A subsidiary of Meridian Energy, Flux Federation has been in business for just over two years, providing a software platform that makes it easier for energy retail businesses to operate and innovate. Based in Wellington and originally developed from Powershop, they currently serve nine energy retailers in three different markets globally.
Operating in a very competitive global marketplace, Flux was looking for independent proof to support their robust security practices.
Early in the process, two key challenges were identified. While Flux has always had good security practices, several external audits had identified a lack of documented process. Without a formal process it was harder for Flux to show their clients and customers that they were following a methodical, risk-based approach to securing their platform. This was an opportunity to back up the good work they were already doing with documented processes.
Along with the opportunity to document their approach to information security, Flux, as a service provider looking to expand into international markets, needed a globally recognised certification to support their growth. There is an internationally recognised information security standard for exactly this purpose: ISO/IEC 27001:2013, which defines a standardised set of requirements for operating an Information Security Management System (ISMS). Flux recognised that achieving ISO 27001 on their own was going to be a challenge, and Axenic were approached to help them through the process and ultimately to achieve certification.
"We needed to document and prove to our clients how good the state of our security practices is." – Ben Amor, Technology Lead, Flux Federation
"We were thrilled to have been able to help Flux with their certification because, like them, we believe it provides the right level of assurance for their existing and future clients, especially during a time when data privacy is so topical." – Hussein Elrakhawy, Senior Consultant, Axenic
The starting point was defining a formal, repeatable and consistent approach to information security management. Flux needed a pragmatic, risk-based approach that also secured management involvement, insight and endorsement of the practices.
Building on Flux's established processes, ISO 27001 certification was identified as a strong proof point that their information security practices met the international standard. As a globally recognised, risk-based certification, ISO 27001 is a high-level approach with enough flexibility to address the specific information security management challenges an organisation like Flux faces.
On their journey to ISO 27001 certification, Axenic helped the Flux team review and develop the documentation required to meet the standard's mandatory requirements, and to deliver several security initiatives. A key step in this process was Axenic establishing a security committee.
Alongside this, Axenic worked with Flux to write and gain approval for an information security policy that set the documentation standard for their information security processes. This was combined with a full risk assessment, the development of an internal security awareness programme, and an internal audit with actions taken on its findings.
In this case, the key result was achieving ISO 27001 certification. The time needed to reach certification depends heavily on the state of existing practices and the organisation's commitment to the process; one to two years is not uncommon. In Flux's case, the high degree of commitment and the procedures already in place meant they were able to achieve certification in around 12 months. They can now present this certification as proof of their processes, and it gives Flux a framework that helps them to:
- Protect both client and employee information
- Manage risk and keep exposure to a minimum
- Meet contractual and regulatory obligations, e.g. GDPR and the Payment Card Industry Data Security Standard (PCI DSS)
- Continue to build a culture of security within the organisation
- Protect brand image, both for Flux and their clients
Ultimately, being able to show existing and potential customers, through ISO 27001 certification, that Flux takes a methodical, risk-based approach to securing their platform gives the team the confidence to pursue new business knowing that they have a mature information security management system behind them.
"Working with Axenic helped turn the huge daunting task of achieving ISO 27001 accreditation into something quite achievable." – Ben Amor, Technology Lead, Flux Federation