SupplierGATEWAY is a software-as-a-service supplier management and procurement platform based in California, USA. The company helps buyers and suppliers manage their relationships through integrated tools and cloud-based services. Forina Vong, Network Infrastructure and Security Manager, explains how the ongoing support from the CertiKit toolkit and support package assisted with the timely development of their Information Security Management System (ISMS).
SupplierGATEWAY chose to certify to ISO27001 to streamline their ISMS and stay competitive within their industry. It was increasingly important as a cloud-service provider to ensure all requirements were complied with, including the relevant parts of the ISO27017 (controls for Cloud Service Providers) and ISO27018 (controls for protection of Personally Identifiable Information) codes of practice.
The biggest challenge SupplierGATEWAY faced from the beginning was the lack of in-house ISO27001 expertise and knowledge. The standard itself is substantial and, in the 2013 edition against which the team certified, includes 114 Annex A controls. The requirements within ISO27001 are in-depth, and certification can be a difficult task to take on with no prior knowledge.
Tasked with certifying to the ISO27001 standard, Forina found that, with colleagues and time available to take on the implementation, a toolkit was the best solution for their business. “The great reviews from the website made us choose a CertiKit toolkit. The comprehensive documentation and great support helped make achieving certification easier.” The coverage of the ISO27017 and ISO27018 codes of practice within the toolkit, specifically developed for cloud service providers, was particularly helpful, including documents such as ISMS-DOC-A05-3: Cloud Computing Policy and ISMS-DOC-A05-4: Cloud Service Specifications.
The SupplierGATEWAY team took just over a year to certify to the standard, whilst dedicating 10 – 15 hours per week to the project. The team chose to use the toolkit solely as guidance and didn’t need to call on external consultants for help. Instead, the team made excellent use of the unlimited email support available from CertiKit, describing this assistance as the most useful aspect of the package.
Taking on the implementation of the standard internally proved beneficial to the business. Forina explains: “We discovered opportunities for improvement in the way we are running our ISMS. We now find it much easier to provide our prospective clients with our security documentation during the sales process.”
With increased internal knowledge, an ISO27001 certification and a continually improving ISMS, the team couldn’t be happier with the outcome. “We would definitely recommend the CertiKit toolkit to another company,” said Forina. The SupplierGATEWAY team have renewed their toolkit support subscription for a second year and are currently working through the new documents released in version 10 of the ISO27001 toolkit to continually improve their ISMS in readiness for their next annual audit.