Case study: Blendr.io
Blendr.io case study: ISO 27001 FastTrack 20 consultancy with IT Governance

Overview

The Need
Blendr.io, an information technology organisation that provides iPaaS (integration Platform as a Service) for SaaS (Software as a Service) companies, wanted to certify to ISO/IEC 27001:2013 to benefit from the Standard’s best practice and reassure clients that it was meeting an internationally recognised standard of information security.

The Solution
ISO 27001 FastTrack 20 consultancy.

The Benefit
An ISMS (information security management system) certified to ISO 27001 is recognised around the world as an indication that an organisation has implemented and maintains information security best practice.

Background
Blendr.io provides a powerful, hyper-scalable and secure integration platform for SaaS companies. Its Blend Editor software allows organisations to build secure and powerful native integrations quickly and seamlessly.

As an organisation that depends on processing customer data, it is particularly important for Blendr.
io to be able to demonstrate that its systems are as secure as possible and follow internationally
recognised best practice.

The company therefore sought to align its existing security processes with international best practice
by implementing an ISMS that conforms to the international standard for information security
management, ISO/IEC 27001:2013 (ISO 27001), and achieving certification to the Standard.

Recognising IT Governance as an expert in ISMS implementation, Blendr.io opted for our ISO 27001
FastTrack 20 consultancy service, a fixed-price package designed to help smaller organisations reach
ISO 27001 certification readiness in just three months.

How the ISO 27001 FastTrack 20 consultancy service helped Blendr.io

Requirements

Blendr.io wanted to obtain certification to ISO 27001 both to provide reassurance to its existing clients and to use as a selling point when attracting new ones.

The Standard sets out the specifications for an ISMS – a risk-based approach to security comprising policies, procedures, guidelines, and associated resources and activities that, collectively managed by an organisation, protect its critical information assets.

Implementing an ISMS enables an organisation to secure its information in all forms, increase its resilience to cyber attacks, and, because it is based on regular risk assessments, adapt to evolving security threats while reducing the costs associated with information security.

Annex A of the Standard contains a comprehensive list of 114 security controls and control objectives, which are typically selected and implemented as part of a formally defined risk management process.

Independently audited certification to ISO 27001 is recognised around the world as an indication that an organisation has implemented and maintains information security best practice. As such, certification removes the need for individual security audits when tendering for new contracts.

Another advantage of certification is that it helps demonstrate that the organisation has implemented the “appropriate technical and organisational measures” required by the EU GDPR (General Data Protection Regulation).

Testimonial

“IT Governance provided us with excellent training and guidance in developing our ISMS. Their responsiveness and wealth of knowledge about ISO 27001 helped us achieve certification in record time.”

Jochen Boeykens
Executive Board Member and CFO
Blendr.io

The process

IT Governance carried out a risk assessment and a detailed review of Blendr.io’s existing controls against ISO 27001 to determine where compliance gaps lay, identify processes that should be brought into line with the Standard’s requirements, and establish the controls that needed to be implemented.

We also reviewed Blendr.io’s policies and procedures, and provided policy and procedure documentation where necessary. We then conducted an internal audit and provided information about areas that needed addressing before the certification body’s external audit.

The service followed our proven methodology for implementing an ISMS:

1. Project mandate
2. Project initiation
3. ISMS initiation
4. Management framework
5. Baseline security criteria
6. Risk management
7. Implementation
8. Measure, monitor and review
9. Certification audit

Project mandate

The first stage focuses on collating information relating to an organisation’s commitment to proceed with the project
and producing an information security policy that reflects the appropriate objectives for the organisation. This will
define the scope of the ISMS and facilitate the mandated management approval of essential documents.

Project initiation

This stage develops the project’s goals and ensures that both the project and the ISMS succeed in delivering
the objectives. With a project plan and key delivery dates in place, it is easy to keep track of the achievement of
milestones and ensure the project is delivered on time.

ISMS initiation

The third stage involves compiling a list of the requirements of each ISMS process and the tasks required to develop
and implement them. These will relate directly to the principal stages in the project plan and inform the assignment
of tasks required to execute the plan.

Management framework

This stage addresses the critical ISO 27001 requirements relating to organisational context, scope and leadership,
and ensures that the ISMS framework is aligned with and supports the delivery of business objectives.

Baseline security criteria

All organisations have security controls in place to some degree. Ensuring these existing controls meet the
requirements of the relevant legislation, regulations and contracts early in the project can ensure an effective
information security stance.

Risk management

This stage covers the development of a robust information security risk process and identification of appropriate
information security risk treatments and controls. The default approach is an asset-based risk assessment, unless
specifically required otherwise, and results in the risk treatment plan and Statement of Applicability.

Implementation

The implementation phase addresses both management system processes and information security controls to make
sure that the design of the ISMS and operation of its processes are carried out in an appropriate manner.

Our consultant will work with the organisation to develop the necessary documentation based upon a consolidated
workbook that forms the basis for the ISMS. The consultant will also help arrange access to online information
security staff awareness training, which will ensure the organisation meets this specific requirement of the Standard.

Measure, monitor and review

This phase establishes the effectiveness of the ISMS based upon measurable parameters, including ISMS processes
and security controls. Key areas include an internal ISMS audit and management review; the consultant will facilitate
the first management review meeting if desired.

Certification audit

IT Governance will plan, conduct, report and follow up on the necessary internal audit before the certification audit.
We also provide one day’s support during the stage 2 certification audit.

The outcome
The certification body, Brand Compliance, assessed Blendr.io to determine the organisation’s
level of conformance to ISO 27001. This included evaluating the ISMS’s capability to ensure
conformity to statutory, regulatory and contractual requirements, to identify potential
opportunities for improvement, and to ensure that applicable controls had been implemented,
based on a risk assessment, and the established information security objectives achieved. IT
Governance helped Blendr.io create and review materials and pass its stage 1 audit. Blendr.io
received its ISO 27001:2013 certificate in September 2020.

ISO 27001 certification audits

Stage 1

The auditor will review the organisation’s documentation to check that the ISMS has been developed in accordance with the Standard. The organisation will be expected to present evidence of all critical aspects of the ISMS, but how much depends on the certification body’s requirements.

Stage 2

If the organisation passes the first stage, the auditor will conduct a more thorough assessment. This will involve reviewing the actual activities that support the development of the ISMS. The auditor will analyse policies and procedures in greater depth, and review how the ISMS works in practice, with an on-site investigation. The auditor will also interview key members of staff to verify that all activities are undertaken following the specifications of ISO 27001.

The solution
IT Governance’s ISO 27001 FastTrack 20 consultancy is a fixed-price online consultancy package
designed to help small organisations achieve ISO 27001 certification readiness in just three
months.

It suits organisations that already have a basic level of cyber security in place and includes:

• An information security policy, and a project plan that clearly identifies the ISMS scope
and objectives;
• A mandatory information security risk assessment;
• Development of all ISMS documentation, including the information security policy;
• Guidance on the required controls to be implemented based on the risk assessment
outcomes;
• Fundamental security awareness training for staff;
• Facilitation of the first management review meeting;
• An internal ISMS audit before certification;
• One day’s support during the certification audit; and
• Support selecting the right accredited certification body.

Key features

• End-to-end support: You will be assigned a qualified consultant who will undertake all
the key activities of setting up a working ISO 27001 ISMS that reflects your business
objectives and requirements, and is suitably scaled to the size of your organisation.

• Fixed price: No extra costs, no surprises. We will help you implement an ISMS for a one-off fee.

• Guaranteed certification: If you do not achieve certification, we will meet any and all extra
direct remedial costs necessary to ensure you pass your final certification audit.

Download the service description for more information

Why choose IT Governance?
• Our ISO 27001 implementation methodology has been honed over 15 years.
• We are known as the global authority on ISO 27001 – our management team led the
world’s first ISO 27001 certification project (formerly known as BS 7799).
• We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t
need to go anywhere else.
• We guarantee certification (provided you follow our advice!).
• You benefit from real-world practitioner expertise, not just academic knowledge.
• We have trained more than 7,000 professionals on ISO 27001 implementations and audits
worldwide.
• We have helped more than 600 consultancy clients achieve certification to and
compliance with ISO 27001.
• We have a proven and pragmatic approach to assessing compliance with international
standards, no matter the size or nature of your organisation.
• Our pricing and proposals are completely transparent, so you won’t get any surprises.
• We can help small organisations prepare for ISO 27001 certification in three months.

IT Governance Europe is the one-stop shop for cyber security, cyber risk and
privacy management solutions.
Contact us if you require consultancy, books, toolkits, training or software.

t: +353 (0) 1 695 0411
e: servicecentre@itgovernance.eu
w: www.itgovernance.eu

A GRC International Group PLC subsidiary

IT Governance Europe Ltd
Third Floor, The Boyne Tower, Bull Ring, Lagavooren,
Drogheda, Co. Louth, A92 F682, Ireland

@ITGovernanceEU /it-governance-europe-ltd @ITGovernanceEU
