The People's Postcode Lottery received ISO 27001 certification last month. SC spoke to John Young, IT security manager at the charity scheme, about what it means for the organisation and the good causes players support.
Roi Perez: What does ISO 27001 certification mean for the People's Postcode Lottery? Why did you need it?
John Young: We're absolutely delighted with the news that we've received ISO Certification. People's Postcode Lottery has always taken security very seriously, and while using best-in-class industry equipment, it was our focus after implementing technical controls to somehow have these certified. As we abide by the Remote Technical Standards set by the Gambling Commission, a small subset of the ISO standard, we wished to exceed these requirements and attain the full certification.
RP: What steps did you take to become certified? What were some of the hurdles/problems, if any?
JY: Having undertaken PCI-DSS standards and implemented over 200 mandated controls from a technical perspective, mapping these to ISO 27001 allowed us to leverage some of the great work our technical team provide.
Our technical staff are driven to keep costs low, allowing even more money to be raised for charities; as a previous head of IT with the Scottish Wildlife Trust, ensuring maximum value for good causes is something very important to me. Along with a team of engineers, I was privileged to lead on these technical controls and deploy them over time. I also remained hands-on, often until late in the evening - 3am finishes were not uncommon! You have to love what you do, and being a part of an organisation like People's Postcode Lottery, seeing the amazing difference that our players make in the world is a real motivation. For me, achieving ISO 27001 was about validating the technical work we had already implemented and improving upon it. It was also a great opportunity for us to align people and processes in other areas of the business.
RP: What's the impact for PPL players?
JY: Our players take comfort in knowing that all of our systems were in scope and fully certified by PricewaterhouseCoopers. Many companies take several years to achieve this, with some being certified to a much smaller scope in the beginning. Our team was determined to ensure that all of our controls were audited to safeguard our players and we took great comfort in that.
RP: Whose responsibility was it to live up to the certification for PPL?
JY: As IT Security Manager and previously IT Operations Manager, it was always in my mind to have ourselves certified against standards when I joined more than four years ago. I had come from a mobile gaming company with its own version of an App Store and we were PCI certified there. It has always made sense to me to align with best practice standards.
RP: What measures does PPL take to protect data?
JY: There are hundreds of mandated and tested controls that we operate and monitor, always learning and adapting to new threats as they present themselves. When companies talk of a breach, an unfortunate but all too regular occurrence, protecting data is everyone's job. Awareness training for all our staff is something that we dedicate time to, crafting our courses to key learnings and any new potential threats.
RP: As a fundraiser, what does ISO certification mean for your organisation and the charities that your players support?
JY: Some of our direct beneficiaries are showing great interest in our ISO 27001 certification and may look to become certified themselves too. A good way to get into the 'data-security mindset' as a smaller organisation is to start with a Cyber Essentials certification (which PPL attained around the same time as ISO).
RP: Do you have plans to become certified under any other standards?
JY: Definitely. We are always looking into certification in other disciplines, but also to align to recognised international standards across the whole organisation. While we already have very vigorous processes in place, we may look to align other standards such as 22301 Business Continuity, 9001 Quality, 22000 Service Management, 37001 Anti Bribery, 26000 CSR and 31000 Risk.
RP: Why did you choose this certification above others?
JY: We had been working to the PCI control framework previously, as this aligned to our legal obligation, if not exceeded it, with the Gambling Commission. It was never a check box exercise for People's Postcode Lottery either – we're a business that signs up to continual improvement and to being the very best we can be.
RP: Did you consider any others? Why is this a superior standard?
JY: ISO 27001 certification provides a common language and, if we look around the industry today, it's the gold standard on information security. Many businesses either have it already or are trying to attain it, as many suppliers may not be able to accept the risk of doing business with companies that don't hold the certification. With GDPR around the corner, ensuring that business assets are protected and done in a considered way must be a priority for businesses globally.
Jo Bucci, managing director, and John Young, IT security manager at People's Postcode Lottery, are presented with ISO 27001 certification by Suzanne Keijl, statutory director, PwC.