How to Get ISO 27001 Certification – and What Your Customers Get Too
When I was hired by xMatters, I was given a very specific mission: ISO 27001 certification by March 2020. As an experienced project manager, and knowing that the company already had a robust security framework in place, my obvious decision was to overcomplicate things.
In case you don’t manage privacy and security for a living: ISO/IEC 27001 specifies the requirements for an information security management system (ISMS). It is an information security standard, not a quality standard, and it covers the governance of information assets, including personally identifiable information (PII), corporate security, intellectual property, employee data, and third-party vendors. An ISMS is the collection of policies, procedures, and controls through which an organization manages its information security risk. Certification is issued against a defined ISMS scope, so when you present a certificate to customers (or receive one from a vendor), the scope statement on the certificate matters as much as the certificate itself.
Our customers have high standards for privacy and security, and we have always tried to exceed those standards. By doing so, we provide a better SaaS experience and give our customers a sense of confidence that their assets are safe. We also add value to our products and increase our competitive advantage. To have the best possible experience, our customers also need self-service access to important privacy and security information.
This is no small feat. It requires a careful balance between industry best practices, customer demands, and our strategic goals to create the Information Assurance Portfolio. The IA Portfolio includes two big programs: privacy and security. We chose to manage both projects simultaneously to save time and resources. This is a lot of work, so I suggest you write a project plan and be patient. Doing it well requires extreme attention to detail, and it takes time.
Here are a few suggestions for success, which you will read about below:
- Centralize management of processes and methods
- Work with a subject matter expert
- Obtain evidence of the results of your work that you can show to customers
- Provide self-service access to information
Centralize management of processes and methods
In case you thought privacy and security are the same thing, they are not. Privacy is about how personal data is collected, used, shared, and retained, and whether that handling meets legal requirements and the expectations of the people the data describes. Security is about protecting the confidentiality, integrity, and availability of information, personal or not, against unauthorized access and misuse. Security is necessary for privacy but not sufficient: a well-protected database can still be a privacy failure if the data in it should never have been collected.
Managing many different projects that share the same assets can get unwieldy and lead to mistakes, so we centralized the management of processes and methods to get a more controlled environment and fewer errors. This is what we mean by data governance.
The xMatters Security Program, to be finalized in March 2020, is composed of different projects with the following deliverables:
- ISO/IEC 27001:2013 certification
- Semi-annual third-party audits of security controls
- SOC 2 Type 2 report covering two Trust Services Criteria: Security and Availability
- Maintenance of our EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield self-certification for HR data and client data
Work with a subject matter expert
The main objective of our privacy program is to demonstrate compliance with the most relevant privacy regulations. We hired a third-party subject matter expert to create a comprehensive privacy framework and conduct an eight-week in-depth audit of our documents, tools, website, and systems. The audit assesses our compliance with:
- General Data Protection Regulation – Europe (GDPR)
- Personal Information Protection and Electronic Documents Act – Canada (PIPEDA)
- Australian Privacy Principles – Australia (APPs)
- California Consumer Privacy Act – California, USA (CCPA)
The idea is to grow the scope gradually and start on ISO/IEC 27701:2019 (Privacy Information Management System) next year, as an extension to our ISO 27001 certification.
Obtain evidence of the results of your work that you can show to customers
When the privacy verification is concluded, we will receive an attestation letter from an independent privacy manager, together with the audit results organized as a Privacy Code of Conduct and a set of artifacts that map our compliance to each specific law.
This goes beyond what any of these regulations require, and it gives our customers a sense of confidence.
A third program binds the other two together. We named it FAQ, and its main objective is delivering more information internally and externally. Our Sales and Customer Success teams will have access to both the privacy documents and an internal Security Q&A portal that we are developing.
Provide self-service access to information
We are also creating a public Privacy and Security page where clients will be able to find white papers, artifacts, and documents on our ISO 27001 certification and other privacy and security topics.
This will speed up how quickly we can deliver information and give clients self-service access. We will release white papers, articles, audit summaries, and certifications at planned intervals, both internally and in a new area on the xMatters website. This gives our customers the speed they need when they check on their privacy and security, and shows the transparency that confident, honest organizations practice.
Do you have experience with ISO 27001 certification or other aspects of privacy or security governance? Let us know on social media. If you want a super-secure incident management platform, Get xMatters Free (forever).