Why Alpine is Fully Invested in ISO 27001:2013 Accreditation
As an industry leader in test development, psychometric services, and credential management, Alpine Testing Solutions (Alpine) believes that security is a central element to the services we provide. In today’s world, security threats are pervasive. Alpine is fully invested in and passionate about protecting the confidential information and data that clients entrust to us.
“Our clients need to have complete confidence that Alpine is taking the utmost measures to secure their data. We are very serious about our obligation to ensure the confidentiality and integrity of the data our clients entrust us with when using our Test Development and Psychometric Solutions and Credential Management services. Our decision to pursue the ISO/IEC 2700:2013 accreditation aligns perfectly with our security goals,” shared Brian Adams, Alpine’s CEO and President.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) developed the ISO 27001:2013 as an information security standard to standardize the process for establishing, implementing, operating, monitoring, reviewing, and maintaining an information security management system (ISMS). ISO encourages companies to continually review and improve their security practices.
“In 2019, when we began our ISO27001 accreditation journey, we had already developed a security program but it had not been verified or audited by a third party, and we didn’t have an ISMS. We wanted to make sure we had the right expertise to help us develop our ISMS and to prepare for the required internal and external audits,” stated Blair Harris, Alpine’s COO. “We found Audit Liaison through a referral and determined they were a good fit to help us prepare for accreditation.”
Audit Liaison provides audit and security compliance assistance for small- to medium-sized companies who are implementing compliance processes and seeking accreditation. The Audit Liaison team is made up of financial and technology experts who help companies navigate and implement the compliance process while acting as an extension of each client’s team. They provide as much or as little support as needed.
B. J. Lewis, Audit Liaison’s Chief Operating Officer, consulted with the Alpine Security Committee and quickly assessed Alpine’s infrastructure and business needs. Lewis and team skillfully guided Alpine through the internal audit process and ISMS development to prepare for Alpine’s initial external audit.
A-LIGN, an external auditor accredited by the ANSI-ASQ National Accreditation Board (ANAB), performed the initial surveillance audit in early 2020. On March 30, 2020, Alpine received their initial third-party accreditation ISO/IEC 27001:2013 certification for its ISMS. A-LIGN determined that Alpine had technical controls in place and formalized IT Security policies and procedures.
As Lewis explains, “Alpine has implemented several security measures and countermeasures that protect it from unauthorized access or compromise. IT personnel were found to be conscientious and knowledgeable about best practices. Since the initial audit performed in 2020, Alpine has undergone the formal and rigorous audit process via A-LIGN and continues to earn and maintain the esteemed ISO/IEC 27001:2013 certification for its ISMS. For the 2022 audit, Alpine had zero non-conformities or outstanding items.”
Audit Liaison has been instrumental in helping Alpine successfully and efficiently achieve and maintain the ISO27001:2013 accreditation. Going through the internal and external audit processes with Audit Liaison has also helped Alpine make sure they are meeting expectations, regulations, and ISO27001:2013 standards. Alpine has become more proactive than reactive about security management based on Audit Liaison’s guidance, which has helped streamline processes. For example, Audit Liaison’s recommendation and support in creating a library of documentation to help complete ongoing vendor security questionnaires has improved efficiency and decreased turnaround time.
According to Lewis, “Alpine is used to following best practices with the services they deliver, so they’re on board with following best practices with audit compliance too. Alpine’s processes are continually evolving. When they first started in 2019, Alpine didn’t have an ISMS. Now they have a complete policy and all of the supporting documentation.”
The ISO27001 standard is typically updated approximately every 10 years. It is anticipated that the ISO27001:2013 standard will be replaced with an updated version in the coming year. Audit Liaison continually has their ear to the ground for upcoming changes and is preparing Alpine in advance for certain expected requirements to ensure a smoother transition.
For example, the auditors who conducted recent ISMS audits added cyber tabletop exercises to their audit schedules. These cyber incident response audits enable those being audited to assess their breach readiness by providing insights into their ability and readiness to respond to a cyber-attack. The role-play tabletop exercises and scenarios also addressed issues companies faced during the height of the COVID-19 pandemic when many companies had to transition from employees who were used to working onsite to working virtually instead. Other examples may include how to deal with security during power outages.
Audit Liaison Acting as vCISO
“When Alpine began working with Audit Liaison in 2019, the possibility of having them join Alpine as the virtual Chief Information Security Officer (vCISO) didn’t occur to us initially,” said Adams. “Based on the value that Audit Liaison continues to bring and the positive and productive collaboration between Audit Liaison and Alpine, we are very pleased to announce that Alpine is opting for vCISO services from Audit Liaison with B. J. Lewis acting as our vCISO.“
Having Audit Liaison act as Alpine’s vCISO is very cost effective because it will incur a fraction of the cost of a full-time CISO salary. Lewis will act as a member of the Alpine team to ensure compliance and audits needs are seamlessly met. Lewis will also:
- Spearhead completion of vendor questionnaires
- Provide routine oversight, testing, and reporting
- Interface directly with Alpine’s customer vendor management and information security personnel on behalf of Alpine management, where applicable
- Streamline the prospect information security and risk management RFP process
- Work with internal teams to design and maintain security controls addressing Alpine’s key information security risks
According to Lewis, “Alpine takes certification seriously and is vested in it. They’re always thinking about improving security. Everyone is engaged. The security committee is a robust size and has people from different areas, which feeds good discussion. They have a roadmap of continuous improvement items where they have a process in place. I’m thrilled to have the opportunity to act as the vCISO for Alpine. It is a pleasure to work with a client who is always asking, ‘What can we do better?’