How to get the ISO 27001 security certification?
PayFit’s experience

Marine Thivend, PayFit
Published Jan 28, 2021 · 10 min read

Becoming certified is always a demanding task, especially for a young company. Often seen as a lengthy and costly endeavour, the process is also not straightforward: where do you start? Do you need outside support? Yet it is hard to avoid, because security has become a crucial issue for companies, whatever their size and however long they have been around.

At PayFit, we started the process of obtaining ISO 27001 certification in 2018*. We received it two years later, in September 2020. It took us some time to understand how to get started on such a complex subject. At the time, there was little feedback from companies similar to ours, and no good practices that we could draw on.

So today we are sharing our experience and advice to those who would like to embark on this adventure. Guillaume Gohin, Head of Information Security, spearheaded the process of obtaining the ISO 27001 standard at PayFit and is giving us his thoughts today.

*What is the ISO 27001 certification?

ISO 27001 is an international standard published by ISO (the International Organization for Standardization). It sets out the requirements for an information security management system (ISMS): the policies, risk assessment, controls and review cycle an organisation uses to protect the confidentiality, integrity and availability of its information against loss, theft or corruption. Beyond technical measures, it also covers organisational, people-related and physical controls, which is what makes it a 360-degree approach to security. Being certified means that an accredited certification body has audited the ISMS and found it to conform to the standard.

Why did PayFit decide to get the ISO 27001 standard?

At PayFit, security is one of our major development challenges. It is an integral part of our product. Due to the very nature of our business, namely payroll processing, we handle sensitive, personal and confidential data. We must guarantee and deliver a secure product.

“Since security is part of our product, it must be an integral part of all of our work projects and corporate culture.”

PayFit continues to grow strongly in Europe. Today, we are in 5 countries and work under different legal systems. We are also serving more and more customers, of ever-increasing size. This meant that we needed a framework which would allow us to organise all our operations with a standard level of security.

How did the process start?

We started researching the possibility of obtaining certification at the end of 2018. Saying that we took security seriously was no longer enough. We wanted to go further than vague statements and vouch for the reliability of our security measures with a recognised standard.

The ISO 27001 standard is internationally recognised. In its 2013 edition it lists 114 controls in Annex A, on top of the management-system requirements in its main clauses. Certification applies to a scope that the company defines and that is stated on the certificate; we chose to cover the entire organisation, not just the security of one application or product. This made it particularly appealing.

We drew up a “benchmark list” of companies that had gone through this process and could advise us. Unfortunately, there is not a lot of information available on this topic, so we knew that we would need support from a third party. At the beginning of 2019, BSI Group, a certification body, started supporting us in this process.

What were the main steps in this process?

There were 5 main steps:

  • in-house training;
  • creating and filling in the basic documentation;
  • practising with a mock audit;
  • passing the level 1 documentation audit, called “stage 1”;
  • passing the level 2 audit, called “stage 2”.

Step 1 — In-house training (5 days)

To begin with, in-house training was our priority. The recommendation is for at least one person in the company to be trained to perform an audit, so that the company can run the internal audits the standard requires (clause 9.2) and knows what the external auditor will look for.

At PayFit, two of us completed the 5-day training with BSI Group. Anne-Flore de Belenet, Legal Director, and I have obtained the highest security certification, “ISO 27001 Lead auditor”.

Step 2 — Documentation phase: completing the strategy and operational checks (1 year and a half)

From June 2019, we created the fundamental documents that formed the basis for our day-to-day security following the ISO 27001 standard. In concrete terms, these documents cover the 114 specific and highly operational controls of the standard’s Annex A, which we grouped into 9 major policies:

  • general security policy;
  • security of operations;
  • development security;
  • incident response plan;
  • information system manual;
  • business continuity;
  • relations with suppliers;
  • access and resource management;
  • physical and equipment security.

For us this involved, for example, setting up a procedure for the arrival of new employees, creating a security training plan for employees, etc.

Each of these 114 controls has to be addressed before moving on to the next step: either implemented, or excluded with a documented justification in the Statement of Applicability. Working through them is also what allows you to define the security policy and carry out a full risk assessment of the organisation, covering all roles and operations, since the risk assessment is what justifies which controls apply to you.

To be certified, you must pass two audits. The first, known as “stage 1”, reviews the company’s documentation. The second, known as “stage 2”, checks whether the company’s actual processes and organisation match the established documentation and whether the controls are really operating.

During these audits, findings fall into 3 categories:

- Observations: the auditor points out something that could be improved, but this remains informative and does not affect the result.

- Minor nonconformities: the audit is not compromised, as long as the company commits to correcting the finding and provides a corrective action plan (root cause, who is going to be involved, when, how, etc.). Several minor nonconformities against the same requirement can be escalated to a major one.

- Major nonconformities: the company does not pass the audit until the issue has been corrected and the correction verified.

Step 3 — The mock audit, comparing our documentation with reality (after 6 months of audit preparation)

Before the stage 1 audit, we organised a mock audit with BSI Group that simulated a stage 2 audit, in order to assess our progress. Until then, we had focused a lot on documentation, but it was still very theoretical and we wanted to test ourselves in practice. This simulation proved to be extremely useful and allowed us to take stock of our progress. We then took and passed stage 1 in June 2020.

Step 4 — The “Level 1” audit, presenting sufficiently solid documentation (6 months)

We started to get ready for the Level 1 audit in January 2020. This initial step had two specific goals:

  • to improve processes, see what is missing and make a new plan to reach the required level. Together with the auditor, we looked through all the basic documents that had been created, to make sure that they matched the requirements of the standard;
  • presenting the results of all the work carried out to management during a “Management Review”, a meeting the standard requires (clause 9.3) and which in our case also covered the mock audit. In concrete terms, this is a meeting with all the department heads, where you present the different policies put in place and the performance indicators, the actions implemented so far and everything that still needs to be done, in particular anything that requires their validation or their support.

At PayFit, we have had the full support of management who have been very proactive in helping us. As they work closely with the teams, the project has been driven by a shared will to implement the proposed changes, as well as by the agility that is ingrained in PayFit’s DNA. It therefore turned into a company-wide project with top management, and a project for the teams with clearly defined objectives.

Step 5 — The “Level 2” audit, obtaining certification by checking practice against every control (4 months)

The second audit took place at the end of July. It covered all company sites, which for us meant the four countries where we were present at the time (Germany, Spain, France and the United Kingdom). The auditor compares the documentation with the work in the field to assess the company’s practices, control by control, against the Annex A controls selected in the Statement of Applicability and the management-system clauses of the standard. We look at the evidence together, check by check. For example, we analysed our processes and security measures throughout the development cycle of a feature. We also reviewed the access rights and equipment held by employees, selecting a few employees at random.

If I’m honest, these were stressful times. For two years, we worked on putting all the processes in place in order to get the certification, and we would have been very disappointed had our efforts not borne fruit. We finally got it in September 2020.

Once you get it, what can you expect from this certification?

Getting the ISO 27001 certification is fantastic news. First and foremost, it has an incredible external impact. Being able to display the certification allows us to change our image by showing that PayFit is growing while becoming stronger and more mature. We move from vague assertions to very concrete evidence of our commitments. It provides a guarantee to all the company’s stakeholders that they are working with an operator which is fully committed to security: customers, service providers, partners. This will definitely have an impact on winning over new customers. When they are looking to choose a service provider to manage their payroll, security is a decisive factor for them.

Internally, being certified requires and demonstrates a strong will to make a long-term commitment to security issues.

So what do you need to do to keep this certification over time?

An audit is a snapshot of the information system at a given moment, but that doesn’t mean that the company stops its efforts afterwards. For example, it sets itself objectives during the audit, such as increasing the use of certain tools. The certificate is valid for three years: a surveillance audit takes place every year, and a full recertification audit in the third year.

“If you fail these ‘light’ checks, then you immediately lose the certification.”

Today, all our employees are trained in security, on their first day and at least once a year. It is a mandatory process, but I find it extremely healthy and positive. Having specific training in security and usage highlights its standing in our organisation. It becomes an issue for the whole company and for every employee, not just the IT team. This is how we support and improve the level of security within the company.

We make sure that everyone understands how a breach of procedures can affect the whole company, how everyone contributes to the availability of our product, etc.

What was the most complicated step?

The initial documentation step was the most difficult for us. We had to write down all the actions that the company was going to implement to comply with the full standard. We were faced with a mountain of documentation and theory. Setting up this kind of project is a long and tedious process, especially as we had little experience in this area!

In general, the “change management” stage is extremely complicated in companies, especially those with thousands of employees. If there is any internal pushback, the whole process of obtaining the standard becomes a lot more arduous. You are asking some teams to add to or change their processes and daily habits. So you need the management team and all the managers to support the project.

At PayFit, with 500 employees, we didn’t have this problem. In fact, the security team has a job to do like any other, and plays an equal part in the success of the company as any other role.

“The information security team doesn’t just have a control role, but it participates in the strength of the product and growth, in the interest of the business and the employees”. Firmin Zocchetto, CEO & Co-founder of PayFit

Do you have to make any compromises to get certified?

Obviously, when you decide to strengthen security processes, you have to give up some of your agility. More processes are put in place, especially for relationships with third parties (providers, partners, etc.). For example, when we work with a new service provider, we need to be assured of the security guarantees they provide. If they are certified, the process is very fast. If they aren’t, then it takes longer!

I actually believe that this is extremely positive and I don’t see it as a sacrifice. First of all, including security in your growth activities and in the organisation of the company is essential, especially when, like PayFit, you handle data that is sensitive by nature.
Secondly, you have to know how to find the right balance between agility and security. For us, the balance is leaning towards agility and innovation, but with full security. People need to be able to take steps as quickly as possible, but not at any price. There is now a very clear line, which we take into account in every new project right from the design stages.

Guillaume’s advice for a smooth start to the certification process

1. Do things in the right order: do not start the certification process if security has not been a strategic issue before. The standard is there to approve an already-existing system. But if you go ahead without a system in place, you’ll have too much catching up to do.

2. There must be a will to commit the company to security issues on a long-term basis:
- involving the founders and management in the process enables all the teams to be involved;
- make security a structural challenge for the company. These are not just boxes to be ticked. Security is a daily issue that is integral to all operations.

3. Provide for an adequate budget: real and mock audits, support, tools, etc.

4. Put in place the tools the controls require: for example a centralised device management tool to enforce security settings on employee equipment (JAMF at PayFit), or background checks for new employees that you may not have been doing before (diploma, identity, previous experience).

5. Carry out a mock audit: this allows you to take stock of your situation and improve what needs to be improved before the big inspection.

6. Train your teams:
- have at least one person certified as an ISO 27001 auditor;
- train all employees in security.

7. Communicate about what security means: generally, people think that “security” only means “confidentiality”. Developers and tech roles add “integrity”. But few consider the third part: availability. Ensuring that our application, product and service remain available is very much part of the security guarantees. The 27001 standard reflects this: its Annex A includes sections on information security incident management and on the information security aspects of business continuity (A.16 and A.17 in the 2013 edition).

8. Make your certification visible:
- display the logo in email signatures;
- dedicate a page to security guarantees on your site;
- make sure your sales teams know about it: this is an asset that can be a decisive factor for some customers.
