While April came with a new certification (ISO 9001:2015 for Quality Management Systems) we’ve been holding the ISO 27001:2017 for Information Security Management Systems for more than 2 years now. But, it’s never too late to talk about an achievement, right?
In the following lines we’ll talk about what the ISO 27001:2017 certificate for Information Security Management means and why it’s important to collaborate with an organization that holds this certificate. We’ll also explain why you should make sure that certificate is still valid: a certificate is issued for a three-year cycle, with surveillance audits by the certification body in between and a full recertification audit once every 3 years, so a certificate can lapse or be withdrawn. Ask for the current certificate, and check the issuing body, the expiry date and the scope written on it.
ISO stands for International Organization for Standardization. ISO writes and publishes the standards; the auditing is done by an independent, accredited certification body that works against those standards. Long story short, the auditors show up at your company’s door and check how you do what you do. If your way of doing things matches the requirements of the standard, you get a certificate. Once you have that certificate, you can use it to show clients that you meet the standard in that specific area.
There are more types of certificates you can apply for. Each focuses on a specific area of interest related to your business. For example, if you are a food producer, you can apply for the ISO 22000 Food Safety Management certification, and you can let your clients know that your food meets the relevant safety standards.
Evozon currently has 2 ISO certifications:
- ISO 27001:2017 for Information Security Management;
- ISO 9001:2015 for Quality Management System.
So, why should you trust a company that is ISO 27001:2017 certified for your projects?
ISO 27001:2017 sets the international standard for information security management systems (ISMS). According to ISO’s official website, the standard enables “organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.” It’s important to mention that ISO’s purpose isn’t to dictate what an organization’s security objectives should be, or how the organization should achieve them. The standard defines what a management system for information security must contain, and it is up to each organization to decide how it meets those requirements. An ISO 27001:2017 certificate shows that the organization identifies the risks to your data (the client’s data), decides how to treat them, and has that process checked by an external auditor. It is not a guarantee that a breach cannot happen, but it is evidence that security is managed in a systematic, documented and reviewed way rather than left to chance.
Organizations with this certificate have proof that they are focused on continuously improving their security measures, that they assess the potential risks and plan before acting, and that their employees are involved in keeping everything as secure as possible. Employees are aware of the consequences of their actions and security is a priority in how they work. Communication is clear when it comes to security-related situations, and leadership is actively involved in keeping the established security measures at the highest possible standards.
Think of it like this: your data is Rapunzel (before her hair grows so long that it can be used as a ladder to climb down the tower) and the organization’s security measures are the tower. Basically, your data has no way to escape, unless its hair grows so long that someone else can climb up and help it out of the tower.
Now, let’s briefly see what the requirements of ISO 27001:2017 are. Through this certification, you can trust that a company has:
- A clear understanding of its purpose and context;
- A clear understanding of its clients’ needs and expectations;
- A well-defined scope for the Information Security Management System – the organization states which parts of the company, which locations, processes and information assets the ISMS covers, and the auditor checks that this boundary is clearly defined and justified. As a client, read the scope statement printed on the certificate: a certificate can cover only one site or one service line, so make sure the team and systems that will handle your data are inside it;
- A committed leadership that is involved in all aspects related to information security;
- An information security policy established by the top management / leadership;
- Well-defined organizational roles, responsibilities and authorities – this doesn’t mean that there should be only one person for each role, but it does mean that it is clear to each employee what they can or cannot do and why;
- Clear actions through which it addresses risks and opportunities;
- A number of information security objectives and the plans to achieve them;
- Adequate resources – people, budget and tools – dedicated to implementing, maintaining and continually improving the information security management system;
- Competent employees – well trained, educated and prepared to work in their fields;
- An increased level of awareness of the information security management system. People working in that organization know and comply with the information security policy, understand that they are part of the information security management system and that their contribution is needed to keep its standards up, and know what the consequences are if the information security management system’s requirements are not met;
- Good communication – it’s important that everyone in the organization knows what is going on with the information security management system, not just the information security expert;
- Documented information, where the organization clearly states how the information security management system works and why it is capable of achieving the intended results;
- Clearly defined plans that ensure the outcomes of the information security management system are achieved;
- Well-defined intervals for performing information security risk assessments;
- A documented information security risk treatment plan – having to document which risks are treated, how, and by whom makes the treatment plan something the auditor can verify, rather than a good intention;
- A procedure on monitoring, measurement, analysis, and evaluation, to check how the information security management system is doing;
- Planned intervals at which it performs internal audits to check the status of the information security management system, whether it is still correctly implemented and whether it still meets the ISO requirements;
- Planned management reviews – where senior management must check whether the information security management system is still effective and still helps the organization achieve its goals;
- Plans to act in case of nonconformity – if something in the organization doesn’t comply with the ISMS requirements, the organization is prepared to react, correct the problem and address its cause;
- A focus on continual improvement.
These are a lot of points to tick, but we’re glad to say we’ve been complying with all of them for a while now. It’s proof that we always keep an eye on having everything secure and sound while being busy developing and providing high-quality products and services. We’ve only briefly tackled each requirement here, but you can read them in more detail on ISO’s official website.
As almost every field has transitioned to the digital world, working with an organization that has a public commitment to keep its security measures at the highest possible level (and can prove it) should be on your “must-do” list. You know the saying “Keep your friends close, your enemies closer, and your data 100% secure”? Neither did we until now, but it should be more popular.
Article written by: Ruxandra Mazilu