G-Cloud 9 data security: beyond the lollipop lady
With G-Cloud 9 launched this week and security being the talk of the town, we sat down with Mark Darby from Alliantist.
Alliantist has been on G-Cloud since day one and was the first (and only) SME of its type to have achieved Pan-Government Accreditation for information security. Their products also include ISMS.online, the cloud delivered information security management system.
Let’s start from the beginning – what is ISO 27001:2013 and why is it important for the public sector?
ISO 27001:2013 is an international standard for information security. ISO 27001:2013 aligns closely with the Cloud Security Principles that are at the heart of the G-Cloud 9 security questions and contract requirements in clauses 12, 13 and 16 of the call-off contract.
There is more to the Cloud Security Principles but an independent ISO 27001:2013 certification demonstrates that the supplier takes information security seriously. Having a strong information security posture is important for the public sector because of the valuable information held by the agencies and their need to protect it from a range of threats. Crucially, ISO 27001 is also sought after by the private and third sector too. By achieving that recognised standard, suppliers can also demonstrate their credentials into all sectors, not just the public sector.
Our research shows SMEs with a successful sales record were 50% more likely to be ISO 27001 accredited than SMEs with no sales. Can you comment?
It’s almost a moot point now. At the heart of meeting G-Cloud 9 requirements is ISO 27001, so quite simply any new business arising from G-Cloud 9 is probably only going to go to organisations with ISO 27001 and those that meet the Cloud Security Principles.
We are talking about SMEs here. How much would ISO 27001 set them back?
Many SMEs will initially feel overwhelmed at the requirements and potential costs for compliance, as I did several years ago. It is not just the physical cost, it’s the opportunity cost of having your senior management and top talent wrapped up in non-fee-earning work. It is why we have set out to help address that with ISMS.online. For a very small investment, perhaps just a few hundred pounds per month, it can mean the difference between failure and growth in the future and a much faster time to success. How much is that new customer contract worth, or your daily rates? It will also help you run a better business, and the ‘insurance’ protection will pay dividends too.
Can they not just get Cyber Essentials? What’s the difference?
It’s better than nothing for protecting part of your own organisation from common threats. But CE is woefully inadequate as a certification for smart customers who want to rely on suppliers to process and protect their valuable information in the cloud. It’s a bit like a lollipop lady versus a fully armoured battalion in a battle against the zombies!
G-Cloud 9 just opened with significant changes. Any comments?
It’s a massive shift from recent frameworks and at the right time given the growing contagion facing public services and citizen data. It will be a survival of the fittest now.
Let’s talk GDPR. How will this impact suppliers and how can they get prepared?
Most SMEs will probably wait until their customers demand compliance or leave it as close to May 2018 as possible, which is a major mistake! Doing ISO 27001 now as an investment towards new business on G-Cloud also goes a long way to help EU GDPR readiness. The Information Commissioner’s Office has issued 12 Steps to preparing for EU GDPR, which is a useful read, but actually digesting the 88 pages of Regulation is sensible too in order to see the size of the task and plan ahead. We’ve already built key elements into ISMS.online.
Finally, where do you see things going in the future? Let’s say, what’s your vision for data security and compliance ten years from now?
The achievement of standards like ISO 27001:2013 and information security by design will be the norm for starting a business. The same way that health and safety is now. The threats of cyber security will potentially cause loss of life and other significant harm especially within public sector service delivery. So it won’t surprise me to see corporate manslaughter introduced, like health and safety penalties, for careless business leaders who fail to protect their own and their customers’ information assets.