#189 Mintago’s Information Security Success with ISO 27001
The ISO Show - A podcast by Blackmores UK - Tuesdays
Categories:
There have been a reported 9,478 publicly disclosed data incidents in 2024 alone, with that amounting to over 35 million known records breached. It has become clear in recent years that information security isn’t just a ‘nice to have’, it’s a necessity to ensure you and your client’s data are protected. Which is especially the case for those processing personal and financial data, such as today’s guest, Mintago. In this episode, Tom Catnach, Head of Product and Information Security Officer for Mintago, explains their journey towards ISO 27001, the challenges faced and benefits felt from certification to the leading Information Security Standard. You’ll learn · Who are Mintago? · Who is Tom Catnach? · What was the main driver behind achieving ISO 27001? · What was the biggest ‘gap’ identified in the Gap Analysis? · What have they learned from the experience? · What are the benefits of certification to ISO 27001? · What does the threat horizon for information security look like? Resources · Mintago · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:15] Episode summary: Today we welcome guest Tom Catnach from Mintago to discuss their journey towards ISO 27001 certification. [02:20] Who are Mintago? – Mintago are an employee benefits company, who work with companies to help their employees be financially better off. They do this in a number of ways, including: · Finding lost pension pots · Help to save money through finding discounts · Retirement planning · Offering various salary sacrifice products · Helping companies to be more financially efficient with pension salary sacrifice or other national insurance savings · Helping people to be more financially literate [05:10] Who is Tom Catnach?: Tom has a split role at Mintago, his primary role being Head of Product and secondary being Information Security Officer. Through both roles he looks after all the products and offerings as well as the information security across the business, he was also the driving force behind achieving ISO 27001. Outside of work, Tom likes to travel via motorbike, preferring to stay away from the screens and enjoying the sights. [06:30] What was Mintago’s main driver to Implement ISO 27001?: Mintago, and most other businesses by their nature, are required to hold a lot of sensitive data and so have a responsibility to their clients and employees to ensure it’s security. Mintago were looking for a robust framework to base their Information Security around, and what better option that the leading Information Security Standard, ISO 27001. ISO 27001 also offers the assessment of general business practice, and allows for growth and scaling. As a start-up, they wanted to have a solid base for policies, training ect to roll out to new hires as they expand. [08:30] Aligning Standards with core values: Trust is one of Mintago’s core values and they want to give their clients the assurance that they can be trusted to protect their data. ISO 27001 can be compared to the likes of Bcorp as it’s an on-going process. It doesn’t just stop at getting the certificate, you have annual surveillance to ensure you are still compliant year on year. [10:15] What was the scope of Mintago’s certification?: For the initial implementation, Mintago opted to just scope in Product and Customer Service. This was because all of the sensitive data is handled in those departments and they don’t allow access to any other teams, so it made sense to start there with a view to expand the scope after certification. That being said, they still rolled out Information Security training to all staff, and everything has been set-up to allow for an easy business wide roll-out when they’re ready. [11:50] How long was Mintago’s certification journey?: They started their journey in September 2023, in fact it was Tom’s first project with Mintago! Mintago enlisted Blackmores help to implement ISO 27001, and after nine months they have been successfully certified. Tom attributes their ease of implementation to the fact that they are currently a small business, citing that it’s an advantage to implement ISO Standards early while your agile so that your management system grows with you. [14:25] What was the biggest ‘gap’ identified at the Gap Analysis? Mintago are lucky in the fact that they are a new business so are using modern tech, and don’t have the burden a larger site or other physical elements such as rack mounted servers. However, policy, procedure and evidence to ensure they were doing the right thing were lacking at the start of their journey. They did have a good 70% in place and that last 30% was mostly down to having the ability to evidence their compliance. There was also some additional work to do to improve existing policies and procedures. One example of this was having a solid Business Continuity Plan in place. [16:35] Did Mintago experience any significant barriers in addressing identified gaps? Being a smaller business, they were able to adapt a lot quicker than a larger organisation may have been able to. One of the biggest struggles for Tom was getting the necessary technology to aid with Information Security. They needed to show that they had a competent Mobile Device Management Solution (MDM), antivirus and anti-phishing in place. When trying to buy some software solutions, Tom encountered a lot of companies simply not replying to his requests due to Mintago’s size. Many organisations sadly prioritize bigger potential clients, and so it took a while to finally get all the required software. [18:45] Engagement is key - Getting everyone involved with the management system is critically important. Especially with information security as the people most often targeted are frontline workers, so they need to be actively engaged in security. Mintago also has the advantage of being a smaller business, so getting communication out isn’t a hardship and resulted in high engagement. This was benefitted from a top-down initiative via their ‘C-Suite’. Tom also states that you can make any necessary training more lighthearted, team based or interactive, as that’s something that people would want to engage in. It’s also important to stress that any information security training can be beneficial for personal use too to avoid being a victim of fraud or a scam. It can be something people take away to their family members to ensure they stay safe online. [23:10] Did the adoption of ISO 27001 highlight any issues not already considered by Mintago? - The biggest thing was how their internal process could be improved. For example, looking at the scenario of ‘what if our back-ups don’t work?’, ISO 27001 drilled down to ask specifics such as: · How do we recover from that scenario? · Are we 100% confident in our back-ups? · Will they work near instantaneously? · What’s Mintago’s availability like in that scenario? · How do we prevent disruption to our clients during that scenario? So, while they did have back-ups they weren’t necessarily considering the whole scenario, especially if those back-ups were to fail. ISO 27001 ultimately helped to flesh out existing plans to make a much more robust system. In regards to threat horizons, Mintago do practice OWASP and keep the team informed via e-mail, newsletters and GitHub repositories. [25:00] Internal Auditing – A beneficial tool - Tom found the internal auditing process to be very beneficial for Mintago, currently they do a few monthly on average. Blackmores assisted with the audits during implementation to ensure they were in the right place for assessment. Of course, the Certification Body audits were a bit more nerve wracking for Stage 1 and 2 as they would determine if they would be certified. Mintago passed their Stage 1 (documentary review) with flying colours, their Stage 2 (evidence checking) highlighted a few non-conformities that were quickly addressed. Following the Stage 2, they were recommended for ISO 27001 certification. [27:20] Minor Non-conformities aren’t the end of the line – There’s a common misconception that getting a certain number of minor non-conformities during a Stage 2 assessment means you can’t be certified, but that’s simply not true! If an Assessor is comfortable that you are in a good position for certification, they will recommend you. ISO Standards are all about continual Improvement, which is something Mintago are embracing as they continue to address issues raised at audits. [29:00] Benefits of ISO 27001 certification – Benefits Mintago are already experiencing include: Internal Stakeholders – The Team worked hard to achieve the Standard and have embraced it’s core qualities to the benefit of their own Information Security practices. Positive Market Response – Much larger clients who are also ISO 27001 certified now have a mutual understanding of each other’s commitment to information security. Gaining certification early – As a start-up, Mintago are agile and will be able to develop and mature their ISMS (Information Security Management System) as they grow. [31:10] Any concerns on the threat horizon?: As the Information Security Officer, Tom is concerned about new emerging trends in AI led scams. They’re going to be a lot more sophisticated and harder to spot and deal with. Thankfully, even if they are impacted, it will be rather isolated. Tom raises concerns for vital services such as Air Traffic Control which could have dire consequences if they were to be affected by a data incident. However, with ISO 27001 Mintago are in a good place to keep on-top of their threat horizon and have the processes in place to mitigate potential incidents and continually improve their own security. [34:30] In Summary: Mintago are a shining example of gaining certification for the right reasons. It’s not just about getting a badge, they have truly embraced a culture of continual improvement and are utilising ISO 27001 to ensure they have a robust information security management system in place. If you would like to learn more about Mintago and their financial services, check out their website. We’d love to hear your views and comments about the ISO Show, here’s how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List