A Q&A with Ramakrishna Prasad, Director, Paragon Digital Services Media Security Team
Achieving any kind of ISO certification isn’t an easy process. It requires painstaking planning, meticulous documentation, and continuous training. At Paragon Digital Services, every employee, regardless of role, is trained in information security and data privacy, making these principles part of our DNA. To understand why Paragon prioritizes extensive training and what it means for new hires and daily operations, I spoke with Ramakrishna Prasad, [title]. In this interview, he delves into Paragon’s impressive achievements in obtaining ISO certifications and the lengths we go to ensure every team member is fully equipped to uphold these standards.
DT: First, let’s get a lay of the land. What ISO certifications has Paragon Digital Services achieved?
RP: We have achieved ISO 9001:2015 and ISO 27701. At a high level, ISO 9001 ensures that we have a quality management system (QMS) in place to meet our client’s unique campaign delivery requirements and expectations, while ISO 27701 ensures that we are able to keep all campaign and PII data secure, and that we comply with all consumer data privacy and protection laws.
DT: What does the ISO 9001 certification cover?
RP: ISO 9001 lays out some specific requirements with regards to digital advertising operations. For instance, it requires us to define and document our processes for campaign planning, execution, monitoring, and optimization. Additionally, we need to design and implement quality control measures to ensure campaign accuracy, as well as compliance with our client’s unique specifications.
What’s more, we need to establish KPIs and metrics to monitor both campaign performance and client satisfaction. Finally, we need a process for achieving continuous improvement, based on feedback and data analytics.
DT: ISO 9001 certification isn’t a requirement for outsourcing firms like Paragon, so why did we go through the process?
RP: The driving force behind ISO 9001 is to ensure that we’ve done everything we can to help our clients succeed with their campaigns so that they can grow their business. In other words, it tells our clients that we are organized in such a way that we can do the things we say we will do, and that we can do them extremely well.
Training plays a critical role in this promise, and in many ways, it’s the crux of our certification. We don’t simply train the operations team; everyone is trained, including support functions like IT and HR.
DT: What is the training process like? Is it one-and-done or something more involved?
RP: It’s definitely not one-and-done. Of course, all new hires receive extensive training in QMS. On top of that, all employees receive refresher training on a quarterly basis so that QMS is top of mind for all employees. This training encompasses all aspects of QMS: what it is, how we document things, a review of all internal processes, change management, improvements we’ve made since the last training, and so on. It’s very comprehensive.
But keep in mind, that’s not all we do; we also conduct an internal audit and a management review meeting. The training, audit, and management review are essential for ISO certifications, irrespective of the number, because ISO certifications require the organization to define a process for continual improvement.
DT: What is involved in ISO 9001 certification?
RP: The first step is to do a feasibility study to ensure we can meet the standard’s requirements set by the global ISO governing body.
The feasibility study is to identify any gaps to ensure we are aligned with the ISO 9000 requirements. If there are any gaps, we must tailor our Quality Management System (QMS) accordingly. The QMS includes processes, procedures, guidelines, and requirements tailored to our digital advertising industry to meet the standard requirements, as well as the client’s unique requirements. And of course, the training we just talked about is a critical component to ensure compliance and effectiveness.
DT: What is the ISO 27001 certification?
RP: This certification lays out the requirements for setting up, running, maintaining, and constantly improving an information security management system (ISMS). This work must be done in the context of the business itself, which in Paragon’s case is digital advertising operations. As such, ISO 27001 means we need to ensure that robust security measures are in place to protect sensitive information and data assets.
DT: What does that mean exactly?
RP: Well, it defines what data is protected, and how that protected data is handled. If a Paragon team member needs to access that data for any reason, they must follow a defined process with applicable controls in place.
Some of those requirements are legal. For instance, GDPR requires organizations to implement robust technical and organizational measures to protect personal data against unauthorized access, loss, or disclosure.
DT: And employee training is equally important to ISO 27001 as it is to ISO 9001?
RP: Absolutely. All new employees—whether they’re in operations or a support function like IT or HR—are required to go through exhaustive training on information security and data privacy. The entire company has mandatory training on information security, which must be completed once a quarter. Additionally, all employees receive an InfoSec pledge via email, which they must read and accept. This pledge outlines all the do’s and don’ts of information security, detailing what an employee is expected to do and avoid, according to the internally defined standards.
We buttress that InfoSec pledge with something we call our Daily Flyer, which is an email containing a reminder of a security best practice. Every day we highlight a different best practice, just to remind all employees that information security and data privacy are their responsibility.
DT: New scams and security threats arise daily. How do you inform teams of new threats?
RP: We have a WhatsApp group of all key stakeholders which we use to raise any new scams that have emerged and to keep our teams updated on changes in local regulations. They can then share this information with their teams to ensure everyone remains vigilant.
We also have Security Town Halls, which are company-wide events to review real-life cases of fraud or security breaches that may have occurred. For example, if one of our employees has fallen victim to a social engineering scam—say downloading a job description that installed malware on their computer—we review it with the entire company so that everyone understands how to identify and avoid those scams.
Fortunately, our training has been successful in making our employees aware of these risks and they rarely fall victim.
DT: Do other industries have daily emails and WhatsApp groups to cover information security and data privacy?
RP: Generally, no. It is Paragon’s belief that digital advertising is more vulnerable than many other industries. We see more attacks aimed at our industry, whether that’s malvertising, malware, phishing, social engineering attacks, and so on. And these attacks occur in every channel, including the web, mobile, social media, you name it.
For this reason, we go the extra mile, earning 27001 certification, taking all employees through extensive training, hosting Security Town Halls, sending Daily Flyers, and organizing the WhatsApp group.
DT: I can see why it’s important to do all those things, but how can our industry be more vulnerable than banking or e-commerce? They face threats all the time.
RP: They do, but they also have very robust security procedures in place, similar to what we at Paragon have put in place. But keep in mind, we are unique in the industry. There aren’t a lot of outsourcing companies—I can’t think of any, actually—that have achieved and maintained these ISO certifications or who have established a training regime similar to ours. So while Paragon is secure, we can’t say the entire industry is equally fortified.
DT: So our certifications are a competitive advantage?
RP: They are indeed. Going further, because we have an infrastructure in place for ensuring compliance and continual improvement, we are in a position to meet the information security and data privacy requirements that may be unique to other industries. Take healthcare, which is governed by HIPAA. At present, we don’t have any healthcare clients, but if such a company were to come to us, we have the necessary pieces in place to train our employees to comply with HIPAA, and to protect healthcare data.
DT: Tell us about Paragon’s internal auditors.
RP: These are employees who serve as references for other employees. They can answer detailed questions about our QMS and InfoSec processes, as well as spot-check to ensure every team member is following the correct procedures. I personally train those internal auditors to ensure they are well-versed in the certifications, requirements, and processes we’ve defined.
DT: Sounds like you have covered all of the bases.
RP: That is certainly Paragon’s goal. But keep in mind that we are on a journey of continuous improvement, so if someone has a great suggestion, we’ll implement it.