How AAG IT retained ISO27001 certification

Why ISO27001 Matters to Us

At AAG IT Services, information security isn’t just another checkbox, it’s the backbone of our 24/7 Managed IT Support and Cyber Security Services. Our customers rely on us to protect their data around the clock, and we’ve seen how highly targeted MSPs have been in the past few years.

That’s why we invested in ISO/IEC 27001:2022, and have done for almost 10 years, and why I lead the charge every day to keep our guards up and our processes watertight.

The Audit: Three Days of Rigorous Scrutiny

I won’t sugar-coat it, three days under the microscope feels like walking a tightrope in Storm Floris we’ve just experienced. Our external auditor drilled into every corner of our management system:

1. Policies and Procedures
2. Asset Management
3. Supplier Onboarding
4. New User / Leaver Processes
5. Backup & Disaster-Recovery Plans
6. Training & Awareness
7. Risk Assessment & Management

Honk Channel:

Lucy, you were an absolute star, my last-minute requests for information were dealt with, with such professionalism.

One thing you can do today

As I said, there’s no hiding from the fact that the process is resource-consuming, the biggest challenge I’ve seen organisations hit is a lack of regular cyber security training for employees. Forget going for ISO accreditations, this is a must-have for anyone operating a business.

Therefore, if you only do one thing today, start cyber security training for your team. It’s not just about ticking a box; it’s about protecting your business every day. In 2024, human error contributed to 95% of data breaches. Well-trained staff are your first line of defence against cyber threats, reducing costly breaches, avoiding downtime, meeting client expectations, and building trust. You can look at it this way:

• Risk reduction → fewer incidents, less downtime
• Cost avoidance → breaches are expensive
• Client confidence → stronger reputation, more trust
• Compliance readiness → progress towards ISO27001
• Culture of security → lasting benefit, not just a project

The National Cyber Security Centre has a great “10 steps to Cyber Security” that you can follow.

What cyber security training can my business implement?

Every single business has this same weak point in their IT security, and that is their employees. Not through any malicious act, employees can allow hackers into business digital infrastructure if they fall victim to a phishing attack. This leads to data breaches, data loss, credential theft, compliance violations and hefty fines.

Studies show 56% of all targeted phishing attacks bypass legacy security filters, and although phishing is the most common form of successful attack, there’s a whole host of other considerations. From brute forcing passwords or poor security setups when working from home, right through to not enabling MFA, here’s the cyber security services we provide to help support your business:

Phishing Awareness & Simulation
We run realistic, bespoke phishing drills so your team learns to spot dodgy links and spoofed senders in the wild.

Password Hygiene & MFA Masterclass
From crafting uncrackable passphrases to rolling out multi-factor authentication, we’ll show your people how to lock down credentials.

Secure Remote Working
We’ll walk your team through safe VPN use, secure Wi-Fi setups, and handling sensitive data on the go. We’ll cover the dos and don’ts of hot-desking and coffee-shop hotspots so you don’t end up on someone’s “most-leaked passwords” list.

Data Handling & GDPR Essentials
We’ll dig into data-protection principles, secure file-sharing tools and breach-reporting protocols – all mapped to UK GDPR requirements, so you stay on the right side of the ICO.

Incident Response Table-Tops
We’ll facilitate hands-on, scenario-driven exercises where your leadership team practices spotting, containing and reporting security incidents in real time.

Penetration Testing
For the tech folk: we’ll run pen tests to identify vulnerabilities on a network that cyber criminals could exploit.