The voice of security: top voice biometric specialist secures ISO27001 re-certification
This case study shows how IT Governance helped VoiceVault achieve ISO 27001 re-certification.
VoiceVault is a specialist industry leader in the provision of voice-based biometric identity verification solutions and services (see below). With operations in the United States and the United Kingdom, the company has a global customer base of public and private organizations, such as government agencies, financial institutions and healthcare companies. Keeping information secure is at the heart of their business, so they know the value of information security and how a robust Information Security Management System (ISMS) and certification to ISO27001 can demonstrate this to their clients.
Although VoiceVault is in the business of information security technology, it is not a specialist in ISO 27001. Having already been through the certification process, they knew how much work it could potentially involve in a relatively tight timescale. An external agency that could lead the project with minimal interruption to business as usual was called for and IT Governance fit that profile neatly.
Biometrics are automated methods of recognizing a person based on a measurable physiological, anatomical, or behavioural characteristic. They are now seeing wide adoption as the technology matures and new methods of securing systems become increasingly important.
VoiceVault is an industry leader in voice biometrics, with a rapidly growing global customer base and specialist partners such as Angel in the US and DataPoint in the UK. VoiceVault provides a more convenient, practical and secure alternative to PINs, passwords, or security tokens. As well as verifying an individual’s identity over the phone or the Internet, VoiceVault can be employed across a diverse range of business applications, including procurement, payment authorization and corporate security.
As you might expect from a company so heavily focused on security, they are aware of its implications and are keen to demonstrate the company’s commitment to industry best practice. As a result, they achieved BS7799 certification in 2001, managing to maintain their certification through the transition to ISO27001 in 2007.
In addition to maintaining their certificate, VoiceVault also recognises the perceptual and intrinsic value of properly implemented and audited safeguards. ‘Having ISO certification is important to us for two reasons,’ said Operations Manager Andrew Saunders. ‘First, it gives our customers and prospects confidence that when they entrust us with their information, we, as an organisation, have been independently assessed to be able to keep that information safe. Secondly, the ISMS is simply good practice for a business like ours; it provides an effective framework for running an organisation well.’
During 2008/09, VoiceVault went through a substantial organisational change. A strategic decision was made to relocate their head office from Dublin to Reading and co-locate their hosting platform in two separate data centres in the UK and US, ensuring maximum resilience and redundancy for their global customer base. Realising the impact on security, and to their existing ISO27001 certificate, VoiceVault engaged IT Governance to initially review their existing ISMS framework in readiness for a scheduled surveillance visit.
It was evident from the review that the original ISMS would be insufficient for the needs of the new business structure and would therefore not ensure re-certification. IT Governance was then tasked with implementing the new ISMS ready for re-certification in April 2010, and also to make sure the surveillance visit in November went well.
A physical site move would usually have meant the company would need to submit a complete re-assessment for ISO 27001 certification. However, as the move was scheduled to take place gradually over several months, and the heart of the business and scope was still in Ireland at the time of the scheduled surveillance visit, this was completed against the original scope.
IT Governance was engaged as a partner for VoiceVault to ensure that the new scope met the requirements of the business to reflect not only changes to the company but also changes to legislation and contractual obligations.
In addition to redefining the scope, IT Governance completed a new risk assessment, provided staff awareness training, and helped VoiceVault develop ISMS documentation in order to meet the requirements for re-certification in April 2010. IT Governance then worked with VoiceVault to drive the ISMS project forward, allowing VoiceVault to focus on the relocation while still retaining ownership of its security arrangements.
VoiceVault successfully completed its reassessment audit in April 2010. The audit was conducted by Certification Europe, a certification body accredited by INAB (the Irish National Accreditation Board).
"VoiceVault and IT Governance successfully navigated a number of challenges," said Michael Brophy, CEO of Certification Europe. "Not only was the ISO system undergoing reassessment, but it was at a time when there was a significant changeover of staff, a change of premise and a new release of the core technology. Any one of these issues would normally pose a challenge, but having them all come together really tested the ISMS. Our auditors wanted to ensure that, with the change of personnel, there was still a genuine awareness and ownership of the system within VoiceVault. We also wanted to make sure that, with new staff coming on board, information security was still treated as a priority, particularly with all the competing issues."
"The partnership between IT Governance and VoiceVault was obviously a success, as within a very short time, VoiceVault was able to demonstrate compliance with all the relevant controls in ISO27001."
Michael Brophy, CEO of Certification Europe
As VoiceVault experienced, for an ISMS to function well it needs to be maintained. Among other things, corrective and preventive actions need to be taken, documents updated, risks reviewed, and regular internal audits completed.
IT Governance lead consultant Yvonne Sears said, "Responsibility for parts of the ISMS throughout the company needs to be delegated to ensure buy-in and that responsibilities are understood, particularly around policies and procedures." She recommended that regular meetings be conducted to report on the effectiveness of the ISMS and controls to senior management, saying, "This will emphasize the need for ISO 27001 and hopefully retain senior-level commitment and buy-in!" Unsurprisingly, she is all for a dedicated resource, whether internal or external, to effectively maintain the ISMS.
When asked what was next for VoiceVault and IT Governance, Andrew Saunders replied: "We hope to have a long-term relationship with IT Governance. We recognize they have the core competency of running an ISMS and we think this will augment our own skills as well."