ESG Book

ESG Book – Going beyond compliance to embed a living and breathing information security framework
Standards: ISO 27001
Industry: Software Development
Why implement ISO 27001
When you’re working with some of the world’s largest companies, one thing is certain: you need to give them confidence that you have a structured approach to managing the confidentiality, availability, and integrity of data. ESG Book is a technology and data company that provides an innovative platform for ESG (environmental, social and governance). It enables organisations to publicly disclose their ESG performance and access data on the performance of others. As the CFO of ESG Book noted, “We had many of the key elements in place, but we needed to align them with an internationally recognised standard—ISO 27001. While this move was partly driven by customer expectations, it also reflects our broader commitment to always operating at the highest possible standard.”
An implementation team structured for success
ESG Book made the decision to assign three key members to the implementation: the CFO provided C-suite sponsorship and brought leadership requirements to the table, the Head of Engineering ensured the platform elements were considered, and the Head of IT was responsible for the non-product IT estate. During the implementation, these three roles became what is now known as the RiSC (Risk and Security) Committee, responsible both for implementing the system in the short term and for acting as the central driving force for security in the business in the medium term. The Head of Engineering highlights that ‘as a RiSC Committee we recognise that security does not stop once you are certified. The business needs ongoing resources to evolve and refine the system, and this is our role’.
The implementation format
twoSB worked with ESG Book across 12 sessions to implement the ISO 27001 requirements through a combination of policies, procedures, embedded workflows, registers and updated controls. Once the system was implemented, twoSB undertook internal audits to give confidence that the agreed ways of working were in place and consistently followed.
Avoiding barriers to adoption
As with all implementations, it is important to pick where to focus and how to set up simple, repeatable workflows that will embed into the way the business functions. During the implementation, the team built out the IT help desk, hosted in a well-known ticketing system, to manage everything from access requests and supplier due diligence requirements through to periodic reminders for key monitoring tasks. The Head of IT says ‘making this system the fulcrum for the everyday tasks, and getting the team to use it, was one of the main successes of the project – we now have a single central place for all requests that are easier to track through to completion’.
The feeling of confidence
A key takeaway from the implementation was the feeling that the company now had a structured set of policies and procedures that accurately define how it works against a recognised international security standard. Whether it is with a new starter, or a client requesting the security posture of the organisation, the team now have enhanced confidence that they can explain exactly what is done and how.
Where next…
The organisation was successfully certified against ISO 27001 but knows that it will need to evolve the system as it looks to continually improve how it works. The RiSC Committee is taking the lead on this; however, the group reaches outwards to pull in thoughts and expertise from a much wider number of team members.