
Case Study

GPA Engineering

GPA Engineering (GPA) is a highly experienced, multidisciplinary engineering and management firm. They’ve been providing engineering, consulting, procurement and construction management services since 1987.

GPA specialises in large-scale industrial projects across energy, defence, water, minerals and the renewables sectors. They’re committed to safety, the environment and best practice. Their vision is being a vibrant organisation of high performers and innovative teams respected for consistent delivery of exceptional engineering quality and value.

To support this quality business environment, GPA has adopted and achieved certification in:

  • ISO 9001 – Quality management systems
  • ISO 14001 – Environment management systems
  • ISO 27001 – Information security management systems
  • ISO 45001 – Occupational health and safety management systems.

In this case study we look at GPA’s adoption of ISO 27001, which they first achieved in 2018, with TQCSI.

Background

As consulting engineers, GPA has seen the world becoming a much more integrated environment, with interconnected systems and important information being shared between clients and providers.

GPA provides various services to its clients, including the remote management of systems (and process controllers), and GPA sometimes receives confidential information regarding project systems and environments.

While GPA was already certified to three management system standards, they recognised that they were holding important information belonging to their clients and managing important systems on their clients’ behalf. GPA concluded that they should be able to demonstrate to their clients that they have the systems in place to protect these valuable assets, processes and systems.

It was for this reason that GPA decided to seek certification in ISO 27001 (Information security management systems).

GPA decided to approach ISO 27001 certification as an important business activity rather than mere compliance. Working with their advising consultant, they reviewed the controls described in ISO 27002 and decided to adopt all of the controls.

They saw these controls as features of the standard that would benefit their business. GPA found that ISO 27001 and the controls described in ISO 27002 forced them to critically examine their systems, the way the systems were configured and the way that their staff worked with those systems and the information stored on the systems.

For now, GPA has settled on adopting the controls described in ISO 27002, but recognises that many Australian Government agencies are seeking deeper conformance with the Australian Government Information Security Manual (ISM).

GPA is satisfied that ISO 27001 has the flexibility to work with both ISO 27002 and the ISM.

Demand for ISO 27001

GPA acknowledges that maintaining ISO 27001 is time consuming — therefore, it must deliver benefits. Presently they are not seeing requirements for ISO 27001 specified in tenders, however, they are seeing a trend of customers being very pleased that GPA is certified in the standard.

For GPA it’s valuable to have ISO 27001. They see it as a core part of their risk management, protection of their assets and protection of their environment from those wanting to harm their business or their clients.

Achieving ISO 27001

Even though they already held three other standards, achieving certification in ISO 27001 was not a straightforward adoption of another standard.

GPA quickly saw that ISO 27001 is a deeper, more focused standard than the others they already held. The control specifications in ISO 27002 demand more than documented procedures: each adopted control has to be implemented and its operation evidenced.

GPA also found that not all certifiers are able to certify in ISO 27001. While GPA had worked with a certifying body for many years, when it came to ISO 27001, they needed to find a specialist certifier.

In 2018, GPA achieved certification in ISO 27001 through TQCSI. This presented a new challenge, because GPA was now certified by two bodies: TQCSI for ISO 27001 and ECAAS for their other standards.

This resulted in some duplicate documentation and duplication of audits. It also meant that their ISO 27001 information security management system was not as integrated into their quality management system as they would have liked.

So, in 2021 GPA made the decision to change certifying bodies and have the one certifying body conduct all four of their assessments. This has had some benefits, as it has allowed GPA to integrate key parts of their documentation into a single body of work and also consolidate their audits. The consolidated audit and the integration of the management standards has also allowed GPA to adopt a better continuous improvement process across the entire company, encompassing business, management and information.

Maintaining ISO 27001

There are many cybersecurity threats and vulnerabilities and it is through the personnel management and training components of ISO 27001 that GPA has helped their staff to protect the organisation.

One of the controls they have implemented is regular staff training. This includes short videos that help users understand the risks they face when working with computer systems, whether ransomware (crypto-lockers), phishing or other social engineering.

GPA has also adopted document management systems to help them maintain conformance with ISO 27001. They document the actions they take to demonstrate implementation of the controls and actions to resolve issues.

For this, they have adopted their Atlassian Jira system for control documentation, actioning and remediation. This has become integral to their management of ISO 27001 and has allowed them to streamline the control environment.

GPA is now into their second certification cycle, having been re-certified in 2021. For GPA, this is not a tick-the-box exercise. The stage 1 and stage 2 assessments are important parts of the process that help them develop.

GPA does not like big risks, so all areas of non-conformance are promptly addressed to ensure that they have a clean certification. This is also just part of their continuous improvement process.

The future of ISO 27001 at GPA

This is a standard that GPA intends to maintain. They see it as benefiting their business through better and safer IT systems and practices, and through better demonstrating to their clients that GPA values and protects their information.

GPA appreciates the improvement opportunities that arise through their assessments, and it is an organisation keen to keep improving.

Discover more

To see details of GPA’s ISO 27001 certificate, visit register.jas-anz.org/certified-organisations and search for GPA Engineering.

To learn more about GPA Engineering, visit www.gpaeng.com.au/about-us/