Kulpa enlists Digital Octopii to navigate ISO 27001 and BS 10008 certification in just 5 weeks

Simon Franc

CEO at Kulpa

Jorge Galrito

CTO at Kulpa

Learn more about how Digital Octopii helped tech start-up Kulpa certify for ISO 27001 and BS 10008 in just 5 weeks using their tried and tested framework.

Stage 1 & 2 audits passed

Certified in 5 weeks

587 risks identified and treated 

Complete documentation set for both standards condensed into 20 easy-to-maintain documents

About Kulpa and their innovative Kulpa Cloud app

Multinational tech startup, Kulpa (formerly Anatomap), are revolutionising the way police forces record injuries suffered as a result of violent crime with their new app Kulpa Cloud. The innovative application allows victims, witnesses, police, medical and legal professionals to quickly and accurately upload forensic evidence in one place which is then generated into compliant witness statements that can be used at interview stage and throughout the court process. 

Having run a successful forensic science company for over 10 years, CEO and Founder of Kulpa, Simon Franc, explains the challenges the defence, prosecution and other government agencies face in the forensic science space. "Often, obtaining evidence upfront, that is before the police hold interviews with suspects, is difficult.

There are many parties involved and it can be hard for police forces to coordinate that process and gather evidence quickly, especially when they need to attend to every call for evidence. The lack of information in the early stages results in fewer early guilty pleas and increased economic and social costs of injuries suffered from violent crime, which today amounts to £15.5 billion, a staggering third of the total cost of crime."

The cutting-edge Kulpa Cloud app aims to speed up the lifecycle of gathering forensic evidence by digitising the entire process to allow all parties involved to upload their own evidence, enabling the police to gain quicker retrieval of information and decrease the risk of lost information and duplication of tasks. 


The business objective: obtaining ISO 27001 and BS 10008 certification to meet clients' requirements

With the help of Digital Octopii, this digitally native business have implemented an Information Security Management System (ISMS) and have now achieved ISO 27001 and BS 10008 certification.  

The nature of collecting, storing and using sensitive data requires stringent processes, policies and procedures in place to ensure information security. ISO 27001 preserves the confidentiality, integrity and availability of information by applying a risk management process and is paramount for Kulpa. As the electronic information they gather is also used as legal evidence in court, the BS 10008 standard (evidential weight and legal admissibility of electronic information) is also applicable to the business.  

"When we were in the process of developing the app, we spoke to a number of police forces (our target market) who fed back that technology of this kind would need to certify with ISO 27001 and BS 10008. This was the key driver for us to achieve certification," explains Simon.

Simon added, "The police have been burnt by technology before. Since forces have not had a cohesive approach to the adoption of technology solutions at national level, including that of cloud services and connected apps, often they find themselves working with technology that is not fit for purpose, resulting in electronic information that has not held up in court. This is why we decided to certify with ISO 27001 and BS 10008 before even bringing any customers on board."

The challenge: Navigating the certification process

While Simon and Chief Technology Officer, Jorge Galrito, understood the risks to information security within their business, they knew achieving both ISO 27001 and BS 10008 certification at once was no mean feat, and was a full-time job in itself.

That's why they decided to hire an external consultant to help them assess the risks as well as ensure they had all the correct documentation in place for the audit carried out by the external UKAS-accredited body, British Standards Institute (BSI Assurance UK Ltd).

"Jorge and I purchased the ISO 27001 and BS 10008 standards and read them cover to cover. However, we found it difficult to know exactly what documentation was required. The implementation is essentially like a black box and unless you've done it before it's hard to navigate."

The solution: Bring Digital Octopii on board to achieve certification

Kulpa chose Digital Octopii to help them certify with ISO 27001 and BS 10008 for three main reasons. 

Deep understanding of the standards

"From the very first call we had with Digital Octopii, it was clear they had extensive knowledge of the standards. After having a two-day workshop with another consultant, where we left with limited knowledge of what an ISMS was and how it related to our business, we welcomed Digital Octopii's interactive approach and understood exactly what we needed to do to achieve certification," said Simon.

Willingness to work remotely

Where other consultants had insisted on needing to conduct work on the premises (despite Kulpa being a fully remote company), Digital Octopii had no issues with conducting the entire project online.

Digital Octopii’s website

The website had clear, well-written information on ISO 27001 and BS 10008 standards which gave Simon and Jorge the confidence they needed to move forwards with certifying.

"The penny dropped for my CTO and I on the very first call with Elisabeth when she explained the entire process and objectives. Her presentation was very clear and it gave us a good understanding of what we were trying to achieve by certifying."

Determining the objectives and scope

Kulpa, with the assistance of Elisabeth Belisle, Associate Consultant of BSI and Managing Director of Digital Octopii, started by outlining the objectives and scope of the implementation. Together they ensured everyone involved knew what they were trying to achieve in certifying. 

As part of this phase, they considered their business processes and created high level process maps to understand where the information they wanted to protect was held, in which systems and networks it resided, who was responsible for it and who had access to it.  

Assets and risks

Kulpa then went on to make an inventory of their information assets (e.g. hardware, software, databases, cloud services, supplier and partner relationships, personnel involved). At this stage, they decided to reduce the number of suppliers they had to increase security, including creating a policy to ensure every key supplier had ISO 27001 certification. 

Elisabeth then proposed an asset-threat-vulnerability approach to identify and score risks, using the inventory of assets as a starting point. For each category of assets, the threats to those assets (theft, human error, malware, etc.) and their vulnerabilities (e.g. lack of relevant employee security training) were considered and scored accordingly.

"We had been through a risk assessment with another consultant in the past. We were asked what risks we had in our business and naturally, we thought we had considered them all (12 in total). However, we soon found this was not the case when we went through the same process with Elisabeth. She had created a spreadsheet that outlined pretty much all the possible risks a business could ever have and asked us which risks were applicable to our business. Using this framework allowed us to consider risks we had not thought about ourselves and as a result we identified 587 risks. While it took us significantly longer to evaluate the risks, going into this much granular detail made us feel confident we had covered all potential risks and therefore would successfully pass the stage 1 audit."

Once risks had been identified, a risk treatment was decided, whereby Kulpa changed the likelihood of a risk occurring and/or changed the severity of the consequences if it were to occur. In both cases, this was done through a 'control'. ISO 27001 proposes a list of 114 controls, each of which must be considered and its inclusion or exclusion justified. This list helped the business form their Statement of Applicability.

The structure of the ISMS - policies and procedures

Once these exercises had been completed, Simon and Jorge had a very clear understanding of what an information security management system was, what ISO 27001 and BS 10008 were all about and how those standards applied to their business in a practical and pragmatic way. At that point they were ready to assemble their documentation, that being their written policies and procedures describing how they would operate their ISMS.

Kulpa were very clear they didn’t want to create a mountain of documentation and were keen for the ISMS to be documented in as few documents as possible and integrate with their existing Azure DevOps tenancy. With the help of Elisabeth, Simon and Jorge produced a compact, interrelated documentation set of only 20 documents to cover both standards within the Azure DevOps git wiki and using their existing board to manage their ISMS. 

At the same time, they implemented their technical risk mitigating solutions. 

"Based on the risks Elisabeth helped us to identify we decided to drop a number of individual technical solutions and use Microsoft services which covered a range of solutions we needed. This was really valuable as it allowed us to increase compliance and reduce overall complexity in our business."

An example of where Kulpa implemented a new technical solution was around their Bring Your Own Device (BYOD) policy. Whilst it is advantageous for employees to use personal devices to carry out work in some ways, this policy also presented risks to information security, mainly around malware and loss of devices. After recognising just how many associated risks there were in relation to BYOD thanks to Elisabeth’s risk framework, Simon and Jorge decided to implement Microsoft Intune which allows them to delete data from the device should it be wiped or a gross misconduct incident take place, for example. This solution has decreased the associated risk level from amber to green. 
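The asset-threat-vulnerability scoring described above, the treatment of a risk by applying a control that lowers likelihood and/or impact, the Statement of Applicability built from that treatment, and the BYOD rating moving from amber to green can all be expressed as a small risk register. The following is an added example written for this page; it is not Kulpa's register, Digital Octopii's spreadsheet, or any tooling from either company. The 1-5 scales, the traffic-light thresholds, the control identifiers (CTRL-MDM and the others) and every register entry are constructed for illustration.

```python
"""Asset-threat-vulnerability risk register (added example; all scales,
thresholds, control ids and entries are constructed assumptions)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 5-point scales for likelihood and impact


@dataclass(frozen=True)
class Risk:
    asset: str                    # asset category from the inventory
    threat: str                   # e.g. theft, human error, malware
    vulnerability: str            # weakness the threat exploits
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control: Optional[str] = None  # control id applied as treatment, if any

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"score {value} outside {SCALE_MIN}..{SCALE_MAX}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Map a likelihood x impact score to a traffic-light band (assumed thresholds)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def treat(risk: Risk, control: str, likelihood_delta: int = 0, impact_delta: int = 0) -> Risk:
    """Apply a control that reduces likelihood and/or impact, never below the scale minimum."""
    if likelihood_delta < 0 or impact_delta < 0:
        raise ValueError("a control can only reduce likelihood or impact")
    return replace(
        risk,
        likelihood=max(SCALE_MIN, risk.likelihood - likelihood_delta),
        impact=max(SCALE_MIN, risk.impact - impact_delta),
        control=control,
    )


def statement_of_applicability(register: List[Risk], catalogue: List[str]) -> Dict[str, dict]:
    """For every control in the catalogue, record whether it is applied and which
    risks justify it. Unused controls are recorded as excluded so that the
    exclusion is visible and still has to be justified by a person."""
    soa: Dict[str, dict] = {}
    for control in catalogue:
        justified_by = [f"{r.asset}/{r.threat}" for r in register if r.control == control]
        soa[control] = {
            "applicable": bool(justified_by),
            "justification": justified_by or ["EXCLUDED: no identified risk requires this control"],
        }
    return soa


def summary(register: List[Risk]) -> Dict[str, int]:
    """Count residual risks per rating band."""
    counts = {"red": 0, "amber": 0, "green": 0}
    for r in register:
        counts[rating(r.score)] += 1
    return counts


# Constructed sample data: a four-control catalogue and three untreated risks.
CATALOGUE = ["CTRL-MDM", "CTRL-AWARENESS", "CTRL-SUPPLIER-CERT", "CTRL-PHYSICAL-ENTRY"]

BYOD_LAPTOP = Risk("BYOD laptop", "loss or theft", "data remains on lost device",
                   likelihood=4, impact=3)
STAFF = Risk("personnel", "phishing", "no security awareness training",
             likelihood=4, impact=4)
SUPPLIER = Risk("cloud supplier", "supplier breach", "no assurance of supplier controls",
                likelihood=2, impact=5)

# Treatments: remote wipe via an MDM control limits the impact of a lost device;
# training lowers the likelihood of successful phishing; requiring certified
# suppliers lowers the likelihood of an unmanaged supplier breach.
TREATED_REGISTER = [
    treat(BYOD_LAPTOP, "CTRL-MDM", impact_delta=2),
    treat(STAFF, "CTRL-AWARENESS", likelihood_delta=2),
    treat(SUPPLIER, "CTRL-SUPPLIER-CERT", likelihood_delta=1),
]

if __name__ == "__main__":
    for before, after in zip([BYOD_LAPTOP, STAFF, SUPPLIER], TREATED_REGISTER):
        print(f"{before.asset:15} {rating(before.score):6} -> {rating(after.score):6} via {after.control}")
    print(summary(TREATED_REGISTER))
    for ctrl, entry in statement_of_applicability(TREATED_REGISTER, CATALOGUE).items():
        print(ctrl, entry)
```

Running the block shows the constructed BYOD risk scoring 12 (amber) before treatment and 4 (green) after the remote-wipe control cuts its impact, mirroring the amber-to-green change described above, and lists CTRL-PHYSICAL-ENTRY as excluded because no risk in the register calls for it. The exclusion entry is deliberate: a Statement of Applicability has to justify what is left out as well as what is applied, so the register makes unused controls explicit rather than silently dropping them.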

The results: Stage 1 & 2 audits passed for both ISO 27001 and BS 10008

The collaboration between Kulpa and Digital Octopii resulted in the business achieving stage 1 certification in just 5 weeks with only 1 minor nonconformity, which was actioned in 24 hours.

"The speed at which we were able to achieve our stage 1 audit was undeniably impressive. Digital Octopii's availability played a huge part in this. Implementing these standards is very much a step-by-step process and Elisabeth was always on hand to review our work and move us onto the next step quickly and efficiently," said Simon.

With their documentation now in place, Kulpa complies with ISO 27001 and BS 10008. They have also taken the necessary steps to operate their ISMS by implementing the audit plan, with the help of Digital Octopii, to manage the risks and issues arising. 

"Regular internal audits, measurements (e.g. key performance indicators) and monitoring are always required to verify if the policies and procedures are indeed managing risks, if people are following them and if technology solutions are working. We have helped Kulpa navigate this phase in preparation for their stage 2 audit, which they have now passed with flying colours. They now have peace of mind that all risks to their information are considered and being managed successfully," said Elisabeth.

No matter what phase your ISO 27001 ISMS or BS 10008 project is in, we can support you.

As Associate Consultants of the British Standards Institute, we are recognised experts in this field. We will help you become compliant with one of the above standards, whether you want to obtain certification by BSI or another UKAS-accredited body, or whether you just want to improve your current practices.


Not sure which standard is best for you or where to start?