Implementing an Information Security Management System (ISMS) at a conversational AI scale-up

July 8, 2021

By: Gry Evita Sivertsen, Security Manager, boost.ai

Boost.ai’s security manager, Gry Evita Sivertsen, details why ISO 27001 certification has been a top priority since the company’s founding in 2016

Since its founding, boost.ai has treated security and privacy as the utmost priority. Our management team understood early that providing rock-solid compliance for our clients was a must-have if the company was to stand out and succeed in a crowded market.

This led to the early decision to pursue ISO 27001 certification - something we officially achieved as a company in May 2021.

Gry Evita Sivertsen, Security Manager, boost.ai

ISO 27001 is built around an Information Security Management System (ISMS), which is essentially the set of implemented policies, processes, procedures, and technical and organisational measures for tackling security risks. The focus of an ISMS is to ensure business continuity by minimising security risks to information assets and limiting the impact of security breaches. It provides a systematic approach to managing an organisation's information security: a centrally managed framework that enables the management, monitoring, review and continual improvement of information security controls.

An ISMS exists to secure information in all its forms, by implementing appropriate measures to protect it against unauthorised access, use, modification and destruction.

My background in security/compliance at boost.ai:

Straight out of school, after finishing my degree in computer science, I interviewed at boost.ai. During the interview process I spoke about my bachelor's assignment, in which three groups were each assigned the task of building a fictional company, configuring its network, and then hacking the competing groups' companies and collecting as much information as possible from them. The assignment showed how easy it is to steal information when no security controls are in place to protect it, and it sparked my interest in information security and cybersecurity.

I was fortunate enough to be assigned the task of getting boost.ai ISO 27001 certified, and what a journey it has been.


Laying the groundwork in a fast-growing company

Implementing an information security management system for a scale-up of boost.ai's size is not an easy task. The first step was to actually identify what the company was doing: which process areas we had, which policies we had, and how it was all connected.

I had meetings with each team in the company to identify what they were doing. This was done with post-it notes, to figure out what was done where and how it was all connected. As the company had only just been founded, there were no set processes; people were doing things they had never done before, and everybody contributed to ensure that what needed to be done got done.

The company was growing at high speed: roles became more specific, routines were established and the company overall was becoming more and more corporate. Identifying the processes on which to build the ISMS was not easy, because things changed so rapidly - sometimes weekly we would change how we did things. This was partly because the company always wanted to do things in the best possible way, and we learned by doing, and partly because as more people came on board we could assign specific tasks to individual employees. We kept seeing new areas we needed to cover and new people we needed to bring on - and all of this had to be mapped into the ISMS we were working towards. In parallel, our clients had strict security requirements that we needed to comply with and fit into the ISMS as well. As the company kept growing, roles, responsibilities and processes became more defined, and it became clear where each specific control should be implemented.

Rock-solid security from the ground up

With a more defined company structure, we needed a logical place to store documentation, as well as a mapping of the standard's security controls to the identified risks. We reviewed suppliers of such systems, but something seemed to be missing in all of them, and we did not wish to replace the systems we were already using - what we really needed was a way to connect it all.

Then the idea came: why not just build a setup of our own? That way we could build it to fit our needs perfectly. We decided to implement a company intranet for document storage and for references to other systems. For the mapping of the security controls and risks I built a system that records, for each individual security control, details such as the implementation method, links to the relevant documentation, the identified risks it treats, and objective measurements used to validate compliance with that control. I am very proud of this setup, and to have the auditor praise it felt fantastic.
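As an added illustration of the kind of control register described above (this is not boost.ai's own system, whose internals the post does not describe), the Python below links each control to an implementation method, evidence links, risk register entries and one objective measurement, and then produces a compliance report from a metrics snapshot. The control identifiers and titles are from ISO/IEC 27001:2013 Annex A; the implementations, evidence paths, risk IDs, metric names, thresholds and the metrics snapshot are constructed for the example. Controls that are excluded from scope (the post mentions 4 of the 114) are kept in the register with a justification, since ISO 27001 requires that justification in the Statement of Applicability.

```python
"""Control register: Annex A control -> implementation, evidence, risks, measurement.

Added illustration, not boost.ai's system. Control IDs/titles are from
ISO/IEC 27001:2013 Annex A; everything else below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Measurement:
    """Objective pass/fail check: compare one collected metric against a threshold."""
    metric: str          # key in the metrics snapshot
    threshold: float
    comparison: str      # ">=" (at least) or "<=" (at most)

    def passes(self, metrics: Dict[str, float]) -> bool:
        # Fail closed: a control with no collected evidence is not "compliant".
        if self.metric not in metrics:
            return False
        value = metrics[self.metric]
        if self.comparison == ">=":
            return value >= self.threshold
        if self.comparison == "<=":
            return value <= self.threshold
        raise ValueError(f"unknown comparison {self.comparison!r}")


@dataclass
class Control:
    control_id: str
    title: str
    applicable: bool = True
    justification: str = ""                             # required if excluded
    implementation: str = ""                            # how the control is met
    evidence: List[str] = field(default_factory=list)   # links to documentation
    risks: List[str] = field(default_factory=list)      # risk register entries treated
    measurement: Optional[Measurement] = None


def validate_register(register: List[Control]) -> List[str]:
    """IDs of controls that are not fully documented: an applicable control needs
    implementation, evidence and a measurement; an excluded one needs a justification."""
    problems = []
    for c in register:
        if c.applicable:
            if not (c.implementation and c.evidence and c.measurement):
                problems.append(c.control_id)
        elif not c.justification:
            problems.append(c.control_id)
    return problems


def compliance_report(register: List[Control],
                      metrics: Dict[str, float]) -> Tuple[List[str], List[str], List[str]]:
    """Split the register into (compliant, non_compliant, excluded) control IDs."""
    compliant, non_compliant, excluded = [], [], []
    for c in register:
        if not c.applicable:
            excluded.append(c.control_id)
        elif c.measurement is not None and c.measurement.passes(metrics):
            compliant.append(c.control_id)
        else:
            non_compliant.append(c.control_id)
    return compliant, non_compliant, excluded


def coverage(register: List[Control]) -> Tuple[int, int]:
    """(applicable controls, total controls) - the post's '110 of 114' figure."""
    return sum(c.applicable for c in register), len(register)


# Constructed sample register (five controls; a real register covers all 114).
REGISTER = [
    Control("A.9.2.3", "Management of privileged access rights",
            implementation="Admin roles granted via IdP groups, reviewed quarterly",
            evidence=["intranet:/access/privileged-access-review"],
            risks=["R-04 stale administrator access"],
            measurement=Measurement("days_since_privileged_access_review", 90, "<=")),
    Control("A.10.1.1", "Policy on the use of cryptographic controls",
            implementation="Full-disk encryption enforced on laptops by MDM",
            evidence=["intranet:/policies/cryptography"],
            risks=["R-11 lost or stolen laptop"],
            measurement=Measurement("pct_laptops_disk_encrypted", 100, ">=")),
    Control("A.12.4.1", "Event logging",
            implementation="Production hosts ship logs to the central log platform",
            evidence=["intranet:/ops/logging"],
            risks=["R-17 undetected intrusion"],
            measurement=Measurement("pct_prod_hosts_shipping_logs", 100, ">=")),
    Control("A.12.6.1", "Management of technical vulnerabilities",
            implementation="Monthly authenticated vulnerability scan of all hosts",
            evidence=["intranet:/ops/vulnerability-management"],
            risks=["R-02 exploitation of a known vulnerability"],
            measurement=Measurement("days_since_last_vuln_scan", 30, "<=")),
    Control("A.14.2.7", "Outsourced development", applicable=False,
            justification="All software development is performed in-house"),
]

# Constructed metrics snapshot; the scan metric was deliberately not collected.
METRICS = {
    "days_since_privileged_access_review": 42,
    "pct_laptops_disk_encrypted": 97.5,
    "pct_prod_hosts_shipping_logs": 100,
}

if __name__ == "__main__":
    print("documentation gaps:", validate_register(REGISTER))
    print("coverage: %d of %d controls applicable" % coverage(REGISTER))
    ok, gaps, excluded = compliance_report(REGISTER, METRICS)
    print("compliant:", ok, "non-compliant:", gaps, "excluded:", excluded)
```

Two design points carry over to any real register: a control whose measurement has no collected data is reported as non-compliant rather than silently skipped, and an excluded control cannot be recorded without its justification, which is exactly what an auditor asks for when checking the Statement of Applicability.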

boost.ai achieved ISO 27001 certification in May 2021

Boost.ai is an ambitious company in every area of its work, so for the ISMS we wanted the whole company in scope, and we ended up implementing 110 of the 114 security controls in the standard. The reasoning is that it was a high priority from the beginning to include security in everything we do and to leave no grey zones that could undermine the overall ISMS. We also highly value our clients and want them to be assured that we not only have the best product, but also the security controls and a strong security culture throughout the company to support it. I am so proud of the entire team, and it is a big milestone for the company to now be ISO 27001 certified.

Key takeaways from this experience 

Security has been a central part of the company from the beginning, and the result is a fantastic security culture that is being well maintained. When you implement an ISMS in a startup, you have to assess every single control in the standard and work out how to implement it, and in doing so you really see the reasoning behind why each control is there. Rather than doing something just because you are told to, we got to see the controls from a different perspective, one that gave us a real understanding of and awareness of why each one had to be done, which in turn increases the likelihood of compliance.

By implementing all the controls from scratch we had the opportunity to be creative, to research, and to find the best practices for implementing them. As a result, the implemented security controls are of high quality and highly relevant to the industry as it is today.