https://www.miningweekly.com

The Pragma group celebrates ISO 27001 certification

23rd August 2022

     


Achieving ISO 27001 certification is no small feat for any organisation. At Pragma it took two years, significant financial investment and a massive company-wide effort – well worth it for the value that the certification will add to the company and its clients. Pragma is now celebrating this recent achievement and joins a group of approximately 200 South African businesses that have also successfully been certified.

Darryl Lampert, Pragma’s Chief Information Officer, explains that in simple terms, ISO 27001 certification is an international standard for managing information security. Certification is voluntary, and it requires organisations to take a risk-based approach to how they manage all data, particularly sensitive data. The requirements are rigorous, and the outcome is a collection of controls that ensure security practices of a high standard.

While ISO 27001 certification is not a requirement for POPIA and GDPR compliance, it displays to the regulators that a company has an Information Security Management System (ISMS) in place. In addition, many of the requirements for ISO 27001, POPIA and GDPR overlap.

“By becoming certified, we are meeting internationally recognised requirements to control and minimise our IT risks,” says Darryl, “and we are providing significant evidence to our staff, clients, contractors and the information regulators in the EU and SA that we take cybersecurity risk and management very seriously.”

The effects of cybercrime on a company’s brand reputation and financial stability can be devastating. In March 2022, a local credit reporting agency was held to ransom by a hacker group demanding $15 million (R225 million) for over four terabytes of compromised data [1]. In May 2022, one of South Africa’s leading pharmacy retailers was the victim of a cyberattack in which their third-party service provider was hacked, leading to the personal details of more than three million clients being compromised [2].

“Cybercrime is a harsh reality, and so we didn’t want to approach certification indifferently as a clinical tick-box exercise simply to make our company look safe,” says Darryl. “We were intentionally seeking the real benefits of certification for our cybersecurity, mainly improving our overall cybersecurity posture.”

Achieving certification was very much a team effort. “We are indebted to external consultant Alistair Corder from Apliso for his expertise and support every step of the way. Leon Swart from Sancert and his team provided valuable guidance prior to the certification audit. Internally, there was a combined effort from ICT, R&D Support and Development, HR and Finance. It’s important to be aware that managing information security in a company isn’t the sole responsibility of ICT – it needs to be part of the company culture,” says Darryl.

Being ISO 27001 certified does not prevent a company from being hacked. No company is safe from this, no matter what measures they have in place and how much money they spend. “What certification does do is give our clients the peace of mind that we take our cybersecurity very seriously and have the systems in place to address our risks in an internationally recognised way. Cybersecurity is a journey and not a destination,” Darryl concludes.

This article first appeared on https://bit.ly/3SRidiS

Edited by Creamer Media Reporter
