We’re ISO 27001 certified. Here’s why you should care.

Hussein Elrakhawy
3 min read · Jul 17, 2019


Hussein Elrakhawy — Chief Information Security Officer, Flux Federation

ISO 27001 is an international, globally recognised, information security standard. It’s published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). It’s intended to bring information security under management control by taking a risk-based approach. ISO 27001:2013 (which is the current version of ISO 27001) provides a set of standardised requirements for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS).

What are the benefits of ISO 27001 certification?

ISO 27001 provides a framework that helps Flux to:

  • Protect client and employee information
  • Manage and minimise risk exposure
  • Comply with various contractual and regulatory obligations, like the European Union General Data Protection Regulation (EU GDPR), Payment Card Industry Data Security Standard (PCI-DSS), and others
  • Build a culture of security
  • Protect our clients’ and our own brand image

We’re pretty thrilled to be certified because we believe it provides the right level of assurance for our existing and future clients, especially during a time where data privacy is so topical. It’s our way of showing our clients and their customers that Flux has been taking a methodical risk-based approach to securing our platform. Our clients and customers can be confident that information security is regularly discussed by the Flux leadership team.

What was the ISO 27001 certification process like?

A total breeze. Jokes. Firstly, there were some mandatory requirements that we had to comply with. How long the certification takes depends on the maturity of a company, and we got ours pretty quickly because we’ve always been dedicated to a high level of information security. We were audited by an accredited certification body last February, which took about a week, and there were almost no findings: this means we got a gold star and that our data security processes are solid. This is something I noticed when I started working at Flux at the end of last year: people here were already very security aware and were following high-level security processes, which made my job easier. Management was always discussing security, and almost everyone joined in on the conversations in the Security and Privacy channel on Slack. The role I played in the certification process was basically to ensure we were documenting what was already being practised. I defined security roles and responsibilities, maintained a risk register, defined and measured security objectives against KPIs, tackled audit findings, and documented and communicated all things security.

But our commitment to information security doesn’t stop with the certificate. We have to go through surveillance audits every year, to make sure that we stick to the program and don’t get sloppy. Every three years we get issued a new certificate, but only after going through a re-certification process, which is fine by me, because I know we should pass with flying colours.
