From Hesitation to Certification: OBI Services’ ISO 27001 Success with MaxiCert
Introduction
OBI Services is a Philippines-based outsourcing and IT-enabled service provider offering customer support, back-office solutions, and IT services to global clients. Handling sensitive data such as Personally Identifiable Information (PII), financial records, and confidential business information, the company recognized that a robust information security management system was essential to maintain client trust and comply with international regulations like GDPR.
While OBI Services had basic IT controls—firewalls, antivirus tools, and password policies—they understood that ad hoc measures were insufficient. Clients increasingly demanded contractual guarantees on data protection, making ISO 27001 certification not only a requirement but a competitive advantage.
Challenges
OBI Services faced several hurdles before embarking on their ISO 27001 journey:
- Trust Concerns – Management hesitated to engage a consultant outside the Philippines.
- Skepticism About Results – They wanted assurance that certification could be achieved within budget and timeline.
- Lack of Internal Expertise – The organization had no prior experience implementing ISO 27001 and required a structured roadmap.
MaxiCert needed to demonstrate credibility, build trust, and provide a clear, actionable plan to address these challenges.
Building Trust
To overcome initial hesitation, MaxiCert implemented a transparent approach:
- Client References – Shared past ISO 27001 project successes to demonstrate capability.
- Payment Flexibility – Offered OBI Services a model where payment would be made after receiving the certification soft copy.
- Detailed Consultation – Conducted management-level meetings and multiple follow-ups to clarify the certification process, benefits, and risks of inaction.
This approach reassured OBI Services, paving the way for a collaborative partnership.
Implementation Journey
Awareness & Planning
The engagement began with an introductory session for management covering:
- ISO 27001 principles and benefits
- Certification requirements and stages
- Key implementation milestones
A detailed Gantt chart outlined each step, from documentation preparation to external audit.
Step 1 – Leadership & CISO Appointment
- Appointed Ms. Kristine Orevillo as Chief Information Security Officer (CISO).
- Conducted awareness training to ensure she understood responsibilities and the ISMS framework.
Step 2 – Documentation Framework
- Provided templates and guided preparation of Master List of Documents and Document Control Procedure.
- Defined the ISMS Scope Statement to establish clear boundaries for implementation.
Step 3 – Context & Policy Development
- Performed Context of the Organization (COTO) analysis and SWOT assessment.
- Drafted and approved the ISMS Policy, aligning with organizational objectives and regulatory requirements.
Step 4 – Governance Matrices
- Developed RACI Matrix to assign roles and responsibilities.
- Created Objective Matrix for security goals.
- Built a comprehensive Asset Inventory List for IT and operational assets.
Step 5 – Core IT Controls
- Drafted IT Security Policies & Procedures.
- Defined Access Control Policy and Data Backup & Recovery Policy.
Step 6 – Data Protection & User Management
- Developed Data Protection & Privacy Policy.
- Documented Password Management and User Access Management Procedures.
Step 7 – Operational Processes
- Drafted SOPs for all departments.
- Created Customer Feedback Form and Customer Complaint Handling Procedure.
Step 8 – Risk & Continuity Management
- Built a Risk Register capturing threats and vulnerabilities.
- Developed Statement of Applicability (SoA) mapping Annex A controls.
- Finalized a Business Continuity Plan (BCP).
Step 9 – Internal Audit Readiness
- Documented Internal Audit Procedure and provided a checklist aligned with ISO 27001.
Step 10 – Employee Awareness
- Conducted company-wide training for 200+ employees to build a security-conscious culture.
Step 11 – Internal Audit & Corrective Actions
- Supported OBI Services in conducting their first internal audit.
- Identified minor nonconformities, initiated corrective actions, and conducted a Management Review Meeting.
- Follow-up audit confirmed readiness for certification.
Step 12 – External Certification Audit
- Coordinated Stage 1 (documentation audit) and Stage 2 (implementation audit) with the certification body.
- Achieved ISO 27001:2022 certification with only minor findings, all resolved prior to final approval.
Results
- ISO 27001 Certification achieved on schedule.
- Enhanced client trust, strengthening OBI Services’ competitive position.
- Formalized IT policies, risk management, and continuity planning, improving security posture.
- Increased employee awareness, with over 200 staff trained.
- Operational efficiency gained by aligning processes with international standards.
Technical Highlights: ISO 27001 Implementation at OBI Services
- Risk Assessment & Risk Register
  - Identified threats and vulnerabilities across IT systems, operations, and personnel.
  - Assessed likelihood and impact of each risk.
  - Assigned risk owners and defined mitigation measures.
  - Monitored residual risks for continual improvement.

Example entries:

| Asset | Threat | Vulnerability | Risk Level | Owner | Mitigation |
|---|---|---|---|---|---|
| Customer Database | Unauthorized access | Weak password policy | High | IT Manager | Implement Access Control Policy |
- Statement of Applicability (SoA)
  - Mapped Annex A controls to organizational processes.
  - Justified inclusion/exclusion of each control.
  - Ensured alignment between risk treatment and implemented controls.

Example entries:

| Control | Implemented | Justification | Status |
|---|---|---|---|
| A.9 Access Control | Yes | To protect sensitive client data | Implemented |
| A.12.3 Backup | Yes | Ensure business continuity | Implemented |
- Asset Inventory
  - Catalogued all IT assets, information assets, and operational assets.
  - Classified data according to sensitivity.
  - Assigned owners and custodians for accountability.

Example entries:

| Asset | Type | Owner | Classification |
|---|---|---|---|
| Customer Database | Digital | IT Manager | Confidential |
| Employee Records | Digital | HR | Sensitive |
- Business Continuity Plan (BCP)
  - Prepared to handle disruptions, system failures, or security incidents.
  - Defined recovery strategies for critical services.
  - Included communication plan, backup procedures, and responsibilities.

Example sections:
  - Critical IT Services & Dependencies
  - Backup & Recovery Procedures
  - Emergency Contacts & Responsibilities
  - Communication & Escalation Protocols
- Policies & Procedures Developed
  - Information Security Policy
  - Access Control Policy
  - Data Protection & Privacy Policy
  - Password Management & User Access Procedures
  - Internal Audit Procedure
  - Incident Management Procedure
- Employee Awareness & Training
  - Over 200 employees trained on security practices.
  - Simulations, SOP walkthroughs, and policy briefings to embed security culture.
Conclusion
OBI Services’ ISO 27001 journey with MaxiCert demonstrates how a structured, technical, and supportive approach can make a complex standard achievable. From initial hesitation to certification, MaxiCert guided the organization through leadership training, documentation preparation, risk and control implementation, internal audits, and external certification.
For OBI Services, ISO 27001 is now more than compliance; it is a foundation for client confidence, operational resilience, and sustainable growth.
FAQ
Why did OBI Services choose ISO 27001 certification?
OBI Services aimed to strengthen data protection and meet international standards for information security. As they handle sensitive client data, ISO 27001 certification helped them ensure compliance, build trust, and attract more global clients.
How did MaxiCert help OBI Services achieve ISO 27001 certification?
MaxiCert provided a complete roadmap—from policy creation and risk assessment to training and audit readiness. Their transparent approach, expert guidance, and post-certification support ensured OBI Services achieved ISO 27001 successfully and within budget.
What were the main benefits after ISO 27001 certification?
- Enhanced client confidence and brand reputation
- Improved IT and data management systems
- Formalized information security processes
- Better risk mitigation and business continuity
- Empowered employees with strong security awareness
How can other companies get ISO 27001 certified with MaxiCert?
Getting ISO 27001 certified with MaxiCert is simple:
- Contact MaxiCert’s consultants for a free consultation.
- Get a customized roadmap based on your company’s needs.
- Implement ISO 27001 standards with guided support.
- Undergo internal and external audits to achieve certification.
MaxiCert is among the best ISO consultants for ISO 27001 and other global standards, offering expert-led certification services worldwide.