
Implementing an ISMS at a conversational AI scale-up

Last updated 23 April 2024
Product

Learn about boost.ai's path to ISO 27001 certification and our strong commitment to security.

Boost.ai’s commitment to security and privacy has been unwavering since its inception in 2016. The leadership team recognized early on that robust compliance was essential for standing out and thriving in a competitive market.

This understanding drove the initiative to pursue ISO 27001 certification, a milestone officially attained in May 2021.

ISO 27001 centres on the establishment of an Information Security Management System (ISMS): a set of policies, processes, procedures, and measures designed to address security risks. An ISMS aims to ensure business continuity by minimizing risks to information assets and reducing the impact of security breaches. It provides a systematic methodology for managing an organization's information security through a centrally managed framework that supports the management, monitoring, review, and improvement of information security controls.

An ISMS is crucial for safeguarding information in all its forms, implementing measures to shield against unauthorized access, use, modification, and destruction of information.

Laying the groundwork in a fast-growing company

Implementing an ISMS in a rapidly scaling company like boost.ai was no easy feat. The initial step involved identifying the existing processes and policies, and understanding how they interlinked.

Meetings with various teams within the company helped shed light on the current operations. During these discussions, post-it notes were used to visually map out processes and connections. Given the nascent stage of the company, no fixed processes were in place and roles were continually evolving to keep pace with the rapid growth. The aim was always to operate optimally, learning and adapting along the way, which often meant weekly modifications to processes. As more individuals joined the team, roles became more specialized, routines were established, and the company began maturing into a more structured entity. Identifying processes to build the ISMS upon was a challenge due to these rapid changes, but it was a necessary endeavor to meet the stringent security requirements of our clients and to align with the ISMS objectives.

Rock-solid security from the ground up

With a more structured company framework, the need arose for logical documentation storage and for mapping standard security controls against identified risks. Although several system suppliers were reviewed, none seemed to fit the bill, and replacing existing systems was not an option. Hence the idea of developing an in-house setup emerged. This led to the creation of a company intranet for document storage and reference, along with a system for mapping security controls to risks, detailing for each control its implementation method, relevant documentation, the risks it addresses, and objective measurements used to validate compliance with that control.

boost.ai achieved ISO 27001 certification in May 2021

Being an ambitious entity, boost.ai aimed to encompass the entire company within the ISMS scope, implementing 110 of the 114 security controls from the standard. This decision stemmed from the high priority placed on embedding security in every aspect of operations to avoid any grey zones that could affect the overall ISMS. Client assurance is highly valued, and the aim is to provide not just an exceptional product but also robust security controls and a stellar security culture throughout the company. Achieving ISO 27001 certification is a significant milestone and a testament to the hard work and dedication of the entire team.

Key takeaways from this experience

Security has been a core focus from the outset, fostering a remarkable security culture that continues to thrive. Implementing an ISMS in a startup requires a meticulous evaluation of every control from the standard, offering a deeper understanding of the rationale behind each control, which in turn enhances compliance awareness.

Starting from scratch allowed for a creative approach to research and discover best practices for implementing the controls. Consequently, the security controls in place are of high quality and highly relevant to the industry’s current landscape.