Exadel recently passed an audit to be certified for its information security management system (ISMS). We should receive the formal ISO/IEC 27001:2013 certificate by the end of April.
About Information Security
Information security is the defense of information-related business assets against threats, including:
- Unauthorized access to personal information
- Disclosure of confidential information
- Losses due to fraudulent activities
An information security management system (ISMS) is a consistent, comprehensive approach for protecting an organization's information assets throughout the organization. Given how critical information assets are to any business in today's globalized digital economy, a proper ISMS is essential for any company.
The International Standards Organization (ISO) provides a formal blueprint called ISO/IEC 27001:2013 for creating the best possible ISMS. We used this standard to raise the level of our ISMS to the highest possible level. Now, the ISO has certified this accomplishment for Exadel.
What This Means for Exadel
Our ISO-certified ISMS provides many benefits. Inside the company, we use the best practices and processes from the standard to reduce the cost of security incidents and to maintain a secure company culture. Externally, our ISO security certification tells potential clients that their assets are safe with us, and that we are a company that can be trusted because we systematically follow recognized standards in how we run every aspect of our business. This certification distinguishes Exadel as a member of a very select group of companies.
The Road to Certification
ISO 27001 certification is a long and labor-intensive process. More than 100 separate technical, management, and organizational security controls have to be implemented to varying degrees, based on the results of a risk analysis.
Exadel succeeded in this process because of these key factors:
- Close participation by top-level management
- Starting out from the beginning with a proper setup including (1) organizing a core IS team as part of a more broadly based IS committee and (2) treating all certification activities as part of a formal project with all the aspects of any other client project (budget, deadlines, responsibilities, etc.)
- Involving a professional IS consultant in establishing processes
Of course, along the way, there were some more light-hearted moments. One required exercise was demonstrating the secure destruction of some physical media (in this case, broken hard drives). Some of our staff members got to run out to a nearby forest, hammers in hand, to do their part for ISO certification.
Many thanks to Alexey Evmenkov, our information security consultant on the project, who provided information for this article.