How on earth did we manage before the ISO 27001 certificate?

The starting point 

The business and the processes of Riihicloud have been of high quality for a long time. We have developed our Microsoft Intune-based service for device management for over six years. Within that period, the service has taken giant leaps. The service supports Windows, macOS, iOS, and Android devices. Tens of thousands of customer devices have already been connected to the service, mostly through our MSP (Managed Service Provider) partners. All the procedures and processes have been properly structured and documented, and they are constantly being further developed and follow a certain weekly routine. 

Despite all the efforts, we started to feel pressure from our partners and their customers to obtain formal quality certification. To split the process and make it easier to reach our goal of ISO 27001 certification, we decided to take an intermediate step, the FINCSC. The name comes from the words "Finnish Cyber Security Certificate", and it is the outcome of a certification mechanism that evaluates a company against various cyber security threats. FINCSC is a cost-effective, nationally recognized certification mechanism for companies of all sizes to ensure business continuity and proper data protection.

We received this certificate with relatively little effort in March 2022. The swift certification was all thanks to the already high quality and broad scope of the Riihicloud service.

The FINCSC certificate led us nicely to the next step, and it was enough for many of our partners. With this move, we postponed the more substantial ISO 27001 investment for months and could focus on other important and high-priority new functionalities and major enhancements in Riihicloud. Still, we all knew in the back of our heads that the investment could not be delayed forever. 

ISO 27001 – choosing the certifier 

At the end of spring 2022, we did a thorough and detailed investigation into possible consulting firms that could do the ISO 27001 certification and later, periodical audits of our service. Three reputable consulting firms were shortlisted. 

An employee of one of our stakeholders recommended the services of Bureau Veritas company that they had used in their ISO 27001 project. Bureau Veritas also met all of our requirements, so we selected them. We felt lucky since we were assigned two experienced certifiers and one of them had already hundreds of accomplished certifications under his belt. 

Preparations for the certification 

The summer holiday season gave me some time to wrap my head around this task. I pored over the roughly 140 controls of the ISO 27001 standard and quickly noted that most of them were useful in our business, and that many of them were already either completely or nearly implemented in Riihicloud. I also noticed how the Riihicloud Endpoint Management and Analytics functionalities, which are naturally used for device management in both Riihicloud and Riihisoft, assisted with implementing many of the ISO 27001 standard's controls.

In addition, I noticed there were gaps in our polished weekly routines and processes, such as constant monitoring of user activity and deleting inactive users from the Riihicloud service from time to time. 

The first big and crucial decision was regarding our tools: should I choose Word and Excel like everyone else, or decide on something else? We had heard and read stories warning against situations where Word and Excel documents were set aside and no longer actively used or updated. This was an outcome I wanted to avoid! The decision to use Azure DevOps for our purposes turned out to be an excellent one for many reasons. With that tool, breaking the 140 controls down into tickets in the development phase was rapid and concrete, and observing and documenting their implementation was easy thanks to the visualization. Later, using and further developing the standard-compliant implementation in Azure DevOps fit naturally into the Riihicloud team's daily routines. In addition to the DevOps project, we had to create only one summary document in Word.

When the rest of the Riihicloud team returned from their holidays in August, the project was already up and running and ISO 27001 tickets had been allocated to the team. The most intensive work took a little over one calendar month.

Certification 

The certification work of Bureau Veritas was divided into three parts: 1) gap analysis (evaluation of the current status), 2) the first part of the audit, and finally 3) the second part of the audit.

The gap analysis revealed to us that even though our processes were in good shape, there was still a fair number of things that needed to be documented and fine-tuned.

In the first part of the audit, our readiness for the actual audit was evaluated. This went like a breeze thanks to the summer's efforts, so we were ready for the audit.

The actual auditing day of the second phase was challenging and the consultants properly grilled our Riihicloud team. The outcome at the end of September was similar to the one in August: nothing significant to note was found. The certification process ended with a statement that Riihicloud had received the ISO 27001 certification! 

We still had to wait a few weeks for the official certificate. Bureau Veritas always reviews and audits the work of its consultants as part of the certification process. This double auditing is, in my opinion, a great reflection of how thoroughly they do their job. The official certificate for Riihicloud came in the mail on the 27th of October, 2022, four months after the actual work started in June. The entire ISO 27001 project took around six calendar months from the board's decision to kick off the certification investment. The Riihicloud team used only 30 man-days in total for the entire ISO 27001 project.

I wondered out loud whether our project had been completed in record time, but the consultants from Bureau Veritas could not and would not confirm this, which is understandable. It did feel nice, however, to hear the consultants praise the certification of Riihicloud as a perfect example of how things should be done. One consultant also concluded that using the Riihicloud service helped Riihicloud achieve this certificate, given how many controls were covered by the service. The consultant also highlighted the use of Azure DevOps in implementing the controls required by the certificate and in their further development and documentation.

Outcome and summary 

The outcome was better than I could have dreamt of. We have received a great many congratulations from our stakeholders, and now that we have this certificate in our "hands", it truly assists our business significantly at all levels.

For example, our stakeholders have shown keen interest in the implementation of our ISO 27001 certificate and our MSP partners have actively used Riihicloud’s fresh certificate in the sales and marketing of their ICT service offerings. 

In my opinion, this ISO 27001 certification has meant a giant leap for Riihicloud, as both the company and our service have developed significantly. It fills me with satisfaction to see how well applying the standard has been integrated into our working environment and how inseparable it has become from the everyday life of Riihicloud. The standard has also given rhythm and structure to the further development of our processes, and practically no extra work is required to prepare for future revisions of the standard and for periodic audits.

In hindsight, I wonder how on earth we managed before the ISO 27001 certification!

Sami Ojala 

Riihicloud CTO 
