Grant Thornton Baltic attains ISO 27001:2022 certificate for Information Security Management System

In November 2023, Grant Thornton Baltic was certified to ISO 27001:2022 by Bureau Veritas, confirming that we identify, assess and manage security risks relating to information systems on an ongoing basis and in accordance with the requirements of the standard.

As explained by Mati Nõmmiste, Managing Partner at Grant Thornton Baltic: “We are among the first companies in Estonia to be audited on the basis of the new version of the ISO 27001:2022 certificate for information security – the majority of companies have been certified with previous versions dating back to 2013 or 2017.” He pointed out that having the ISO 27001:2022 certificate is important in terms of the provision of auditing, accounting, tax and legal advice, financial advice and support services, since for many clients such certification has become a prerequisite for any cooperation. “Our information security activities were audited by Bureau Veritas for all those services in our Tallinn and Tartu offices, and we are pleased to note that there were no non-compliances,” said Mati Nõmmiste.

The process of applying for the ISO 27001:2022 certificate started in the summer of 2022 with a review and reassessment of the existing information security management system. As explained by Gaily Kuusik, Head of Business Process Solutions and initiator of the project, the Grant Thornton network has its own Information Security Framework (ISF), which must be complied with by all member companies of Grant Thornton. “We were operating primarily on the basis of the requirements of the Grant Thornton network, which are similar to those of the ISO standard in many aspects. However, there was a particular need for the ISO 27001 certificate in response to our clients’ expectations for data protection and information security processes to be certified and verified to the fullest extent. We chose the ISO 27001 information security management system as it is most widely known and recognised in Estonia and worldwide,” said Kuusik, in outlining the background to the decision. Moreover, ISO 27001 will provide independent assurance that the company’s internal risk management processes with regard to information management and information security are up to date and appropriate in identifying and minimising risks, she added.

The ISO 27001 certification project was fully launched in early 2023, when focus was placed on validating existing processes against the ISO standard. “We carried out the internal audit in the summer, and Bureau Veritas audited us in September and October. In November, we received the certificate verifying that our information security is up to date, transparent and of high quality,” said Kuusik.

Artti Aston, member of the working group, added that documenting and describing IT in conformity with the ISO certificate contributed to the assessment and management of the structure and design of the IT systems. “This will help us to methodically manage developments and modifications in compliance with the requirements of information security,” he affirmed.

Belinda Borodin, Head of Information Security at Grant Thornton Baltic, said that she was delighted to be involved in the project. “On the one hand, it was exciting to describe and review the processes, while on the other hand, I was happy that the auditors found our in-house information security to be in good order, and the certificate was confirmation of a job well done,” she said. “However, the job is far from complete, because, as also stipulated by the ISO standard, we will have to consistently keep developing our processes and improving security.”

The project of implementing ISO 27001:2022 in Grant Thornton Baltic was carried out by Terje Liiv (project manager), Gaily Kuusik (member of the working group and initiator of the project), Belinda Borodin and Artti Aston (members of the working group).