Last week, Infosecurity spoke to Arti Lalwani to gain insight into the ISO 27701 standard and why businesses should consider getting compliant with it.
Following that discussion with Lalwani, Infosecurity was introduced to Pete McShea, information privacy officer at Aires and also the manager of enterprise risk and compliance. He had recently gone through the ISO 27701 process, certified by A-LIGN, and he said he completed the certification as a means to attract prime government contractors.
“We do a lot of relocations for companies, including some government prime contractors. I thought, ‘what can we do to attract more of these heavy hitters?’”
Specifically, Aires is contracted to move people and their belongings. “We handle everything from shipping of personal goods to helping people sell their house through connecting them with realtors. We help them with immigration. We help them with language training if it’s in the policy. Basically everything that a company might want their new employee to receive from leaving Chicago and going to Hong Kong.”
Therefore, compliance with a government requirement was only going to be a positive thing. McShea said that A-LIGN did Aires’ 27001 audit, and the company realized that certifying to 27701 would also qualify it for CMMC Level 3, which includes privacy. McShea said that, because much of Aires’ business is GDPR-related and it has many multinational clients, data privacy is a huge deal. “This seems like it would be an awesome certificate to have.”
Specifically, CMMC is the Cybersecurity Maturity Model Certification that the Office of the Under Secretary of Defense for Acquisition & Sustainability is now setting up as the certification it wants the entire defense industrial base to hold.
“Eventually, if you want to do business with the US government acquisition, you’re going to need a CMMC, probably by the end of this year.” To do business with European multinationals, he said, he has to “establish credibility,” and the certification helps with that. “I think the credibility is a key point,” he added. “It is a way that I can establish credibility with clients more quickly and develop trust more quickly. That was a huge reason why I wanted to get the 27701 accreditation.”
So what about the process of audit and certification? Well, for McShea, it came during the COVID-19 lockdown, meaning the audit was done remotely. “It was a new experience for me and a new experience for A-LIGN,” he said. “In the midst of that remote audit, we were also audited to the 27701 standard.”
He said a lot of audits are done like a school exam, as a point-in-time assessment, but he praised A-LIGN for building a relationship. “They come in once a year, and of course they test the controls, they look at evidence, they make sure that we’re meeting all the standards, but the real value to me in the audit is that they’re going to find some things,” he said.
“They’re going to make some suggestions. They’re going to find some processes that maybe we can tighten up a little bit or some evidence that would be better evidence. It’s just an iterative process, where I can just incrementally get better every time we’re audited. It’s not a one-and-done kind of thing. They come back every year. They take a look at all of our processes. They make suggestions and we just get better every year.”
Back to the 27701 certification: was it difficult to achieve, and did the fact that 27001 had already been achieved make it easier? McShea said 27001 “laid the framework for how to do ISO certification” and described himself as “kind of a legal nerd,” as he was able to learn everything he possibly could, read as many articles as he could and read the laws from cover to cover.
“I had established a program that was basically compliant at audit. Going through the standard helped me put it into the right order, so that when I presented it to the auditors, it was lined up in the way they expected to see it. However, 27001 was really key in laying the framework of how an ISO program works.”
So would he recommend that other businesses consider getting certified to 27701? McShea said yes, if they have information security processes that rely on PII. From his experience, what would he recommend they do to prepare for certification? “Read the 27701 standard as this will allow you to evaluate the maturity of your privacy program. If your PIMS looks good compared to the standard, find an ANAB accredited auditor that you can build a trust relationship with, like A-LIGN.”