Cybersecurity | ISO 27001 certification: a constraint that has become a selling point

It was at the request of a major client that CIS Group embarked on obtaining ISO 27001 certification. The SME had to get to work quickly to be able to retain this client. But it also discovered that the fruit of its efforts was going to bring it much more than expected.

Posted at 9:00 a.m.

Didier Bert
special collaboration

Groupe CIS, an 80-employee SME based in Saint-Jérôme, specializing in the design of software for food distribution and transportation, already had systems in place to protect itself from cyberattacks. But one of its major customers has required its suppliers to obtain ISO 27001 certification, a guarantee of compliance with robust processes intended to protect the company itself, but also its business partners.

“Companies want to make sure that their service providers are not potential gateways to their own systems,” explains Éric Tessier, president of CIS Group, whose software is used in particular by delivery people who transport food products to grocery stores.

The SME could not do otherwise. “Without the certification, we could lose this customer,” points out the business manager. Moreover, shortly after this first request, a second major customer made the same demand. “We realized that this certification was going to be more and more required,” says the president of this SME, whose customers are large companies in the food sector.

The company got to work immediately. CIS Group obtained its certification in record time, “just over four months,” through considerable effort. The SME invested a significant sum to obtain certification, to which it adds a recurring annual budget of $150,000 dedicated to maintaining this standard.



A major undertaking

The investment is not only financial. Time and energy were invested, although at first the task was unclear. “We didn’t know how to react or where to start,” acknowledges Éric Tessier. After bringing in external cybersecurity specialists, CIS Group formed a security committee, made up of people from different departments, responsible for leading the certification process. The company has also created a cybersecurity expert position.

Significant work went into describing the processes. “Reaching the standard wasn’t just about making changes to the design of our software,” notes Mr. Tessier. We had to document the internal processes a lot. Often, they were in place, but they were not sufficiently documented or sufficiently communicated to employees. In the event of an attack, it is these processes that allow the assailant to be repelled.

Employees have been trained and are supported. Every month, intrusion tests are triggered. Continuous training has been put in place.

“Cybersecurity must be part of the routine of employees. It’s like starting to go to the gym: it has to be part of everyday life.”

Éric Tessier, President of CIS Group

Cybersecurity has also taken concrete form on company premises. “We have installed magnetic closing doors, surveillance cameras and an entry and exit register,” explains the manager.

The business manager applauds the efforts made to reach the objective set by his client, a result the SME now intends to promote. “Today, we use this certification as an advantage over the competition,” says Éric Tessier.

The ISO/IEC 27001 standard in brief

The ISO/IEC 27001 standard “describes the implementation, within an organization, of an information security management system. This standard specifies international best practices and offers organizations a methodical approach aimed at preserving the confidentiality, integrity and availability of information while helping them to mitigate the risks, costs and damages associated with poor information security management”.

Source: Bureau de normalisation du Québec

