For over a decade, OCTO Telematics (OCTO) has implemented management systems that follow the requirements of international standards, demonstrating the quality of its products and a rigorous approach to information security. With OCTO continuing to grow globally, an integrated approach to management systems was required. The result is a system that spans information security, privacy, cloud security, business continuity and quality.
Here, we speak to Attilio De Bernardo, CISO at OCTO, about the important role certification plays in building trust and how integration has led to a more robust, efficient approach.
Building Customer Trust
As a global leader in telematics solutions and a data-rich organization, the team at OCTO have always been aware of the need to keep pace with the constantly evolving information security landscape. Third-party audits and information security management system certification help OCTO to demonstrate that it has the processes and procedures in place to protect business-critical information and data. This, combined with an ISO 9001 certified quality management system, ensures that customers can trust the quality and security of OCTO products and solutions.
“OCTO began implementing quality and information security management systems over 10 years ago. Since then, and as our business has become increasingly global, we’ve begun to adopt a more progressive and integrated approach that is strongly aligned with business processes,” explains De Bernardo.
"A certified ISMS is a gateway to securing business with important customers"
A Robust Approach to Information Security
The process of implementing and certifying its information security management system (ISMS) to ISO 27001 helped OCTO ensure that controls and management processes were both adequate and proportionate in relation to specific threats and opportunities identified in the risk assessment.
Based on this same business-led approach, OCTO identified the need to certify their system against ISO 27017, which introduces controls around the provision of cloud services, and ISO 27018, which covers protecting personally identifiable information (PII) in the cloud.
“A certified ISMS is a gateway to securing business with important customers. However, it’s also enabled OCTO to take an organic approach to system security, through extending the ISMS to properly manage the threats and opportunities that relate to our business,” says De Bernardo. “One of the reasons we decided to extend our system to cover cloud security and privacy was the implementation of a cloud model for vehicle sharing services.
“As ISO 27017 and ISO 27018 are extensions to the ISO 27001 standard, we were able to maintain a clear alignment and strategic vision throughout.” This highlights a commitment to privacy and supports compliance with laws and regulations such as the GDPR. “We take an evolutionary approach to system security where we integrate extensions that are relevant to our organization. The OCTO business is based on the processing of personal data – so it was a very natural and logical decision to opt for ISO 27701 certification – especially when considering the need to evidence compliance with the GDPR. For OCTO this represents a moment of great awareness regarding best practice processing of personal data.”
Achieving Total Continuity
OCTO’s integrated management system isn’t solely information security focused. It’s also certified against ISO 9001 (quality) and ISO 22301 (business continuity), providing assurance that services are of a high quality which can be maintained even in the most unexpected and difficult circumstances. “Prior to certification, OCTO already had a continuity plan. However, the entire executive committee gave a strong mandate to strengthen that plan to face the most unprecedented situations. This was a crucial decision which meant that OCTO had started the ISO 22301 certification process long before the COVID-19 pandemic had an impact. As a result, during the pandemic we were able to guarantee the total continuity of our services in every part of the world.”
"The high-level structure of Annex SL, with its identical basic text, common terms and definitions, facilitated the integration of our management systems"
Driving Efficiency with Integration
Annex SL, the standardized framework used in all ISO standards, makes it easier for organizations like OCTO to implement a multi-faceted system that can then be audited and certified by a third-party body. Integration helps ensure that multiple systems are pushing towards the same organizational goals; it also introduces several other efficiencies.
“The high-level structure of Annex SL, with its identical basic text, common terms and definitions, facilitated the integration of our management systems. Through integration, OCTO were able to minimize conflict between individual systems. It also reduced duplication of processes, administration work and general bureaucracy. This ensured a much stronger focus on the needs of the whole business rather than one particular area,” De Bernardo explains.
Going Remote
Initially, many of OCTO’s audits were scheduled to take place at a time when the COVID-19 pandemic was causing significant disruption.
“All OCTO audits were performed remotely by Lloyd’s Register,” De Bernardo recalls. “This helped us to find greater efficiencies in the face of minor problems and despite the context of a global pandemic, the process encouraged cohesion and a greater team spirit. We were also able to reduce the health and safety risk to our people at a crucial time whilst minimizing disruption to daily activities.”
“For OCTO – the future of auditing is likely to be a blended option that uses a mix of remote auditing to optimize the overall process and face-to-face which helps build strong personal relationships. This ensures that our auditors can get a flavor for our business and how it operates.”