This is how we got our ISO27001 certification

In an age of rapid technological expansion, information security is pivotal for a software company and its products. Information must be processed confidentially, its integrity must be preserved, and it must be available only to the entities permitted to use it. The problem of information security has become even more acute since the very public failures of social media platforms to protect their users' data.

The urgency of having well-established processes in place within IT companies, and of demonstrating security management, has pushed them to obtain a form of internationally recognized certification. Such a certification offers assurance to a company's prospects and gives the company an actionable strategy for protecting all the data it holds.

ISO 27001 is a widely known international standard for managing information security, and we proudly announce that we have obtained it. We now offer our partners and prospects assurance of the dedicated measures we take to reduce the risk of suffering a damaging cyber security breach.

What is ISO 27001?

ISO 27001 is the leading international standard focused on information security. It was developed to help organizations of any size and from any industry protect their data systematically and cost-effectively through the adoption of an Information Security Management System (ISMS). Organizations use ISO 27001 to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to them by third parties.

An ISMS targets three main objectives: confidentiality, integrity, and availability. Confidentiality is secured by granting access to information only to authorized persons. Integrity means that data can be modified solely by authorized persons. The availability objective is met as long as the information is accessible to authorized entities at all times.

What does it mean for a business to be ISO 27001 certified?

We are enthusiastically talking about ISO 27001, but what benefits does it bring to the organization, and why is it important to obtain it?

1. It protects our reputation

Information security is serious business and should not be treated lightly. ISO 27001 compliance enhances our reputation because it demonstrates to stakeholders that we plan constantly for information security, and it protects us from security threats.

2. We avoid regulatory fines

By following the ISO 27001 guidelines to secure information, we avoid the penalties associated with non-compliance with data protection frameworks such as the GDPR (General Data Protection Regulation).

3. It improves our structure and focus

During a period of full expansion, it is easy to neglect details if focus is lost. ISO 27001 sets the right approach for keeping information security tasks at the top of our priorities.

4. It reduces the need for frequent audits

ISO 27001 is internationally recognized, and it is mandatory in several countries. The global acceptance of this certificate eliminates the need for frequent client audits.

5. It helps retain customers and attract new business

One of our stakeholders' concerns is how their data is handled and protected. With ISO 27001, we prove our commitment to meeting the highest standards of information security, not only to our existing partners but to future clients as well. We consider the certification another layer of trust in the relationships we nurture.

6. It ensures the implementation of best practices

ISO 27001 means a coherent information security management strategy, which includes keeping systems up to date, clear steps for maintaining a firewall that is resilient to cyber-attacks, and instructions for all employees confirming that they follow the protocols. It is worth mentioning that the ISO 27001 framework is not limited to these measures; it is far more complex and thorough. In the event of a security breach, the information security management strategy demonstrates that we evaluated the risks, helps us report the cyberattack, and keeps the damage to a minimum.

7. It promotes compliance with commercial, contractual and legal requirements

ISO 27001 addresses compliance with legal and contractual requirements. Therefore, we ensure we are up to date with the documentation, legislation and regulations that affect our business objectives and our compliance with those requirements.

8. Continuous monitoring and prevention of risks

Implementing an ISO-compliant ISMS helps create strong, tested protocols for data protection. This results in a clear picture of the company's current standing and security processes, along with an outline of what is needed to satisfy functional, legal, regulatory and client requirements. Consistent monitoring of these aspects confirms that they function as intended and that potential weak spots are identified before they open the gate to data breaches.

How we prepared to obtain ISO 27001

1. Preparation

We did the research and wrote down all the reasons we needed ISO 27001, the benefits it brings, and the steps we had to take to bring the certification home.

2. Establishment of the context, scope, and objectives

We established the objectives and the resources needed to obtain ISO 27001, including project costs and a clear timeframe. External support was contracted to supervise the project and check our certification journey. To develop the scope, we took into consideration the requirements of our partners and clients across the whole organization. The context was established by pinning down the factors that could influence the company's information security (such as existing systems and processes, risk acceptance criteria, etc.).

3. Establishment of the management framework

The processes we needed to follow to meet the ISO 27001 implementation objectives, such as assigning accountability for the ISMS and setting a schedule of activities, completed the management framework.

4. Conducting a risk assessment

Baseline security criteria covering the company's business, legal and regulatory requirements were established before the risk assessment was conducted. Although the assessment itself is a formal process, it still required planning and recording the data and the results.

5. Implementation of controls to mitigate risks

The risks identified during the previous step were classified into four categories that dictated how to handle them: treat, tolerate, terminate, or transfer. All risks had to be documented for the auditor and compiled in a Risk Treatment Plan report.

6. Training

Information security awareness programs had to be implemented to embed protective policies among employees. We rely on them to ensure compliance, so we needed to minimize the learning curve and be as supportive as possible while the new policies were adopted.

7. Reviewing and updating the required documentation

ISMS policies, processes, and procedures have to be supported by documentation. Obtaining ISO 27001 required a significant amount of paperwork, including the scope of the ISMS, the information security policy, the information security objectives, and many more.

8. Measure, monitor, and review

ISO 27001 means the company is committed to the continual improvement of its ISMS. The effectiveness of the ISMS and compliance with it are constantly analyzed and reviewed, while possible improvements to the protocols are kept on the radar.

9. Conducting internal audits

ISO 27001 requires internal audits of the ISMS at planned intervals. We have a designated staff member responsible for implementing and maintaining ISO 27001 compliance, who arranges the periodic internal audits.

10. Going through the registration and certification audits

The registration audit consisted of an assessment of the documentation required by ISO 27001. Once we got a green light for that first stage, the certification audit followed, which meant a thorough assessment of our compliance with the ISO 27001 standard.

Our efforts were recognized and rewarded with the ISO 27001 certification, and we plan to stay on top of the industry's standards. We are ready to get involved in projects of higher complexity, as we have proven our attention to detail.

Even before obtaining the certification, we were prepared to demonstrate to our stakeholders that we comply with international standards for information security; the certification makes that demonstration smoother, and we are now certified by a trusted entity.

Umang Patel

IT Business Developer | Technical Expert | Web Development | Mobile (Android, iOS, React Native) App Development | Web Design | Ecommerce (Magento, Shopify, WordPress) | Digital Marketing

2 years ago

Congratulations to you and your team Claudiu Campean. Teamwork always leads you towards good achievements.

Great work Claudiu, congratulations for this impressive achievement!

Congratulations to your team Claudiu Campean, all the best.
