The Quest for ISO 27001 Certification

Published on June 18, 2026


At Brunei Shell Petroleum Company Sdn Bhd (BSP), we hold vast amounts of data and information in running our day-to-day business. Information is more than just an asset; it is a critical element in decision-making, communication, innovation, and the achievement of business goals. It is fundamental to a company’s existence, but in an era of sophisticated cyber threats, every organisation faces a challenge: how prepared are we when it comes to protecting our data and information?

Safeguarding our data isn’t optional; it’s essential. This is the story of our journey towards ISO/IEC 27001 (International Organization for Standardization) certification. For us, this journey is about more than hanging a certificate on the wall; it is a catalyst to transform how we manage risk and embed security into our daily work culture. It required us to bridge the gap between three essential pillars: People, Process, and Technology.

From Conversation to Certification

A simple conversation in 2023 triggered a series of actions:

“Are we doing enough to protect what matters most?”

The honest discussion quickly turned into intent. With full endorsement from the IT leadership team, a green light was granted for BSP to pursue ISO 27001 certification. But this was no feat for an individual; it required full collaboration across the business, from one end to the other.

What followed was a year of transformation that broke down departmental silos. This wasn't just an "IT project"; it became a common language spoken across different directorates. The project brought together risk owners, process stakeholders, and experts from every corner of the organisation.

The road wasn't always smooth: there were intense audits, rigorous milestones, and those inevitable moments of uncertainty. But with every challenge came a new level of clarity. BSP did not emerge with just a certificate, but with a stronger, more aligned team that views security as a shared responsibility.

“When we decided to pursue ISO27001 certification, we were aware that its process and journey weren't going to be straightforward. We accepted it as a learning journey worth going through as we were keen to understand our strengths as well as our developmental needs. We weren't looking to seek perfection. As a learning organisation, ISO27001 certification allows us to continuously improve our capabilities in an externally benchmarked and structured process,” shared Hjh Sofiah Umar, BSP Chief Information and Digital Officer.

Why This Certification Matters

Achieving ISO 27001 was a proud milestone, but the true value isn’t the certificate itself; it’s the resilient foundation that was demonstrated by the people involved. Today, the company has not walked away with just a credential; it has gained:

  • Strategic Foresight: A structured way to hunt for and neutralize risks before they become issues.
  • Total Visibility: A clear map of our information assets and their vital role in our daily operations.
  • Kinetic Firewall: Robust safeguards that protect us against an ever-changing threat landscape.
  • Business Continuity: The readiness to respond to disruptions without missing a beat.

Perhaps most importantly, there was a shift in the overall culture and attitude towards information security: it was no longer an "IT problem"; it was a shared responsibility that all carried.

Kenneth Tew, BSP Head of Information Risk Management (IRM) and Cybersecurity, stated that ISO 27001 taught everyone that security isn’t a department; it’s a relationship built and promises made together to manage the known risks.

“The most valuable part of ISO 27001 was learning to be honest with ourselves and the moment everyone starts feeling responsible, the journey becomes easier,” he further shared.

It Takes a Village (and a Lot of Audits)

This certification marks an important milestone in the company’s journey towards operational excellence and information security. More than a testament to compliance, it reflects the organisation’s growing professional maturity and unwavering commitment to setting high standards across every aspect of its work.

This was a massive, collective lift that often happened behind the scenes. It took countless hours of brainstorming, cross-departmental coordination, and securing the buy-in needed to move such a large ship in a new direction. The journey was demanding, but it revealed a heartening truth: When something is good for the organization, our Orang Kitani rise to the occasion.

From every directorate and department, people stepped forward to lend their expertise. This achievement belongs to everyone who helped foster a culture of accountability and excellence.

“When we started the ISO27001 journey, we thought we were building a framework. What we didn't expect was how much it would shape our mindset, our discipline, and the way we work together. Getting certified was the goal but becoming a stronger, more resilient, and security-conscious organization, that was a real reward and true transformation,” shared Mahdiana Mahmud, Senior IRM Advisory Lead.

The Road Ahead

If you think of certification as a finish line, think again. In the world of security, it’s actually the starting blocks.

ISO 27001 is a "living" standard. It requires us to stay curious, stay vigilant, and constantly refine our systems. As technologies shift and threats evolve, so must we. Our real success won’t be measured by the day we received the certificate, but by how we sustain this momentum—embedding security into every decision we make and every project we launch.

Looking back, the pursuit of ISO 27001 was never just about compliance. It was about asking the difficult questions, building a stronger foundation, and holding ourselves to a higher standard of excellence. And that is a journey truly worth celebrating.

“I'm very proud of the strong collaboration between our business stakeholders and our team, which was instrumental in achieving this certification. More importantly, the certification is not an end in itself, but a platform that enables us to further strengthen our cybersecurity capabilities and build lasting credibility,” Hjh Sofiah Umar added.