The fast track to ISO 27001: How CoreStream achieved certification in just 6 weeks (Case study by The British Assessment Bureau)
26 Sep
CoreStream recently achieved ISO 27001 certification with BAB. It was a natural step for the company, since CoreStream themselves provide software products based around Governance, Risk and Compliance (GRC). Here, we talk to Richard Eddolls, who was responsible for implementing the information security management standard, to learn how their GRC Platform helped them achieve certification in just 6 weeks.
Identifying an opportunity in the market for a solution that helps organisations cope with increasing regulatory and ethical obligations, CoreStream developed their GRC Platform to help customers clearly document and manage their policies, risks, processes and controls. ISO 27001, therefore, gave CoreStream an opportunity to walk the talk, whilst certification would give the added credibility from being checked by a third-party. Moreover, they would gain insight from using their software as one of their own clients would.
Initially, CoreStream were visited by BAB for their Stage 1 audit. This visit is intended to establish what organisations already have in place, leaving the client with a Gap Analysis and an action plan to move forward with. Richard Eddolls at CoreStream explained how their preparation began:
“The Stage 1 visit from BAB showed us what deficiencies we had when it came to meeting ISO 27001’s requirements. Whilst we had much in place already, there were some tweaks here and there which would clearly lead to improvements. It was then we used our software, which gave us the functionality to record non-conformities and set actions. It meant nothing could be missed, so we could approach our formal Stage 2 audit with confidence.”
Any thriving business will suffer from growing pains at some stage. As a result, knowing who does what, when and how can become difficult, which is when issues can creep in. These could be from small problems that affect efficiency, to more serious problems that will ultimately upset clients and damage reputation. CoreStream take their reputation seriously so this was a big driver for them.
A successfully implemented management system such as ISO 27001 gives back confidence, minimising mistakes and the associated re-work from addressing them. No wonder then, at a time when there are regular information security blunders hitting the headlines, ISO 27001 has grown in popularity.
Once ready, it was time for CoreStream to be visited again by an auditor, this time for the formal Stage 2 audit. Richard shared his thoughts:
“Despite a number of us working in risk and compliance for several years, we were a little nervous about being the focal point of an audit ourselves. We needn’t have been concerned. As with the Stage 1 audit, the auditors were incredibly helpful and went beyond merely looking for non-conformities by discussing with us ways in which we might improve our management system. Our GRC platform also made the audit process more efficient, being able to access a single system containing all our policies, processes, risks and controls.”
Successfully achieving ISO 27001 certification first time round without any issues was testament to Richard, his colleagues and, of course, their GRC Platform. He explained how CoreStream were keeping on top of things moving forward:
“As our Information Security Management System (ISMS) has matured, our platform is used to build a policy library, providing a permission-controlled online repository for all interested (and authorised) parties to access. Our risk assessment programme is also managed by our platform, supporting the identification, categorisation and scoring of risks to information security. Simply put, the people that need access, can access the right things with a clear picture of where we are overall; it saves us an enormous amount of time.”
He added:
“Fully populated, our platform now supports our operational ISMS. Audit assessments, issue and remedial action management and policy and processes reviews are all conducted using a single platform, avoiding the complexity of using disparate systems. Our Senior Leadership team is able to monitor performance of our ISMS via a reporting dashboard which provides real-time information on the state of compliance at any point in time. In addition, all business processes documented in the system are now ready for reuse, effectively accelerating the management of other internal or regulatory requirements.”
The elimination of needless duplication will stand CoreStream in good stead, as they’re planning to implement other ISO standards – which all share a common structure – in the future.
Richard commented:
“Implementing ISO 27001 with our platform was a great way of practicing what we preach! Better yet, it helped us achieve certification from scratch in only 6 weeks. Now, we’re delighted to be able to show our clients that we meet an internationally recognized standard; hopefully reminding them that they made the right choice in choosing us.
From an internal point of view, we can now take on the other standards safe in the knowledge that the impact of doing so is reduced. Our longer-term aim is to ensure that all controls implemented within our business (possibly as a result of regulation or legislation) are documented and assessed in the same way, increasing the value of having a single, collaborative system.”
CoreStream are offering a free demonstration to fellow BAB clients of their GRC platform to show how it can save time and hassle in managing ISO certification and other regulatory or ethical requirements. You can contact CoreStream directly on 020 7100 4378 or email info@corestreamuk.wpengine.com.