At Stellarmann, we've always taken information security seriously. We understand that we are handling high volumes of sensitive data on behalf of regulated blue chip clients working in the City of London, which can include details of how they are implementing change programmes through to personal details of associates working on projects.
That's why we decided to go through the process of gaining ISO 27001 certification for information security. This allows us to give a level of confidence to our clients about how data is handled, but also to receive independent expert advice on areas where we could improve.
The ISO/IEC 27001 standard enables organisations to establish an information security management system and apply a risk management process that is adapted to their size and needs, and scale it as necessary as these factors evolve.
We were delighted to achieve the accreditation successfully at the first attempt at the end of 2023. Head of Operations Danielle Leggatt took the lead on the project, so we asked her "how was it for you?" and what she'd learned from the process.
How did you find the process?
"We worked with an ISO consultancy to make sure we had people with experience looking dispassionately at our policies and procedures. We also recruited a full-time Operations Assistant, the marvellous Elle, who had experience maintaining an ISO accreditation with a previous company and was also able to give us the benefit of what she'd learned."
"Our journey began with a very large risk assessment, which was the result of depth interviews with all the heads of departments at Stellarmann. It allowed us to measure our baseline and think about our attitude to risk."
"The good news was that our IT set-up was robust and sensible, and a lot of the way we work intuitively already protected our data securely. We have a high-quality training programme around data security that all staff members must complete, and good practice is often modelled by the team. As is often the case with fast-growing companies though, we just needed to be better at documenting what we do."
"Rather than having policies written for us externally, we wrote them ourselves based on current working practice, which made sure they were workable, realistic and not just box-ticking exercises. We then enlisted the help of a SharePoint consultancy to create a policy hub, allowing simple access for every member of staff."
What has been your proudest achievement?
"We had management buy-in from the beginning, and getting engagement from everyone was therefore easier than expected (albeit with a bit of 'encouragement'). But what I'm especially proud of is the fact that our team are not afraid to report suspected data breaches. We don't have many at all, and the truth is, they are most frequently down to human error. For instance, clicking on a suspect link in a spam email. But rather than sit on that and say nothing, our team know to report it, confident that we don't play blame games and just want to find solutions."
Admit it. Did you secretly enjoy this?
"I actually really enjoy process improvement, and I am quietly really pleased that our new policy hub makes finding things so much easier. I am also looking forward to working through our opportunities for improvement, none of which are critical, but which will make our processes better. One example is how we will label our assets to ensure that when we roll out AI tools such as Microsoft Copilot, we won't disclose information that is classified or confidential."