ISO-27001 certification
Customers are rightfully concerned about entrusting their sensitive data to third parties.
And while Interfax Communications Ltd., developer of ShieldQ, has always maintained a hardened information security management system (ISMS) to protect customer data from any internal/external, deliberate/accidental threat, the company has taken it a step further, achieving the coveted ISO 27001 certification through Certification Europe.
ISO 27001 is the internationally recognized and respected standard that determines if a company is following information security best practices. This completely neutral standard applies an exacting, risk-based approach to determine the security of data in an organization, assessing IT structure, processes and people.
Certification is not mandatory: companies that want to assure their customers of data security undergo the stringent audit voluntarily. Doing so can make the difference between instituting best practices and processes that ensure maximum customer data protection, and running a security system that is not fully optimized.
Very few companies actually achieve ISO 27001 certification. According to ISO.org, only 27,536 companies worldwide were certified in 2015 -- among them Xerox, Pfizer and Vodafone. Others may rely on ISO 27001 certification of external datacenter companies, and do not certify their own systems.
Achieving such certification makes ShieldQ the only multichannel data management/storage service that ensures the security of customer data, inside and out, through its accreditation with ISO 27001 and PCI DSS Level 1 standards.
How is ISO 27001 assessed?
Only authorized organizations like Certification Europe can grant ISO 27001 certification, after an expert assessment that data is protected in a satisfactory manner.
The three-stage process comprises:
Stage 1: an informal review of the ISMS to ensure that key documents exist and are updated, including:
- A corporate security policy
- A risk treatment plan
- A statement of applicability (how you implement a large part of your information security)
Stage 2: independent testing of the ISMS against the requirements specified in ISO/IEC 27001. Once the certifying body has determined that a company’s ISMS, processes and people meet ISO 27001 standards, the company is granted certification for three years.
Stage 3: the company is subject to follow-up reviews or periodic audits to confirm that the organization remains in compliance with the standard. The cycle is repeated after three years.
What’s the difference between an ISO 27001-certified company and one that is not certified?
The table below describes how data is protected in an ISO 27001-certified company like Interfax:
| Benefit | Interfax: accredited company (invests in an ISMS, securing critical customer data) | Non-accredited company (no ISMS, hoping for the best -- but risking customer data) |
|---|---|---|
| Keeps confidential data secure | Prioritizes investment in infosec best practices and certification | Without a proper ISMS, the system can be a “leaky bucket” |
| Enables secure info exchange | Audited, secure communication channels | No way to tell if it’s secure |
| Ensures meeting legal obligations (EU GDPR) | ISO 27001 prepares organizations for GDPR’s strict rules | It only takes one exposure to get slapped with hefty GDPR fines: up to 2% of annual worldwide turnover |
| Helps company comply with other regulations (PCI DSS) | Similar security standards make it easy to comply with PCI DSS’s credit card security regulations | If not compliant, companies must begin a lengthy, costly investment in securing systems |
| Ensures consistent service delivery | ISO 27001’s requirements ensure no disruptions in workflow | Without proper controls, there may be disruptions |
| Builds a corporate security culture | All staff are trained and tested in info security and data protection to ensure every interaction is handled with maximum security measures | The human factor is the weakest link in any organization (Verizon Data Breach Report 2017); not intentionally, but through ignorance of sound IT protocol. Non-accredited companies don’t find out about these errors until months, or even years, go by, because too often the culprits are “trustworthy” staff who’ve been given undeserved permission to handle sensitive data |
| Manages and minimizes risk exposure | Because ISO 27001 takes a risk-based approach, it forecasts potential risks and ensures we are prepared to handle them | With no formal process in place, these companies could be headed for a breach |
To see or download a copy of Interfax’s ISO 27001 certification, click here.
For more information on the ISO 27001 standard, click here.