Cyber security: Why Herron Todd White looked to ISO 27001 to help reassure customers

The national property valuation firm says growing customer awareness of data security issues propelled its effort to achieve ISO/IEC 27001 certification


Implementing an information security management system (ISMS) is at the heart of the ISO/IEC 27001 standard, but a key challenge to successfully achieving certification is staff communication and engagement, according to Mat Cantarella.

Cantarella is the IT operations manager at Herron Todd White and led the Australian property valuation firm’s project to achieve ISO 27001 certification.

Achieving certification is something that the business had been examining for a number of years, Cantarella told Computerworld.

“We’ve seen in recent times that the appetite has really changed around information security with our clients; the landscape has shifted a lot,” he said. “People are really interested in what you're doing with their data, in how you're protecting it.”

Cantarella said that the firm had actually been complying with the security controls required by ISO 27001 for the better part of three years.

The IT ops manager explained: “We've used the standard to really ensure that all the in-house development and the different services that we build are compliant. However, in the last 12 months, we've seen that it would be beneficial to be able to go to our clients and say, ‘We have been audited, we can prove that we're doing these things and we're taking your data security seriously.’”

In 2019 ASX-listed property valuation firm Landmark White (LMW) was rocked by two data breaches. The first breach involved hundreds of thousands of documents, including property valuation details and some personal information relating to borrowers, lenders, homeowners and residents, with data being posted to a dark web forum.

The breach cost LMW millions of dollars in lost revenue after major clients temporarily suspended use of its services, and it led to the departure of the company’s CEO. The company suffered a second, significantly smaller breach later in 2019, with some internal documents being posted to Scribd.

In October NSW Police announced that an IT contractor had been charged with 15 offences relating to the “unauthorised access to the main database and document store” of LMW.

LMW announced a significant investment in augmenting its security, including achieving ISO 27001 certification.

Cantarella acknowledged that the LMW breaches had had an impact on the expectations of customers seeking property valuation services, although the focus on information security in the sector has been growing for a number of years.

“We quite regularly are sent information security and data privacy assessments from our clients,” he said. “They essentially ask us anywhere from 150 to 200 questions around what we do, both from a data point of view but also in our tech builds; they want to know a lot around our processes. We found that that was quite closely aligned to the ISO standards.”

Herron Todd White is one of the largest property valuers in Australia, assessing more than 1200 homes every day. Kerry Herron launched the firm in 1968 with a single-room office under a house in Rockhampton, but since then it has expanded to more than 64 locations around Australia, and it has more than 800 staff.

Unlike some of its competitors that delve into other property-related or financial services, the company concentrates on valuation and some advisory services.

For the most part its customers are Australia’s large banks, with Herron Todd White providing a valuation if a bank’s customer is purchasing a home or seeking to re-mortgage a property. Although the vast majority of clients are financial institutions, the company also conducts some work for government as well as private valuations for individuals.

Cantarella said the company had decided to “get on the front foot” and in April 2019 began the ISO 27001 certification process through an engagement with SAI Global. Certification was achieved on December 16.

“We set ourselves a goal as a team last year to gain certification in 2019,” Cantarella said. “We felt that it would actually become an expectation and potentially a contractual issue from 2020 onwards. That's yet to actually be the case, but we wanted to try and get ahead of that and get certification last year.”

Herron Todd White engaged a consultant to help it navigate the process. “The certification’s really around your information security management system,” Cantarella said. “It's essentially a catalogue of everything that you do around your product builds and your data storage.”

The ISO standard states that the ISMS “preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.”

“We kicked off April/May in terms of building out that management system,” Cantarella said.

Certification bodies such as SAI Global conduct two audits to assess compliance with ISO 27001.

“Once you build that system up — it’s essentially all your policies, your technical controls you have in place to make sure that you're doing everything by the standard — SAI Global comes out and does an initial audit,” Cantarella said.

That stage one audit was conducted in October.

“They look at all your documentation, all your policies, your framework,” Cantarella said. “They essentially then make an assessment as to whether or not you're ready for certification. We were lucky enough that the auditor was quite impressed with what we had in place at that point, and then they recommended a second-stage audit which we sat in December to gain certification.”

The second audit is “far more onerous,” he said. “It's them going through a lot of your controls and then asking for some actual evidence and interviewing people within the business to ensure you're following them.”

Ahead of kicking off the effort to achieve certification, Cantarella said, most of the controls covered by the standard were already in place, but some were not fully documented or linked to a particular risk.

“The standard is very heavily built around your own risk appetite around information security - so what kind of data that you're storing and what risk levels are acceptable to you and to your clients,” Cantarella said.

“Even though for the most part we were doing the vast majority of these things for a number of years, in some cases we had to build in actual official controls or policies to support that and then roll them out.”

Cantarella said that how the technology team communicated about the certification process with other employees was a key factor in the project's success.

“We're a business of over 850 employees; we have 50 sites around the country,” he said. “We have a lot of staff using our in-house software and touching our data.”

The biggest challenge is “really around educating staff”: “When you write a control or you write a policy document, quite often they can be very wordy and sometimes quite technical. One of the things we really worked hard to do was to actually put it into layman's terms — so we weren't just writing policy for the sake of it. That was probably the biggest challenge and something that the team had to work quite hard at.”

The overall cost of the project ran into the “hundreds of thousands,” Cantarella said. The certification will last for three years, with SAI Global conducting annual audits to ensure that staff are complying with the security controls covered by the standard.


Copyright © 2020 IDG Communications, Inc.
