In December 2024, HLB Mann Judd Melbourne became ISO/IEC 27001 certified. To recap, ISO/IEC 27001 is the world’s best-known standard for Information Security Management Systems (ISMS). It defines requirements an ISMS must meet.

The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system. It promotes a holistic approach to information security: vetting people, policies and technology. An ISMS implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.

Conformity with ISO/IEC 27001 means that we have implemented a system to manage risks related to the security of data owned or handled by our business, and this system respects all the best practices and principles enshrined in this International Standard.

Similar to all other certifications and accreditations which we have attained, our journey to becoming ISO/IEC 27001 certified was packed with its fair share of challenges, learning experiences and reflections.

We have set out below some of the key insights:

The time-consuming and iterative process of preparing, updating and reviewing our suite of internal policies and procedures was the first major challenge confronted by the project team. While we had procured the VANTA application to aid with our accreditation journey, tailoring the required policies and procedures to reflect the processes actually followed in the business took more time and energy than first thought. We also realised that we needed to change the way we operated in some areas to align with the better-practice requirements of the ISO standard.

While challenging, this process was made easier by our CIO Pierre Haila of Jeneva, who was ably supported by our IT audit and assurance team, comprising our partner Kapil Kukreja and our managers Harrison Lamond and Amrit Kaur, who guided the overall project team to ensure that we targeted our effort at the areas that required it.

Through this process, all members of the project team developed new skills and expertise in respect of the ISO standards and the accreditation process. As an example, Amrit was able to re-familiarise herself with performing internal audit work as it applies to the ISO accreditation process, while Kapil, Harrison and I became more familiar with all facets of the ISO standards and the associated documentation requirements.

Using the VANTA application as part of the process went some way towards streamlining the implementation and alignment of the information security controls. It allowed the project team to monitor the progress of the implementation milestones and aided the collation and retention of the associated evidence for the audit process. As our IT audit team members were given access to VANTA, they gained first-hand knowledge and experience of how to use the application, and developed a better working understanding of the various control requirements that must be met to become certified. This was a great learning experience for our team and will also benefit our clients when we perform future cyber security related reviews.

Other members of the project team also benefited from the implementation process, gaining invaluable experience of the ISO framework and being exposed to some of the challenging and critical questions raised by our executive team along the implementation journey.

For organisations which still harbour reservations about becoming ISO/IEC 27001 certified, our advice is to press on. After all, becoming ISO/IEC 27001 certified offers some of the following benefits:

  1. Increased credibility – it shows that your organisation takes data security seriously.
  2. Improved security – it helps your organisation to implement better practices to protect sensitive data.
  3. Compliance with regulations – it helps your organisation to better comply with legal requirements.
  4. Reduced risk of data breaches – it helps your organisation to reduce the risk of data breaches and the associated costs.
  5. Competitive advantage – it helps your organisation to stand out from its peers.
  6. Improved efficiency – it helps your organisation to improve operational efficiency and product consistency.

This article was co-written by Harrison Lamond, Assistant Manager Audit & Assurance Melbourne.