We announced a little while ago that PageFreezer has earned ISO 27001:2013 certification. Now, unless you’re a compliance or IT security professional, you are probably wondering why it matters. Does it have any actual impact on the service you’re receiving? And anyway, aren’t all the vendors in our industry certified as well?
The truth is, they’re not. In fact, very few are. Some claim that they are compliant with ISO 27001 security practices, but merely being compliant is not the same thing as being certified by an independent, third-party auditor (an accredited certification body). Earning ISO 27001 certification demanded a massive commitment from our company. The initial certification process took about a year and required us to examine the security implications of every process within PageFreezer. Everything from email and password security to hiring, employee onboarding, business continuity, supplier relationships, the physical security of the workplace, and employee devices had to be taken into consideration. Annex A of the ISO 27001:2013 standard groups no fewer than 114 specific controls into 14 control domains, and the management-system clauses (4 through 10) set requirements of their own on top of those controls.
But why does ISO 27001 certification matter? Why did we spend a year getting certified? Let’s zoom out a little and look at what ISO 27001 is.
What Is ISO 27001?
ISO/IEC 27001:2013 is an information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). The goal of an ISMS is to improve organizational security by integrating security into all aspects of managing a company, rather than treating it as a purely technical concern.
In order to earn ISO 27001:2013 certification, a company must first define the scope of its ISMS and then identify the information security risks it faces within that scope: the threats and vulnerabilities that could compromise the confidentiality, integrity, or availability of its data and information systems. Once those risks have been analyzed and rated, the company must decide how to treat each one and implement controls that bring the risk down to a level its management has explicitly accepted. And that’s not the end of it. After the initial certification audit there are annual independent surveillance audits, and a full recertification audit every three years, that look for evidence that every procedure of the management system is actually implemented, reassessed, reviewed, and improved over time. In other words, certification isn’t a box that you tick once and forget about; it’s a long-term, ongoing commitment to information security.
Protecting What Matters
The reason we did all this work is simple: we want to protect our customers. By attaining ISO 27001:2013 certification, we show that we’re doing everything we can to protect the confidentiality, integrity, and availability of information, systems, and services. The controls we’ve implemented during this process are there to keep information assets safe from unauthorized access, to make sure that accurate and complete information is delivered by systems that are reliable, and to keep information available when authorized users need it.
We monitor, capture, and archive data across websites, social media channels, enterprise collaboration platforms, and mobile text messages, so much of the data we manage is sensitive by nature. With breaches costing companies millions, and in some cases hundreds of millions, of dollars, we see it as our duty to do everything we can to help keep that data safe.
Certainty Is Power
Companies and government organizations depend on the records we create to prove compliance and ready themselves for litigation, so it’s crucial that the accuracy and authenticity of the data be beyond question. Through ISO 27001:2013 certification, we give customers the peace of mind that comes with knowing they’re relying on a secure archive.
For more information about security at PageFreezer, please visit our Security Page. Below I’ve also put together some tips for any company preparing to embark on certification:
- Create a dedicated team to manage information security requirements and oversee the implementation process;
- Do your homework, consult with experts, and give yourself the time to develop a thorough implementation plan;
- Realize that you’ll have to come up with your own continual improvement methodology. ISO 27001 tells you what an ISMS must achieve (risk assessment, risk treatment, management review, continual improvement) but not how to achieve it; it doesn’t prescribe specific security technologies or practices. Implementation guidance for the individual controls lives in the companion standard ISO/IEC 27002;
- You’ll need to consider carefully the larger context of your organization, the laws and regulations that apply to you, and individual customer requirements in order to conduct an ISO 27001 risk assessment and establish your company’s security baseline;
- Take time to understand the scale and scope of the ISMS you’ll be implementing and how it will affect day-to-day operations;
- Implementing ISO 27001 from scratch typically takes 9 to 12 months, assuming a dedicated employee is managing the process. Keep this timeline and the necessary resources in mind when doing your planning;
- Prepare to educate and train employees—and answer lots of questions.
Want to experience PageFreezer’s enterprise-level security features for yourself? Request a demo by clicking the button below.