their data is safeguarded and handled according to stringent security protocols here at 383.
Our ISO 27001 accreditation removes any doubt that, as a creative agency, we might not take information security seriously. It strengthens our client-agency relationships, offers transparency, and instils confidence in our ongoing commitment to data protection.