One of our company's biggest success stories has been the ISO 27001 certification project we carried out for Gradiant. For that reason we want to explain how the process unfolded from the very first moment.
Gradiant is an innovation provider with thirteen years of experience in technology incubation. In those years it has carried out more than 340 projects for sectors such as aerospace, cybersecurity, and health and welfare, positioning itself today as one of the main players in the National R&D&I System.
Gradiant, as a benchmark for innovation and technology development, already held several standards (ISO 9001 and UNE 166002), but to date had none related to information security and therefore had not implemented an information security management system (ISMS).
Information security is a fundamental pillar and not having an ISMS means that there is no effective protection against different risks and threats and therefore there are no mechanisms to face a security incident with guarantees.
The main objective of the project was to obtain ISO 27001 certification within approximately one year. Another fundamental objective of the project was to consolidate Gradiant as an organization aware of the importance and need to promote information security in companies. In addition, the implemented ISMS had to be integrated into Gradiant’s existing management system.
The first step was to carry out a security audit to check the current status of the company with respect to ISO 27001.
Once the audit was done, Inprosec worked on the different deficiencies in order to get Gradiant certified. Mainly the following tasks were performed:
- Identification and cataloguing of assets: The main objective of this task was to inventory the different information assets. It is one of the fundamental tasks, since it is essential to be clear about which information assets the company has (not only physical ones, but anything that contains information: physical, in the cloud, etc.), to assign a responsible person to each, and to group assets whose controls and criticality are the same. It is also the basis for the risk analysis (next phase).
- Risk analysis: This was one of the phases in which the most time was invested, due to its importance, since the risk values affecting each asset were discussed with each person in charge. First, the methodology to be followed was defined and documented so it could be reused in future analyses. We worked on defining the possible threats and evaluating, for each, the probability of occurrence and the impact on the asset should it occur. Afterwards, the controls/safeguards already implemented in Gradiant were evaluated to assess how much risk they reduced, and thus obtain the residual risk of each asset against all the defined threats. For risks exceeding the defined threshold, the treatment option (reduce, transfer, eliminate or accept) was decided. The result of this phase was the risk treatment plan (RTP), which established the specific actions to be carried out to mitigate the risks.
- Definition, implementation and improvement of security controls: During this phase the actions derived from the RTP and the actions derived from the security audit were carried out.
- Definition and implementation of an ISMS and preparation for certification: During this last phase, the ISMS was created, together with its associated regulatory framework, and approved by Management. In addition, all the documentation for the audit was prepared, and finally an internal audit (with an external provider) was carried out prior to the certification audit to identify points for improvement.
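The risk analysis phase described above, carried out in code as an added illustration (not Inprosec's or Gradiant's own tooling): each asset's threats get a probability and an impact, existing controls reduce the inherent risk to a residual risk, and every residual risk above the threshold goes into the RTP with its treatment option. The 1 to 5 scales, the threshold, the "fraction of risk removed by controls" model and the sample assets are all assumptions constructed for the example.

```python
"""Risk analysis step: threats per asset, inherent and residual risk, threshold
check and the resulting risk treatment plan (RTP). Scales and formulas are assumed."""
from dataclasses import dataclass, field

THRESHOLD = 6  # assumed acceptable residual risk (probability 1-5 x impact 1-5)

@dataclass
class Threat:
    name: str
    probability: int                  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                       # 1 (negligible) .. 5 (severe), assumed scale
    control_effectiveness: float = 0  # fraction of inherent risk removed by existing controls

@dataclass
class Asset:
    name: str
    owner: str                        # responsible person assigned during cataloguing
    threats: list = field(default_factory=list)

def inherent_risk(t: Threat) -> int:
    return t.probability * t.impact

def residual_risk(t: Threat) -> float:
    # Assumed model: existing controls remove a fraction of the inherent risk.
    return round(inherent_risk(t) * (1 - t.control_effectiveness), 2)

def treatment_plan(assets, threshold=THRESHOLD, treatment_choice=None):
    """RTP entries for every (asset, threat) whose residual risk exceeds the threshold.
    treatment_choice maps (asset, threat) to reduce/transfer/eliminate/accept; default 'reduce'."""
    treatment_choice = treatment_choice or {}
    rtp = []
    for a in assets:
        for t in a.threats:
            r = residual_risk(t)
            if r > threshold:
                rtp.append({"asset": a.name, "owner": a.owner, "threat": t.name,
                            "residual": r,
                            "treatment": treatment_choice.get((a.name, t.name), "reduce")})
    return rtp

# Constructed sample inventory (not a real asset register)
SAMPLE_ASSETS = [
    Asset("Project file server", "IT manager", [
        Threat("ransomware", 4, 5, 0.5),           # backups halve the risk: 20 -> 10
        Threat("hardware failure", 3, 4, 0.75),    # RAID + backups: 12 -> 3
    ]),
    Asset("Cloud HR records", "HR lead", [
        Threat("unauthorized access", 3, 5, 0.8),  # MFA + access reviews: 15 -> 3
        Threat("provider outage", 2, 3, 0.0),      # 6, equals threshold, so accepted
    ]),
]

if __name__ == "__main__":
    for entry in treatment_plan(SAMPLE_ASSETS):
        print(entry)
```

Only the ransomware threat exceeds the threshold here, so the RTP contains one entry; changing a control's effectiveness or the threshold shows how the plan shifts.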
The implementation of an ISMS, together with the improvement/implementation of security controls and the associated documentation, helped us achieve the following benefits at Gradiant:
- ISO 27001 certification held since 2018.
- Consolidation of Gradiant as an organization that promotes information security.