In what has been a rigorous but rewarding journey, we are proud to announce that Matrix CNI has officially achieved ISO/IEC 27001:2022 information security management certification based on the very latest version released in late 2023.
With the certification process behind us, we wanted to share the lessons we've gained throughout the process, recommendations for others considering this path, what this milestone means for our customers and how you can apply our experiences to strengthen your own security practices.
A quick refresher for anyone unfamiliar with ISO 27001
ISO 27001 is a pillar of security compliance – both highly regarded and internationally recognised.
It offers a comprehensive, risk-based framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). During an ISO 27001 audit, an organisation’s ISMS is put through the ropes of the standard’s 18 different parameters, each assessing the soundness of its security practices. While somewhat complex in nature, the process can be boiled down to two complementary components - ensuring the right people and systems have access and then validating that only those users and systems connect to your critical infrastructure.
This goal is to ensure that organisations like ours have the mechanisms in place to systematically manage security along with protecting sensitive information, with a strong focus on confidentiality, integrity, and availability.
Why pursue ISO 27001 certification?
It’s a fitting question, as many organisations choose to use the ISO 27001 framework without seeking full certification. Like those organisations, we could have implemented the framework without becoming certified. However, achieving ISO 27001 certification was a significant milestone for us and one that would deliver value for both us and our customers.
On the one hand, it sharpened our focus on risk management, guiding us in identifying information security risks and implementing the necessary controls to mitigate them. This was particularly important given the stringent ASD-8 requirements and the value of ISO 27001 certification for government contracts and, no doubt, other industries down the road.
But for us, ISO 27001 certification wasn’t just about box-ticking for compliance. It was about validating the trust our customers have placed in us. We knew that by achieving ISO 27001 certification, we could demonstrate our commitment to protecting customer data and our infrastructure while mitigating risks, threats, and bad actors. We could also give customers the confidence that our systems and their data are secure and they wouldn't be impacted if an event were to occur.
What does ISO 27001 certification mean for our customers?
While ISO 27001 delivers compliance for us and our environment, the learnings from our certification process – and the changes we’ve had to make to how we work and our IT systems – will mean security will also be at the core of our clients’ projects, no matter their size. ISO 27001 has helped us to understand and implement a robust framework that includes compliance with local recommendations such as ASD-8, but also aligns with global best practices.
In practical terms, as we manage your ICT infrastructure, you can trust that we will apply the same rigour to continuously improve our security measures and technologies to keep our customers one step ahead of evolving threats. Trust and partnership are core tenets of Matrix CNI.
Perception vs reality on costs
A common fear among businesses is that robust security measures come with exorbitant costs. Our experience shows that while there is always an investment, it’s not as steep as you might expect. Much of our existing infrastructure, particularly within our network (Aruba) and firewall (Palo Alto) technologies, already had the capabilities we needed. In fact, as we progressed through the ISO 27001 certification process, we found that compliance often didn’t necessitate wholesale changes to our security infrastructure at all. Instead, we could refine our existing setup (which always had security at the core of every IT decision) to add strategic functionalities.
One such example is our approach to log management. Previously, ingesting and managing logs was costly. However, by reviewing our cloud-delivered service subscriptions, we could access advanced defensive capabilities with minimal cost uplift. This provided us with enhanced log management and SIEM capabilities—solutions such as Microsoft Sentinel, Splunk, or Palo Alto XSIEM, which may already be available in an organisation’s SASE tools.
What our tech stack looks like now
We've integrated information security directly into all of our ICT projects, ensuring that every solution - regardless of complexity - undergoes rigorous benchmarking. This means that before any internal ICT project is deployed, it is thoroughly evaluated to ensure that security considerations are embedded into the solution from the very beginning.
To put this into perspective, we’ve always maintained a strong focus on network segmentation, which helps to compartmentalise and protect different parts of our network. While dynamic segmentation is overkill for an organisation of our size (like putting a Boeing engine in a Volkswagen), we do utilise both network macro and micro-segmentation.
Perhaps the most notable change for our business, both from a cultural and technological perspective, was Data Classification and linking this to Data Loss Prevention (DLP) solutions. We’ve implemented technologies that not only help prevent data leaks but also ensure that all data is properly categorised, securely handled, and accessible only to those with the right privileges at the right time.
Life after certification, where to next?
Achieving ISO 27001 certification is more than just a badge of honour at Matrix CNI - its underlying approach is woven into our culture and mindset. Security has always been a core focus for us, so reaching this milestone wasn’t as challenging as we expected. Yes, the process is lengthy, but it was also surprisingly straightforward, thanks to the strong foundation we had already built with our technology partners, like Aruba and Palo Alto. Our already deep-rooted commitment to security and our customers made the necessary adjustments more of a refinement than a significant overhaul.
Just because we are now ISO 27001 Certified doesn’t mean we stop thinking about security and its impact on us and our customers. ISO 27001 is also about continuous improvement, allowing Matrix CNI to constantly re-assess its stance, deploy technologies, and adapt to the fast-evolving world of cyber security threats.
ISO 9001:2015 certificate number FS 599316
ISO 27001 certificate number IS 798210