ISO 27001 at MyTower: compliance achieved in 7 months!

MyTower

The ISO 27001 webinar was hosted by Etienne LAZARZ, GRC Project Manager at MyTower, accompanied by Nicolas MOTTE, Head of GRC Services at Lyvoc, and Ben RENAUDINEAU, Account Executive at Drata.

ISO project background and implementation 

The ISO compliance project began in June 2024. Right from the start, we were faced with a lack of internal knowledge on the subject, apart from a few one-off training sessions received by the development teams. At the time, there was no specific training on security, and even if a few good practices were already in place on the technical side, notably on the cloud, the main challenge lay in the deadlines imposed: compliance had to be achieved before the end of 2024, a requirement that was all the more pressing as our customers expected absolute rigor on ISO.

So the first step was to find an external partner capable of supporting us. Thanks to our network, and the support of partners such as Live, as well as auditors specialized in risk management and certification audits, we were quickly able to collect the necessary data. This enabled us to launch the project in just two weeks, saving valuable time and reducing costs.

As early as August 2024, during the vacation period, we were able to carry out a risk assessment and draw up a treatment plan. The aim was to link each identified risk to the controls of the data platform.

The second phase involved the review of internal policies, controls and complaints management, all carried out simultaneously. This multitasking proved particularly intense, given the deadlines imposed. 

The drafting of the policies took four months, based on models and collected data. Starting from scratch on this type of project is a real challenge, but having models to work from was a major asset. 

Finally, it's important to emphasize that controls management is an ongoing process: there are always elements to adjust in order to remain compliant with audit requirements. It's a long-term team effort, involving all our staff. 

Finalizing the project: Setting up procedures and preparing for audits  

The final stage of the project was to review and formalize internal procedures, an essential task which ideally should have been anticipated, but which came naturally with the preparation of the audits. 

We have therefore introduced SOPs (Standard Operating Procedures). These SOPs precisely describe MyTower's internal workflow, and are generally the second point analyzed by auditors after the audit of security policies. The aim is twofold: to demonstrate that the procedures exist and that they are effectively applied on a day-to-day basis. 

This work, although continuous in nature, could be structured efficiently: the first version of the procedures was drawn up in two to three weeks, with the invaluable help of our partners Lyvoc and Drata. They supported us in building the SOPs, interviewing staff and preparing all the documentation required for the audit.

Audits: a step-by-step process 

An internal audit was carried out at mid-term, in December 2024, followed by the certification audit in two phases: the first at the end of December, and the second in January 2025.

Anticipating the choice of auditors is crucial. We started looking for profiles as early as September, to make sure they matched our needs, would be available, and were familiar with the specifics of our sector and our project. 

The data platform we use has also helped us greatly, particularly with regard to alerts, controls and checks linked to the information system. This has enabled us to align our practices with the expected compliance framework throughout the year. 

Key success factors 

To summarize the decisive elements of the project, several points stand out: 

  • Multitasking was essential: simultaneously drafting policies, procedures, the treatment plan and audits was a daily challenge. 
  • The use of tools such as Drata and Lyvoc clearly enabled us to structure our work, automate some of the controls and centralize documentation. 
  • The commitment of top management was the number one success factor. Achieving ISO certification in six to seven months is inconceivable without strong and constant support from top management.
  • The mobilization of staff was also decisive, not only in drafting procedures and policies, but also in ensuring technical compliance (for example, by making sure that each workstation was ready and compliant before the audit). 
  • Last but not least, the choice of auditors is a strategic one: not all auditors work in the same way, and some attach greater importance to certain standards or to document structure. It is therefore essential to select them carefully beforehand. 
