Anatomap enlists Digital Octopii to navigate ISO 27001 and BS 10008 certification in just 5 weeks
Stage 1 & 2 audits passed
Certified in 5 weeks
587 risks identified and treated
Complete documentation set for both standards condensed into 20 easy-to-maintain documents
About Anatomap and their innovative Injury Capture app
Multinational tech startup Anatomap are revolutionising the way police forces record injuries suffered as a result of violent crime with their new app, Injury Capture. The application allows victims, witnesses, police, medical and legal professionals to quickly and accurately upload forensic evidence in one place, from which compliant witness statements are then generated for use at interview stage and throughout the court process.
Having run a successful forensic science company for over 10 years, CEO and Founder of Anatomap, Simon Franc, explains the challenges the defence, prosecution and other government agencies face in the forensic science space. “Often, obtaining evidence upfront — that is before the police hold interviews with suspects — is difficult.
There are many parties involved and it can be hard for police forces to coordinate that process and gather evidence quickly, especially when they need to attend to every call for evidence. The lack of information in the early stages results in fewer early guilty pleas and increased economic and social costs of injuries suffered from violent crime, which today amount to £15.5 billion, a staggering third of the total cost of crime.”
The Injury Capture app aims to shorten the lifecycle of gathering forensic evidence by digitising the entire process: every party involved uploads their own evidence, so the police can retrieve information more quickly, with less risk of lost information and duplicated effort.
The business objective: obtaining ISO 27001 and BS 10008 certification to meet clients' requirements
Collecting, storing and using sensitive data of this kind requires stringent processes, policies and procedures to ensure information security. ISO 27001 specifies an information security management system (ISMS) that preserves the confidentiality, integrity and availability of information by applying a risk management process, and is therefore paramount for Anatomap. Because the electronic information they gather is also used as legal evidence in court, the BS 10008 standard (evidential weight and legal admissibility of electronic information) also applies to the business.
“When we were in the process of developing the app, we spoke to a number of police forces (our target market) who fed back that technology of this kind would need to certify with ISO 27001 and BS 10008. This was the key driver for us to achieve certification,” explains Simon.
Simon added, “The police have been burnt by technology before. Since forces have not had a cohesive approach to the adoption of technology solutions at national level, including that of cloud services and connected apps, often they find themselves working with technology that is not fit for purpose, resulting in electronic information that has not held up in court. This is why we decided to certify with ISO 27001 and BS 10008 before even bringing any customers on board.”
The challenge: Navigating the certification process
While Simon and Chief Technology Officer Jorge Galrito understood the risks to information security within their business, they knew that achieving both ISO 27001 and BS 10008 certification at once was no mean feat, and a full-time job in itself.
That is why they decided to hire an external consultant to help them assess the risks and to ensure they had all the correct documentation in place for the audit, which was carried out by the external UKAS-accredited certification body, British Standards Institute (BSI Assurance UK Ltd).
The solution: Bring Digital Octopii on board to achieve certification
Anatomap chose Digital Octopii to help them certify with ISO 27001 and BS 10008 for three main reasons.
Determining the objectives and scope
Anatomap, with the assistance of Elisabeth Belisle, Associate Consultant of BSI and Managing Director of Digital Octopii, started by outlining the objectives and scope of the implementation, so that everyone involved knew what they were trying to achieve by certifying.
As part of this phase, they considered their business processes and created high-level process maps to understand where the information they wanted to protect was held, in which systems and networks it resided, who was responsible for it and who had access to it.
Assets and risks
Anatomap then made an inventory of their information assets (e.g. hardware, software, databases, cloud services, supplier and partner relationships, and the personnel involved). At this stage they decided to reduce the number of suppliers they relied on, and introduced a policy requiring every key supplier to hold ISO 27001 certification.
Elisabeth then proposed an asset-threat-vulnerability approach to identifying and scoring risks, using the inventory of assets as the starting point. For each category of asset, the threats to it (theft, human error, malware, etc.) and its vulnerabilities (e.g. a lack of relevant employee security training) were considered and scored.
Once the risks had been identified, a risk treatment was decided for each: Anatomap reduced the likelihood of the risk occurring and/or the severity of the consequences if it did occur, in both cases by applying a control. ISO 27001 (Annex A of the 2013 edition) lists 114 reference controls, each of which must be considered and its inclusion or exclusion justified. Working through this list gave the business its Statement of Applicability.
The structure of the ISMS - policies and procedures
Once these exercises had been completed, Simon and Jorge had a very clear understanding of what an information security management system is, what ISO 27001 and BS 10008 are about, and how those standards applied to their business in a practical and pragmatic way. At that point they were ready to assemble their documentation: the written policies and procedures describing how they would operate their ISMS.
Anatomap were clear that they did not want to create a mountain of documentation; they wanted the ISMS documented in as few documents as possible and integrated with their existing Azure DevOps tenancy. With Elisabeth's help, Simon and Jorge produced a compact, interrelated documentation set of only 20 documents covering both standards, held in the Azure DevOps Git wiki, and used their existing Azure DevOps board to manage the ISMS.
At the same time, they implemented their technical risk mitigating solutions.
One example of a new technical solution Anatomap implemented concerned their Bring Your Own Device (BYOD) policy. While letting employees use personal devices for work has advantages, it also presents risks to information security, mainly malware and loss of devices. After Elisabeth's risk framework showed just how many risks were associated with BYOD, Simon and Jorge decided to implement Microsoft Intune, which lets them remotely wipe company data from a device if, for example, it is lost or a gross misconduct incident takes place. This solution reduced the associated risk level from amber to green.
The results: Stage 1 & 2 audits passed for both ISO 27001 and BS 10008
The collaboration between Anatomap and Digital Octopii resulted in the business passing its stage 1 audit in just 5 weeks, with only one minor nonconformity, which was actioned within 24 hours.
“The speed at which we were able to achieve our stage 1 audit was undeniably impressive. Digital Octopii’s availability played a huge part in this. Implementing these standards is very much a step-by-step process and Elisabeth was always on hand to review our work and move us onto the next step quickly and efficiently,” said Simon.
With their documentation in place, Anatomap now conforms to ISO 27001 and BS 10008. With the help of Digital Octopii, they have also taken the steps needed to operate their ISMS on an ongoing basis, implementing an internal audit plan to manage the risks and issues that arise.
“Regular internal audits, measurements (e.g. key performance indicators) and monitoring are always required to verify whether the policies and procedures are indeed managing risks, whether people are following them and whether technology solutions are working. We have helped Anatomap navigate this phase in preparation for their stage 2 audit, which they have now passed with flying colours. They now have peace of mind that all risks to their information are considered and being managed successfully,” said Elisabeth.
No matter what phase your ISO 27001 ISMS or BS 10008 project is in, we can support you.
As Associate Consultants of the British Standards Institute, we are recognised experts in this field. We will help you become compliant with either of the above standards, whether you want to obtain certification from BSI or another UKAS-accredited body, or simply want to improve your current practices.
Not sure which standard is best for you or where to start?