Introduction
9 Story Media Group, along with its animation studio Brown Bag Films, operates with facilities in Toronto, New York, Dublin and Bali. With over 1,000+ creative and corporate staff worldwide, clients include Disney, Netflix, Amazon Studios, Apple TV+, Nickelodeon, BBC and many more. 9 Story Media Group and Brown Bag Films boast a combined tally of two Oscar nominations, nineteen Emmy wins, ten BAFTA nominations, as well as numerous other accolades for their content production and distribution.
Opportunity
9 Story Media Group and Brown Bag Films embarked on the ISO 27001 certification journey to address various security challenges and capitalise on key business and operational opportunities. An initial security assessment had unveiled vulnerabilities that needed immediate attention, compelling the company to prioritise security enhancements. As the company expanded rapidly, the need for standardised security practices became evident.
ISO certification was the answer to client demands for assurance regarding data security and privacy practices. ISO 27001’s global recognition drove the company’s desire to operate more efficiently for its international clients and partners. ISO 27001 also offered a structured approach to regulatory compliance, critical in light of evolving data protection regulations. Ultimately, gaining and maintaining ISO certification would effectively mitigate risks for a company with diverse operations, setting a security framework, competitiveness and global recognition.
Approach
The path to ISO certification was marked by strategic planning and collaboration. Prior to commencing the certification process, the company conducted a comprehensive security assessment in order to help uncover areas for improvement that required prompt attention.
Work on implementing an Information Security Management System (ISMS) initiated following the appointment of a consultant, Brian Honan from BH Consulting, to support them in the preparation and implementation of their ISMS in Dublin, to begin with. The company’s preparations included aligning the ISMS with ISO 27001 requirements, encompassing the documentation of policies, procedures, risk assessments and the implementation of security controls.
Upon completing the necessary preparations, 9 Story Media Group engaged with Amtivo, formerly Certification Europe, following a recommendation from Brian Honan, having heard about their expertise and professional approach to certification services. The company was pleased with the communication and level of interaction and support from Amtivo to schedule their assessments to suit their timelines and underwent a Stage 1 Assessment to assess its readiness for certification in March 2017. Feedback and recommendations were provided during this stage via an Assessment Report from the assigned expert Lead Assessor.
Subsequently, a thorough Stage 2 Assessment was conducted, during which the ISMS was comprehensively reviewed for compliance with ISO 27001 standard. Any findings were addressed and corrective actions were implemented via another Assessment Report. The successful completion of the Stage 2 Assessment led to the award of ISO 27001 certification by Amtivo. The entire certification process took approximately eleven months from initial engagement with Amtivo to certification, to fit with the timelines required by the team at 9 Story Media Group.
Post-certification, the company remains committed to sustaining and enhancing its ISMS through continuous monitoring, internal audits and a dedication to ongoing improvement to ensure enduring compliance with ISO 27001 standards through their certification cycle and Surveillance Assessments with Amtivo. 9 Story Media Group also expanded the scope of their ISO 27001 certification with Amtivo to cover their offices and operations in both New York and Toronto in mid-2023.
Outcome
The ISO certification process triggered initial changes which were met with some internal adaptation challenges within the organisation. However, these changes ultimately led to improved operational efficiency, with employees beginning to embrace them and resulting in smoother operations. The controls implemented as part of ISO certification played a pivotal role in preventing near misses from escalating into major incidents, thereby enhancing the organisation’s overall security posture.
One of the most prominent benefits was the streamlined client onboarding process. ISO certification provided a competitive edge, signifying a commitment to information security and international standards compliance, which resonated positively with clients, partners and stakeholders.
The certification process encouraged a proactive risk management approach, leading to the identification and mitigation of potential vulnerabilities and threats, effectively safeguarding data and information assets. Clients and stakeholders developed increased trust and confidence in the organisation’s information security practices, reducing the need for extensive questionnaires and audits to secure contracts, the simple “stamp of approval” that ISO 27001 certification brings with it was more than enough. ISO certification made the organisation eligible for business opportunities with larger clients, particularly those with stringent security requirements, thereby expanding their clients and reach.
