Wirefast outpaces secure messaging competitors by gaining ISO27001 cybersecurity certification
This case study shows how IT Governance helped Wirefast achieve ISO27001 certification. Enter your email address at the bottom of this page if you would like a PDF version of this case study. Call us on +44 (0) 845 070 1750 to discuss your own ISO27001 consultancy requirements.
Wirefast Case Study
With technology facilities in the UK, USA and Asia, Wirefast employs a highly-skilled team of software engineers and support staff to develop and deliver its communications solutions. Its client list reads like a Who’s Who of global business, including banking and finance, oil and gas, and healthcare. The company is also known for Newslink, a high-availability messaging application used by news contributors and media outlets.
To demonstrate Wirefast’s ongoing commitment to achieving best practice in information security, the Board determined in 2011 that it should achieve certification to the ISO27001 Standard. Paul White, CFO, and Paul Green, Information Security and Operations Manager, approached IT Governance Ltd to guide the in-house project team to meet the requirements of ISO27001 and ensure a successful certification audit at its first attempt.
Wirefast provides hosted and fully-managed messaging solutions that improve, automate and enhance communication-based business processes. The service combines the convenience of e-mail with the added benefits of improved reliability, a full audit trail and the flexibility to deliver in the recipient's preferred format, including fax, SMS, voice and telex. Wirefast gives its customers the confidence that crucial information will reach their clients, when and how they need it, without incurring high costs. Security is an essential component of their business practice and a principal reason for choosing Wirefast’s services.
ISO27001 is an international specification that sets out the requirements for businesses and organisations throughout the world to develop an information security management system (ISMS), paying due diligence and doing what management determines is necessary to protect its data and related information resources.
In 2011, Wirefast selected an IT Governance training course to improve its knowledge of ISO27001. Having completed the course and impressed by the trainer’s expertise in the Standard, Wirefast partnered with IT Governance to provide consultancy support to assist in gaining its ISO27001 certification.
IT Governance consultant, Nick Orchiston, was tasked with taking Wirefast from the gap analysis through to pre-certification audit, together with being on hand to assist at the initial certification audit. Due to the rigorous security employed by Wirefast, there was significant complexity in terms of technical systems, so carefully-planned phases of compliance were deemed the best way forward.
Wirefast recognised that, whilst the company could simply adopt aspects of best practice and satisfy its clients in the short term, seeking full compliance to ISO27001 would ensure the correct emphasis between confidentiality and availability, whilst protecting the integrity of the data. Furthermore it would:
Provide customers with added confidence in their secure services;
Help to promote their organisation to future clients; and
Improve their internal practices.
The latter was perceived as important from the start. Paul Green said: “From our experience gained from the IT Governance course that we completed prior to commissioning IT Governance, we knew that ISO27001 would be a means to develop our management system policies, procedures and controls to satisfy any of our clients. It was one of our requirements that the documentation that resulted should be integral to our business and truly reflect our own processes. What surprised us by adopting the ISO27001 framework, was that our teams had the blueprint in our information security management system (ISMS) for documenting the complete management system, going beyond simply information security, and bringing benefits across the board.
In addition, we wanted a consistent means of addressing security upgrades and systems expansion, factoring in capacity planning and helping us to ensure that no part of our technology system ever operates above 50% capacity. This policy of over-specifying hardware and software has been an important ingredient in our success. For every primary we also have three secondary systems ready to provide generous failover capacity. ISO27001 best-practice security controls, notably 10.3.1, assists us in keeping capacity under review and ensures that information security is factored into systems growth”.
IT Governance provided support at various key phases of the project, transferring knowledge to the implementation team who undertook the necessary tasks. This meant that we owned the system and that it reflected our business, rather being a bolt-on to day-to-day practices imposed by an external consultant. The project phases included:
Management framework; defining scope, developing a policy statement and advice on project team members.
Conducting the risk assessment from asset register through to risk treatment plan and statement of applicability.
Completion of ISMS documentation.
ISMS monitoring and review.
Staff awareness material and delivery.
Internal ISMS audit.
Pre-certification gap analysis/audit dress rehearsal.
Certification audit by BSI (IT Governance expertise on call).
Post-initial certification audit, an IT Governance consultant provided a documentation review and pre-surveillance audit advice. Wirefast called in additional help to support its ongoing commitment to enhance its ISMS in line with business processes, an IT Governance consultant providing further coaching and knowledge transfer.
“Having IT Governance on hand to guide our swift adoption of the ISO27001 Standard and provide ongoing expert support has been invaluable,” says Paul Green. “IT Governance understood the needs of a technology enterprise like ours. Tight control of security updates has always been a part of our attractiveness as a business. We provide secure communications services using the most robust technology platforms – for example, Apache and Red Hat Linux – and we have the fastest turnaround times for checking new systems and upgrades.
Needless to say, we have a highly-skilled technical base, and our team understand the risks involved in a change process. Perhaps for these reasons, we all found ISO27001 had many parallels with the technical security models that we already adopted – our practices were relatively closely aligned to the Standard. What we found, to our great satisfaction, is that the Standard could also help us to develop our management systems. The pillars of information security namely Confidentiality, Integrity and Availability – fondly referred to as C-I-A – corresponded with our own mission to robustly protect confidential data and make it available only to those who need to access it, when they need it. Every one of our 35 team members, including James Powell-Tuck (CEO), fully supported the implementation of ISO27001 from the outset.
I understand that managers in other technology companies think that cybersecurity compliance is an encumbrance – a barrier to doing business – however, our experience has been nothing but beneficial. The attention to detail in the framework and the flexibility in the 133 controls (we use 129 of them) will enable you to achieve the optimum balance of C-I-A for your own data. Security is not a steady state: you need to develop procedures and apply controls that make sense in a given situation and keep such use under review. If you don’t use a framework, you will end up inventing one. By adopting ISO27001, it will help you develop your own formal management system processes – a huge benefit of operating an ISMS. We can now demonstrate our systems to multi-national organisations and know that we are synchronised with their approach. We just ‘click’ with their thinking!”
In May 2012, following the initial certification audit conducted by BSI, Wirefast was awarded certification of the ISO27001 Standard.
On gaining certification, Paul White said, "Wirefast has always been committed to the security of its customers' information. Achieving certification allows us to reassure customers of this commitment and continue to adapt our approach to information security in line with known best practices.”
"Wirefast is one of the most resilient and reliable secure messaging system providers in the world," says James Powell-Tuck (CEO). "Our systems have always been among the best in terms of security, but ISO27001 certification has given us a clear competitive advantage over rival companies that have not adopted the Standard to date.”
Download this case study now
To get a PDF version of this case study enter your email address below and we will send you a copy straight away.
Just as we have helped Wirefast to achieve ISO27001 compliance on time and within budget, so we can help you. Call us now on 0845 070 1750.