We are pleased to announce that we have successfully passed the audit for ISO 27001 and ISO 27701. We now have confirmation that our information security and confidentiality management system complies with global quality standards. Preparing for the audit took us more than nine months.
What are ISO 27001 and ISO 27701 certifications?
ISO 27001 and ISO 27701 are standards for information security and personal data confidentiality. They were introduced to standardize how controllers and processors of personal data obtain, process and store information.
Each standard contains a list of policies, practices, requirements and controls that must be implemented in the organization. Implementing all of them does not guarantee that the security system has no vulnerabilities, but it does guarantee that the company approaches security systematically and has adjusted its processes to manage the related risks.
According to the standard, the company's information security system must demonstrate its ability to protect the company's information resources.
Incidentally, the ISO 27001 standard (in its general part) contains requirements similar to those of ISO 9001.
The requirements of ISO 27701 are closely intertwined with those of the GDPR, so the ISO 27701 audit demonstrates that Ethicontrol's methods of handling and protecting data are at the appropriate level. We, in turn, were guided by the GDPR when setting our own requirements.
As an example, here are the requirements for documentation alone (with the corresponding clauses of the standard):
- Scope of the information security management system (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Internal audit programme (clause 9.2)
- Logs of user activities, exceptions and security events (clauses A.12.4.1 and A.12.4.3)
What does this mean for our clients?
It means that Ethicontrol will be audited annually by an independent third party (the auditor) for the existence and effectiveness of two systems:
- the information security management system, including a comprehensive information security system;
- the personal data management system and the protection of personal data confidentiality.
In practice, this means that:
- Ethicontrol's information security risks are lower than those of companies that do not address the issue or do not hold the corresponding certification;
- Ethicontrol now has an information security officer and a number of additional controls and security systems (such as a WAF, a web application firewall) and other measures that can sometimes make life harder, including for users of the platform;
- It should be easier for our business customers to persuade their colleagues within their company to outsource a number of business processes to Ethicontrol or to use the platform hosted in our secure cloud;
- The information security departments of our clients have something to read and someone to talk to professionally when necessary;
- Ethicontrol processes and stores personal data in accordance with industry standards and the requirements of the GDPR, especially for cross-border data transfers. That is, customers with divisions in different jurisdictions can be confident about transferring data between them through the Ethicontrol system.
We have also updated our privacy policy. You can read more in the Privacy and Personal Data Policy in the Security Center section of the website.
We have created a separate data room for exchanging security documents with customers, including copies of the certificates and other related documentation. Customers can request access from their account managers.
Photo credits: Tima Miroshnichenko from Pexels
Photo by cottonbro from Pexels