Crownpeak Centralise and Enhance Information Security Post-Acquisition

“Bridewell have significantly increased the importance we place on cyber security at the board level. They’ve made it easy to understand why it matters, even for non-technical audiences, and this insight has changed attitudes at all levels of the business. The ISMS training programme they’ve developed has pushed us towards that proactive security culture we were looking for.”
Dan Edwards, Director of IT & Security, Crownpeak

Crownpeak is a cloud-first Digital Experience Management (DXM) platform designed to help global enterprises deliver consistent, high-quality digital experiences across web, mobile, and other digital channels.

In 2023, they acquired two other organisations that were already ISO 27001:2013 certified. To implement a consistent control framework across the organisation, they were looking for a partner to help them merge all entities under one centrally managed Information Security Management System (ISMS) aligned with the requirements of ISO 27001:2022.

The Challenge 

A principal challenge for Crownpeak was that different security controls and processes were in place across the organisation depending on which entity had implemented them. For example, training and awareness, change management, and incident response were approached differently to reflect the risk appetites of the individual entities. This inconsistency made it difficult for Crownpeak to achieve a proactive information security culture and promote a uniform approach to information security across the entire company.

“Engaging our employees within a proactive security culture was important to us, but it was a challenge given the different controls and processes in place between ourselves and the acquired organisations. We determined that creating a consistent approach across all the organisations would make it easier for our employees to play a role in the security of the business.”

- Michele Page, Compliance Director, Crownpeak 

There were also differences in the mindset and approach to information security across the entities, and Crownpeak lacked complete visibility as to what legal and regulatory requirements they were expected to comply with across all their jurisdictions. The management of information security risk was also inconsistent, with different methodologies followed and no centralised risk register in place which could provide senior management with the necessary information to evaluate the risk posture of the organisation. 

By achieving ISO 27001 certification, Crownpeak would be able to demonstrate to all their interested parties their commitment to information security and align with a best practice framework of security controls. With Crownpeak staff working across the United States and Europe, putting in place a centralised security control framework was a key factor in deciding to work towards ISO 27001 certification.  

The Solution 

Crownpeak chose to partner with Bridewell as we had previously supported one of the entities purchased by Crownpeak (Attraqt) in achieving ISO 27001 certification. We also maintain a 100% success rate in helping organisations achieve ISO 27001 certification and had previous experience with Crownpeak, having delivered data privacy support services. 

Establishing Ways of Working, Gap Analysis 

We began the engagement by explaining the implementation methodology to Crownpeak’s key stakeholders and agreeing timelines, project assumptions, risks and dependencies. We also used these conversations to clearly understand what was expected from all those involved in the project. 

We then ran an ISO 27001 gap analysis to identify all key stakeholders within the organisation, understand the maturity of information security controls within the organisation and what gaps existed in terms of compliance with ISO 27001 requirements, and build out an implementation roadmap based upon the results of the gap analysis.  

From here, we developed various mechanisms to plan and monitor project activities including weekly project review meetings and the development of activity trackers. We also developed a detailed suite of information security policies and procedures, tailored to reflect the specific requirements of Crownpeak. 

Security Training, Governance Groups 

This was followed by creating and operationalising a new ISMS training programme and co-ordinating a secure development training session for all Crownpeak staff involved in development activities. We also coordinated and led the annual physical and environmental security review of all in-scope locations (including London, Newcastle, Paris, Amsterdam and Sofia).

At the board level, we supported the design, implementation and chairing of various new security governance groups, including a new Change Advisory Board (CAB) and the Information Security Leadership Board (ISLB). We also defined, assigned and communicated information security roles, responsibilities and authorities to all staff.


Throughout the engagement, we made a conscious effort not only to implement all the required controls but also to take the time to educate Crownpeak stakeholders on what we were doing, how we were doing it, and why we were doing it. Special accommodations were regularly made to ensure that meetings and workshops could be run with staff members based in the US.

Audit Programme, Measuring and Monitoring 

During the project, we developed a new internal audit programme for Crownpeak and acted as a lead auditor for their first ISO 27001 internal audit. As part of this, we coordinated the creation of a new ISMS monitoring and measuring process which included the development of strategic information security objectives signed off by senior management which were monitored on a continuous basis using a set of KPIs and KRIs. 

Furthermore, we developed an organisation-wide information security risk management programme, which included a new centrally managed risk register and monthly risk meetings to monitor identified risks and the effectiveness of all risk treatment plans. To make all ISMS policies and procedures available as documented information for all staff and make it easier to circulate documentation, we then designed and maintained a new Security & Trust Centre.

Additional Services 

Throughout the engagement, we brought in additional Bridewell service lines to provide data privacy consultancy, vCISO support, and penetration testing as needed. We also provided regular recommendations in relation to new technologies and tools that could be adopted to support control implementation.  

The Results 

Following the project, Crownpeak became ISO 27001 certified with no non-conformities raised by the auditor. More broadly, they benefitted from an improved information security culture across the organisation as well as better oversight and visibility of information security performance. 

Additionally, there is now a well-established information security risk management framework in place and new incident response and business continuity plans that have been successfully tested to evaluate their effectiveness. Information security requirements and considerations have been embedded across a number of key business processes including software development, vendor management, change management and human resources.  

“We now have a lot more confidence in our risk management and incident response and continuity plans. Not only have Bridewell helped us mature these areas, but they’ve also clearly explained what they’ve changed and why. The communication has been clear throughout the project and our stakeholders have always had a say, so we’ve always felt like their team is working alongside us rather than forcing change onto us.”

- Michele Page, Compliance Director, Crownpeak 
