The International Standard for Information Security: ISO 27001
With cyber-attacks on the rise, and companies increasingly looking to work internationally, a common consideration is whether the ISO 27001 certificate is worth obtaining. ISO 27001 certification covers an end-to-end Information Security Management System (ISMS), established by the International Organization for Standardization, and should interest any company wanting to abide by international norms and demonstrate that its security system is intact. The certificate acts as reassurance for partners, clients, and third parties abroad that your company will securely handle any information they share with you. This year, in Be-Bound's case, it became clear that the certification would be required if we wanted to work with certain clients (big corporations, payment companies, etc.), so we decided to undertake the process. Here's some of what we learned.
What is the ISO 27001 Certificate?
The ISO 27001 security certificate was created in 2005, and is meant to verify that an information security management system has been implemented across the business for every sensitive area: financial data, intellectual property, personal information, etc. Before the certification can be validated and recognized globally, there are 114 security measures that must be put in place. ISO 27001 helps to preserve three principal objectives: the confidentiality, integrity, and availability of critical business assets (also known as the CIA triad).
- Confidentiality = Limiting information and access to authorized users (and preventing access by unauthorized users)
- Integrity = Maintaining and assuring the accuracy and consistency of data throughout its life-cycle
- Availability = Ensuring information resources remain accessible when they are needed
What is Information Security?
Information security can refer to anything from how employee information is retained, to how remote workers handle their laptops and USB drives, to how the company headquarters are secured physically, and more. In fact, information security intersects nearly all areas of business, and for that reason ISO 27001 defines 11 categories that businesses can use as a tool to help create and implement their plan:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resource Security
5. Physical & Environmental Security
6. Communications & Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
For Startups Dealing with Personal Data and Security
ISO 27001 brings security and added value to startups working with data internationally. In the World Economic Forum's Global Risks Report 2017, large-scale cyber-attacks and massive data fraud/theft are listed as technological risks with the potential to cause significant negative impact within the next 10 years. User data is lucrative information for hackers, and cyber-criminals are becoming increasingly adept. Consequently, organizational mindsets are shifting towards preparation: planning for "when" there is a breach, rather than "if" there is a breach. In Be-Bound's case, our company primarily deals with personal data, a critical aspect of information security, especially regarding mobile payments and the handling of users' financial data. It's best to be prepared.
Security is only as good as its weakest link, and undergoing the ISO certification process allows a business to identify and manage its risks ahead of a crisis. Putting safeguards in place against such attacks, and incorporating security standards so that they fit seamlessly into the way you do business, is the best defense possible.
How To Get Certified
Today, there are 27,536 organizations that hold an ISO 27001 certificate. To receive the certificate, a business must go through several steps. First, it must define its own scope of what needs to be secured, according to its business activity; because every business is unique, each needs to create its own customized ISMS (there is no duplicable version).
Once the system is created, an internal audit is done, followed by an external audit of the business processes, to confirm that all elements of the implemented system work together to ensure the best level of security controls. A business that obtains ISO 27001 has successfully shown that it understands what information it needs to protect, and how best to do so according to its business activity. The drawback is that the certification process is long and costly (taking on average up to 8 months to 2 years, and costing 8,000 Euros), which is not well suited to startups looking to work abroad in a more immediate timeframe.
Self-Declaration of Conformity: An Interim Measure
In our case, Be-Bound opted to prepare a self-declaration of conformity: a statement of the applicability of our own security measures. Rather than taking 2 years, a self-declaration is free, and can be done in 6 months.
To start the process of a self-declaration, we invited Sara Nait Ouslimane, a student from the University of Technology of Compiègne, to join Be-Bound for a 6-month internship to manage the first steps. Sara worked with Michel Henzel, Be-Bound’s Project Management Officer, to create a tool that enabled us to do an internal audit and measure the progress achieved.
At this point, once our internal self-evaluation is 100% complete, we will arrange with one of our partners to send a selected expert to audit our self-evaluation and confirm that all 114 measures are being respected. This official internal audit will allow the company to fulfill ISO 17050, which will soon evolve into ISO 27001, and is enough proof to allow the company to work and communicate freely with partners and clients abroad. With ISO 17050 in place, third parties can trust that you are taking serious precautionary measures and are on your way to obtaining the higher-level certification. For Be-Bound, the self-declaration is a temporary first step while we await our official certification, which we expect to be completed by the end of 2018.
What impact will a security certificate have on the future of our business and our organization internally?
Fulfilling a recognized norm gives companies a significant competitive edge, and opens doors to new markets and new potential clients that were previously inaccessible without a certificate. For any company that obtains ISO 27001, it is a measure of reliability and quality, giving potential partners and clients a reason to trust you above the competition. The ISO 27001 certification is valid for 3 years. Even though certification is a significant undertaking, it's doable for startups, especially thanks to the option to self-declare as a first step.