Aires is a global relocation company that uses advanced technology to deliver the highest quality service to its customers. Like many modern enterprises, Aires has embraced digital transformation initiatives, such as agile software development, to drive business growth. Aires values trust and building relationships as an additional business driver.
Aires is building a strategic compliance program that avoids tactical audits and transactional auditors in favor of a sustained relationship with A-LIGN that delivers continuous value over time. Having already established certification with ISO 27001, Aires has turned its attention to two relatively new frameworks, ISO 27701 and CMMC, to drive its next wave of business growth. A-LIGN is streamlining the audit process for Aires.
From ISO 27001 to ISO 27701 and CMMC
As a global relocation provider, Aires is interested in growing its presence with government prime contractors. Aires' Information Privacy Officer, Pete McShea, a retired military officer with experience working in the Pentagon, knows that compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) is the best way to compete in this market.
McShea was preparing to demonstrate NIST SP 800-171 compliance (the framework DFARS 252.204-7012 points to, which has no formal certification scheme of its own) when the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)) introduced the Cybersecurity Maturity Model Certification (CMMC). Aires was already well on the way toward meeting the CMMC Level 3 requirements because of its ISO 27001 certification. Its remaining gap was a privacy certification, ISO 27701, which had already become a focus for Aires because so much of its multinational business is subject to GDPR.
“We transfer people to, from, and within Europe – and all over the world – so data privacy is a huge deal. ISO 27701 seemed like it would be an important certification to obtain,” said McShea.
Whereas ISO 27001 is a well-established framework for an information security management system (ISMS), ISO 27701 (published in 2019) is a recently introduced extension to ISO 27001 and ISO 27002 for a privacy information management system (PIMS), adding requirements and controls for organizations that act as PII controllers or PII processors.
When McShea first joined Aires, one of his first projects was to help the company achieve ISO 27001 certification. That effort taught Aires how an ISO audit works, so it knew what to expect from its ISO 27701 audit. Meanwhile, Aires' business continuity plan prepared it for a global pandemic: almost overnight, Aires transitioned from hundreds of employees working in offices around the world to 100% work-from-home, all while it prepared for its upcoming audit.
"The real value of working with A-LIGN is that we're building a relationship … it is an iterative process to improve our business with each audit."
Pete McShea, Information Privacy Officer, Aires
Strategic Compliance and Remote Audits
Aires is adopting a strategic approach to compliance by consolidating its audits with A-LIGN. When McShea started to examine the value of CMMC, he knew he could turn to A-LIGN because they had built a trusted relationship. Together, they analyzed the benefits of a CMMC certification and how ISO 27701 could bring Aires closer to its goals.
McShea appreciates the relationship he has with A-LIGN. “A lot of companies start the audit like it’s a final exam,” he said. “But Aires doesn’t, and A-LIGN doesn’t. Of course they test the controls, they look at the evidence, they hold us to all the standards, but the real value is that A-LIGN is going to find some processes we can improve or make some suggestions that would be better.”
For McShea, the remote audit was a new experience, but one that went smoothly, because A-LIGN has been conducting remote audits for more than a decade. Its practices include a well-defined audit plan, constant communication, and the use of its own audit-management platform, A-SCEND, for scheduling, evidence collection, and tracking findings.
Instant Credibility and Long-Term Success
In April 2020, Aires was proud to announce that it had become one of the first companies in the world to achieve ISO 27701 certification. For McShea, the instant credibility is key.
"When we do business with multinational corporations in Europe, Aires must establish credibility about our privacy. We could say 'We've been in business for a long time,' or 'We have the education and background,' but when we say, 'We have an ISO 27701 certification,' they say 'We get it. You've been audited to an international standard, so you know what we're talking about here.' It is proof that we understand the subject," said McShea.
Beyond the instant credibility, McShea also appreciates how A-LIGN has positioned Aires for long-term success. “Another thing I like about A-LIGN is that they keep coming back with more ideas for improvement. Every audit, we find some things that could be better, we implement those enhancements, and we keep making progress. It’s a good relationship for Aires.”
Copyright © 2020. All rights reserved.