BLOG
Insight to All Things Currency and Treasury Management

From industry magazines to news outlets, information security continues to be one of the most discussed topics in the business world, and for good reason.

Any company immersed in technology lives and breathes in a world where an enormous amount of information is both available and exchanged every minute. While this allows companies to compete on a larger scale, it also raises the stakes, demanding a new level of best practice for a number of processes, including information handling and protection.

As a growing SaaS company, we knew we faced the same data handling challenges as other corporates in the tech and finance spaces, competitors included. With a goal of always staying ahead of the curve, we also knew that information security was an area we wanted to focus on.

In an effort to further that goal, and to continue our commitment to excellence, we decided to certify our information security management against ISO/IEC 27001:2013. What's more, we knew that obtaining the certification, to a level beyond what many other companies choose to pursue, would have a positive impact in a number of ways:

1) It drives clear, crisp communication around our information security enterprise-wide:

As part of the certification process, leadership's commitment to information security management is assessed: whether the standard's requirements are built into day-to-day business processes, communicated to team members, and backed by resources for learning more. In this way, the certification ensures that the key implementation stakeholders, as well as the rest of the organization, understand what the company is being held accountable for, how it is being benchmarked, and who they can go to with questions.


2) It elevates safeguards and protection efforts to spaces beyond the data center:

While we have always had extremely stringent data protection policies for our data centers, the certification acts as a double check on processes beyond those walls. It covers areas such as segregation of duties, business continuity, disaster recovery and documentation. Not only does this ensure there is a communicated plan in case something goes awry, it also acts as a catalyst for periodic discussions around responsibilities, updates and accountability.


3) It reinforces our commitment to maintaining excellence:

While the certification does require a certain amount of preparation (a self-assessment, organizing the documentation, and so on), it provides a clear set of requirements that supports continuously strong information security habits. In other words, it goes beyond following best practices to performing as close to optimally as possible.


What exactly is the ISO/IEC 27001:2013 certification?

In a 2014 CIO article, Steve Durbin, managing director of the Information Security Forum (ISF), called for companies to “…make positive security behaviors part of the business process, transforming employees from risks into the first line of defense in the organization’s security posture.” For us (and many companies like us), the ISO/IEC 27001:2013 is an effective step towards getting there.

ISO/IEC 27001:2013 is an international standard, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), that specifies the requirements for an information security management system. Certification is earned by demonstrating to an accredited auditor that the organization meets those requirements. In short, ISO describes the standard as one that “…will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.”

The standard's requirements center on establishing, operating, monitoring and continually improving an effective Information Security Management System (ISMS): a well-defined set of processes and procedures for identifying risks to information assets and deciding how to treat them. Its Annex A lists 114 reference controls, grouped into 14 domains, against which the organization's chosen controls are compared.

ISO itself does not issue certificates. Accredited certification bodies, such as BSI Group, audit the ISMS and award the internationally recognized certification.

“Information is critical to the operation and, in extreme cases, to the survival of your organization,” BSI explains in its “Information Security Management” brochure. “Using an Information Security Management System (ISMS) and certifying it against the ISO/IEC 27001 will help you to manage and protect your business information.”

Getting ISO/IEC 27001 certified isn't the simplest of tasks. There is preparation, communication and ongoing maintenance involved in ensuring a strong and evolving ISMS; an ISMS is audited on a recurring cycle, not certified once and forgotten. But for us (and many companies like us), this was another way to prove our commitment to our partners and to take another step in our continual pursuit of excellence, both internally and with our customers.

For more information on ISO/IEC 27001:2013, visit www.iso.org.