About the Company
Agrimetrics, founded in 2014, is a leading Agri-tech Centre dedicated to revolutionising the agrifood sector through a thriving Data Marketplace that facilitates the sharing, monetisation, and accessibility of data. With a strategic goal of feeding 10 billion people by 2025, Agrimetrics has been at the forefront of putting data to work in its operations rather than leaving it locked away in corporate systems, research databases, and IoT systems.
Agrimetrics’ COO, Benjamin Turner states, “Despite the industry’s heavy reliance on data for operations, information security remains neglected. However, Agrimetrics is taking the lead in securing its information systems and advocating for change within the industry”.
This case study delves into the challenges Agrimetrics faced in securing its information systems and data, its successful partnership with Risk Crew in developing an effective ISMS, and its ultimate attainment of ISO 27001 certification. It also shows how Risk Crew’s 6-step methodology can benefit similar organisations operating in the digital landscape, and sets out the significant benefits of securing information systems through a well-designed, executed and maintained ISMS.
Challenges
Agrimetrics encountered a significant hurdle within the agri-data industry before obtaining an ISO 27001 certification. During that time, data sharing lacked standardisation and security measures were inadequate among companies involved in processing, storing, and sharing agri-data. The absence of ISO 27001 Certification across the industry posed substantial risks to information security, making sensitive data vulnerable to accidental or deliberate compromise or theft.
The urgency of addressing climate change and the pursuit of Net Zero further intensified the challenge. To sustainably feed a growing population with limited land resources, the adoption of technology and the exchange of integrated data and AI-powered insights became crucial across organisations and supply chains.
In addition, Agrimetrics faced the task of establishing a robust framework to ensure the security and integrity of its data. Given their limited prior experience in information security and data protection, they proactively appointed an Information Security Officer to spearhead these efforts. This dedicated professional underwent comprehensive training and collaborated closely with the expertise of Risk Crew.
To address these challenges, Agrimetrics recognised the need to establish a secure and standardised data-sharing infrastructure. This infrastructure would facilitate the seamless exchange of integrated data and enable the utilisation of AI-powered analytics, ultimately enhancing farming operations and supporting sustainable practices.
Objectives for ISO 27001 Certification and Compliance
From the outset of this project, the goal was not just to have a “badge on the wall” but to establish a framework that would ensure the organisation fully followed the ISO 27001 standard throughout all its operational activities. The following key objectives drove Agrimetrics’ decision to pursue ISO 27001 certification:
- Establishing a robust risk management framework to ensure sustainability and resilience against actual or potential risks.
- Fostering a security culture within Agrimetrics’ operations to facilitate scalability and ensure long-term viability and success.
- Strengthening the security ecosystem to minimise the likelihood of future information security breaches and uphold Agrimetrics’ reputation as a trusted and secure organisation, thereby enhancing customer confidence and loyalty.
Solution Provided by Risk Crew
The journey to attaining ISO 27001 certification is often a daunting task. Agrimetrics partnered with Risk Crew to tackle this challenge because of our proven track record of successfully implementing ISMSs and guiding organisations towards certification.
The project spanned six months and involved four key individuals from the Agrimetrics team: the Chief Operating Officer, IT Manager, Project Manager, and Technology Lead. The Risk Crew team was represented by the Client Director and a Security Consultant.
Given the particular nature of Agrimetrics and the industry it operates in, it was essential, as Risk Crew’s Client Director puts it, that we “conducted interviews with key Agrimetrics business stakeholders to understand the existing risk culture in order to set tone and tenor of the ISMS structure and risk metrics”. Risk Crew’s founding principle for an ISO 27001 implementation is that an “ISMS should be customised to fit a business and not the other way around”.
Risk Crew’s Six-Step Methodology
I. Development of ISMS Framework
The process began with Risk Crew developing an Information Security Management System (ISMS) framework, which served as a clear and unified set of agreed documents to manage the implementation of information security policies and procedures for ensuring the confidentiality, availability, and integrity of informational assets.
To ensure that the ISMS was aligned with best practices established in the ISO 27001 standard, Risk Crew conducted a comprehensive review of Agrimetrics’ existing security policies and procedures, as well as interviews with key business stakeholders. This allowed Risk Crew to understand the existing risk culture and set the tone and tenor of the ISMS documentation and policies.
Risk Crew created a framework aligned to the following ISO 27001-mandated baseline clauses, which serve as the foundation of Agrimetrics’ ISMS:
| ISO 27001 Clause No. | Title | Description |
|---|---|---|
| 4 | Context of the organisation | Understanding the organisational context, the needs and expectations of ‘interested parties’, and defining the scope of the ISMS. Section 4.4 states very plainly that “The organisation shall establish, implement, maintain and continually improve” a compliant ISMS. |
| 5 | Leadership | Top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities. |
| 6 | Planning | Outlines the process to identify, analyse and plan to treat information risks, and clarify the objectives of information security. |
| 7 | Support | Adequate, competent resources must be assigned, awareness raised, and documentation prepared and controlled. |
| 8 | Operation | More detail about assessing and treating information risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors). |
| 9 | Performance evaluation | Monitor, measure, analyse and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate. |
| 10 | Improvement | Address the findings of audits and reviews (e.g. nonconformities and corrective actions) and make continual refinements to the ISMS. |
II. Identification of Key Information Assets
In this step, follow-up interviews with key business stakeholders were conducted to determine the type, volume, and location of the information assets that Agrimetrics processes, stores, or transmits. This included information critical to business objectives; intellectual property; customer and personal information subject to GDPR compliance; customer credit or debit cardholder data; and information subject to protection by legislation or industry regulation, as identified by Agrimetrics stakeholders.
Based on the interviews, Risk Crew created a draft Information Asset Register that identifies each information asset, its location, and its custodian for Agrimetrics’ reference. The assets were compiled into groups for ease of reference. This document is a critical component of Agrimetrics’ ISMS and provides a comprehensive inventory of the organisation’s information assets.
III. Conduct Risk Assessment
Risk Crew proceeded to conduct a comprehensive information security threat and risk assessment. We identified vulnerabilities and quantified the likelihood and impact of potential threats to Agrimetrics’ information assets. The findings were presented in a detailed report, which also included recommended remedial actions to address the identified security threats.
Risk Treatment Plan
Furthermore, to manage security threats effectively, Risk Crew developed a Risk Treatment Plan (RTP), which has become an integral part of Agrimetrics’ Information Security Management System (ISMS). The RTP serves to regularly identify, minimise, and manage security threats to Agrimetrics’ valuable information assets.
The plan outlines each control selected from ISO 27001, categorises and prioritises risks, and presents them in an easily implementable manner. Four methods of risk treatment are used in the RTP: reduce, accept, transfer, and avoid. These measures are consistent with the personal mantra of Agrimetrics’ COO, Benjamin Turner, who advocates deleting unexpected communications to avoid falling victim to phishing attacks. According to him, “If you are not expecting it, just delete it”. This is especially important for senior executives, who are frequently targeted by such attacks and thereby pose a significant threat to the organisation’s information security.
All preventative security measures required to pass an ISO 27001 certification audit were documented in the RTP, along with information on:
- Current levels of compliance
- Current levels of risk
- Acceptable (residual) levels of risk
- Explicit tasks/actions/deliverables to achieve the residual level of risk
- Task owners, and
- Task timelines
Vulnerability Scanning
Risk Crew conducted vulnerability scanning against Agrimetrics’ internal devices, corporate website, and Azure environment to identify any existing security configuration vulnerabilities. High- and Medium-severity vulnerabilities were documented within the Risk Treatment Plan for remediation.
IV. Create Policies
As part of the process to achieve ISO 27001 certification, Risk Crew conducted a comprehensive analysis to identify any gaps between Agrimetrics’ business operations, policies and procedures, and controls and the GDPR requirements.
Following the assessment, Risk Crew provided a stand-alone, detailed gap analysis report that outlined all findings and prioritised the remedial recommendations required for GDPR compliance. The report included a management summary and a GDPR compliance Heat Map for project planning. This analysis was a critical component of the overall certification process, as it ensured that Agrimetrics’ data protection policies and procedures complied with GDPR requirements.
In addition to the GDPR gap assessment, Risk Crew collaborated with Agrimetrics to create all documented policies required for ISO 27001 compliance. The policies were delivered in a framework comprising corporate-level policy statements and annexes detailing the process for meeting each policy. This format ensured that stakeholders received only “need-to-know” information while providing maximum flexibility for Agrimetrics’ governance and compliance objectives. We provided all draft policies required to meet the controls specified within ISO 27001 Annex A, and they were subject to Agrimetrics’ review and approval before implementation.
| Control Ref | Description | No. Controls |
|---|---|---|
| A5 | Information security policies | 2 |
| A6 | Organisation of information security | 7 |
| A7 | Human resource security | 6 |
| A8 | Asset management | 10 |
| A9 | Access control | 14 |
| A10 | Cryptography | 2 |
| A11 | Physical and environmental security | 15 |
| A12 | Operations security | 14 |
| A13 | Communications security | 7 |
| A14 | System acquisition, development and maintenance | 13 |
| A15 | Supplier relationships | 5 |
| A16 | Information security incident | 7 |
| A17 | Information security aspects of business continuity management | 4 |
| A18 | Compliance; with internal requirements, such as policies, and with external requirements, such as laws | 8 |
V. Agrimetrics’ Program Implementation
After completing the comprehensive gap analysis, GDPR assessment, and Risk Treatment Plan, Agrimetrics had a solid foundation for achieving ISO 27001 certification. However, the implementation phase is often the most challenging aspect of compliance. Therefore, Risk Crew provided Agrimetrics with unlimited email and telephone support to ensure a smooth and successful implementation. Our team of experts was on hand to answer any questions and provide guidance on compliance requirements, ensuring that Agrimetrics fully understood the policies and procedures necessary to meet the ISO 27001 standard.
Risk Crew strongly believes in the need for knowledge transfer. This was demonstrated through a half-day workshop to review the policies, confirm they were understood, and work through potential implementation issues. This support was critical to Agrimetrics’ success and helped ensure that its ISMS was implemented in a way that maximised effectiveness and minimised risk.
VI. Verify Audit Readiness
Once Agrimetrics had implemented its ISMS and the policies and procedures required for ISO 27001 compliance, Risk Crew conducted a thorough dress-rehearsal audit to confirm Agrimetrics’ readiness for the formal Stage 1 ISO 27001 compliance audit. Our team meticulously examined every aspect of Agrimetrics’ security infrastructure and processes, identifying any gaps or areas that required further attention. Our findings included specific remedial actions to ensure Agrimetrics would pass the compliance audit with flying colours. With our expert guidance, Agrimetrics was well on its way to achieving its ISO 27001 certification.
Results of Project Implementation
Implementing an Information Security Management System (ISMS) and obtaining ISO 27001 certification proved to be a game-changer for Agrimetrics. The organisation meticulously designed and deployed a customised ISMS, resulting in an enhanced security posture, and successfully attained the coveted ISO 27001 certification. Benjamin is proud to state that Agrimetrics has not been issued a single major or minor non-conformity, either during the certification audits or at any subsequent surveillance audit, solidifying Agrimetrics’ reputation for excellence.
The impact of this achievement extended beyond the recognition of its certification. It significantly influenced Agrimetrics’ people and business operations, ultimately leading to a cultural shift towards heightened security consciousness.
Impact of ISO 27001 Certification on Agrimetrics’ Business
The company’s decision to be forward-thinking in achieving an ISO 27001 Certification resulted in a multimillion-pound, seven-year program win with the Department of Environment. According to Agrimetrics’ COO “…this would have been impossible without the certification. It’s made a difference to being able to play amongst the big boys”.
Agrimetrics’ commitment to implementing and maintaining an effective Information Security Management System (ISMS) has not only resulted in ISO 27001 certification but also paved the way for the upcoming ISO 22301 certification, with 95% of the groundwork already accomplished.
Agrimetrics also recognises the importance of strategic planning for business continuity, which is critical to its operations, and has demonstrated a proactive approach to staying ahead of industry trends and challenges. Even before the COVID lockdown, Agrimetrics had already implemented the infrastructure and technology required to comply with the ISO 27001 framework, which helped it transition smoothly to remote operations and maintain business continuity.
Overall, ISO 27001 has elevated Agrimetrics’ business positioning in the marketplace, providing a strategic edge in the industry. But, most importantly, it provides significant assurance to Agrimetrics customers, partners and staff.
Conclusion
In the current digital landscape, ISO 27001 certification has become crucial for businesses seeking to establish themselves as leaders in their respective industries. Agrimetrics’ success in identifying a gap in the agrifood sector and streamlining its data collection, storage, and protection processes demonstrates the importance of ISO 27001 certification in achieving this goal. By obtaining this certification, businesses can assure their clients and stakeholders of their commitment to protecting sensitive information and maintaining secure data governance practices. This not only enhances the organisation’s reputation but also minimises the risk of data breaches and cyber-attacks, which can be devastating to the organisation’s operations, finances, and public image.
Specifically, if processing and stewarding data is critical to your business operations, it is a no-brainer to be ISO 27001 certified. Unfortunately, as Agrimetrics’ COO Benjamin Turner observes, “the world we live in now is going to be increasingly data-driven and interconnected, businesses can’t escape the reality that they are part of an ecosystem, and a chain is only as strong as its weakest link.”