Raising the Bar on Security: Brightly’s journey to ISO 27001 certification
Many of our customers come to us through referrals – a reflection of the trust implicit in those recommendations and the reputation we have built up over nearly a decade of delivering outstanding technology solutions across consulting, advisory, cyber security, and managed services.
Demonstrating the standards we hold ourselves to, and how they are maintained, is just as important as the work we do. Unusually for a tech company, we started with our ESG governance first, gaining B Corp certification and then Toitū Climate Positive status (ISO 14064-1).
From day one, cyber security has been a core focus, both from a governance perspective and through robust technical implementation, leveraging leading solutions from global partners including Microsoft, Sophos, and Google. This year, we took the next step and made a significant investment to strengthen accountability and transparency in our internal information security governance by achieving ISO 27001:2022 certification.
Alongside some seriously hard work from our internal team, we were grateful to partner with fellow B Corp Sensiba, who made the process much easier to understand, provided clear explanations of what needed to be reviewed and why, and helped us meet an extremely tight deadline. We also benefited from using the compliance platform Drata, which provided integrations for tracking controls and compliance, along with built-in templates and multiple frameworks to work from.
Through the audit, we have seen the value of being very intentional about how we work, especially when it comes to our processes and sticking to them. We operate a high-trust model, which is a real strength, but ISO demands more – regular reviews, consistency, continuous improvement, and proactive planning for audits are all essential.
What else did we learn?
We can’t do it alone – partners, platforms, and a great team are critical to moving things forward.
It’s all in the details – what you say in one policy must be consistent across related areas and reflected in the way you work.
Bring the whole team on the journey – ISO impacts everyone, so engagement and communication across the business are key.
Has it changed our approach?
Yes – mainly in terms of formalising and documenting what we have been doing for years already.
Is it the right thing for everyone, and what do we recommend?
We are incredibly proud to have gained this certification; it was a rigorous and robust process, and it matters for our role as a technology partner supporting clients and their business-critical systems and data.
That said, ISO 27001 is not the right fit for every organisation. It tends to be most valuable for those organisations handling sensitive data (such as IT, finance, or healthcare) and/or needing to demonstrate certified compliance to internal stakeholders like a Board of Directors, or to external regulators, customers or partners.
For others, there is still real benefit in aligning to a recognised framework such as NIST, which embeds good security practices without necessarily requiring the full investment of time and budget that ISO certification involves.