Energy Assets has successfully completed its ISO27001 information security audit, confirming the integrity of the company’s processes and procedures for managing commercial and personal data.
Head of IT James Walker guided Energy Assets through the recent 2-day assessment, with auditors particularly impressed with business continuity planning and implementation in response to the COVID-19 pandemic and its impact on operations.
ISO27001 is the international standard that governs best practice in information security management systems, which involves identifying security risks and putting in place appropriate control methods. Energy Assets has been ISO27001 accredited for six years and undertakes audits every six months.
“The standard focuses on devising and implementing best practice in information security, covering both physical assets and electronic data – and how we manage and control any associated risk,” says James.
“It is an increasingly important standard for businesses to hold, not just in protecting the organisation from cyber security threats and safeguarding data, but in meeting strict criteria set down by government and other customers as a pre-qualification threshold for contracts.”
Energy Assets has implemented a rigorous training programme to ensure best practice is embedded in the company’s culture, which includes a mandatory annual e-learning module with a pass/fail element for all relevant staff.
“This approach ensures that everyone in the organisation understands their responsibility for information security, which is further underlined by the clear commitment from the leadership team to protecting employee and customer data as part of its governance oversight. When people understand why protecting data is important and how it relates to their daily working lives, then they embrace it.”
In the latest assessment, James and his team navigated the audit with no non-conformities, but he recognises that information security constantly evolves. This is why Energy Assets works closely with third-party auditors to test procedures outside the formal ISO27001 assessment schedule and also runs external site penetration tests.
Comments James: “All these steps inform our approach to information security, add value through knowledge transfer and contribute to our business ethos of continuous improvement.”