Our journey towards ISO 27001

January 21, 2016

ISO 27001 is an international standard for information security management systems. We are working towards ISO 27001 certification in an effort to continuously monitor and improve our information security around our application and the data we hold for our customers.

Our first core value at HROnboard is a Disciplined Approach – being masters of our craft and building repeatable engines and processes. For us, ISO 27001 is a natural extension of being Disciplined – “do what you say and say what you do”.

Data security is the most important part of our responsibility to customers at HROnboard. Our robust product and helpful customer support are nothing if we cannot keep our customers’ data safe.


In this article I’m going to take you through the steps HROnboard needs to take to become ISO 27001 certified. ISO 27001 certification will hold HROnboard to international standards of data security, giving our customers the reassurance their data is protected.

HROnboard holds the data of other businesses, which holds us to more stringent security guidelines than holding consumer data. There are already greater data security standards for B2B companies than for B2C companies. An example of the difference is the Ashley Madison hack from last year. Ashley Madison held consumer information and had no legal obligation to be more secure, despite the sensitive information their website held.

We know how important our customers’ data is to them. As we grow, we’re looking at more ways to make our data even safer. Here are the steps HROnboard is taking to reach ISO 27001 certification, to reassure our customers with an internationally recognised level of information security:

Defining the scope of our information security management system (ISMS)

Image source: Pixabay

Every organisation’s information security requirements are different. The first thing HROnboard will need to do is define the scope of our ISMS. Identifying where data enters, is stored when not in use, and how it is manipulated are all parts of the scope that must be included in ISO 27001. It must also be noted that an ISO grade ISMS does not mean an organisation is ISO 27001 certified. An ISO standard system must undergo the ISO 27001 certification process before the organisation can hold the title.


Management and leadership support

The traditional route for ISO 27001 is for a team to create a business case for certification, with implementation commencing after management approval. Everyone at HROnboard supports the pursuit of ISO 27001 certification. Although there was top-down support from the beginning, ISO certification still requires documented proof that management supports the move.

A record of management decisions is another mandatory document for ISO 27001. Proof is also required that managers are designing policy in line with ISO standards, and will maintain those processes into the future.

Securing the inventory of assets


An inventory can be anything from physical stock to a database. The value of the inventory, and which business processes depend on it, must be recorded in mandatory documentation. In the case of HROnboard, all of our business processes depend on the security of our inventory. Every asset in the inventory needs to be recorded, including:

  • Type of asset
  • Location
  • Backup information
  • License information
  • Business value (Which business processes depend on the inventory)

Although transactions through HROnboard are not a physical product, we still regard HROnboard as having an inventory. Tying all business processes back to our inventory will ensure the security of our customers.

Risk Assessment

Anyone in HR or IT will be familiar with risk assessment. The data security measures pertaining to ISO 27001 certification put measuring risk at the centre of safe information systems. A guide needs to be constructed that outlines the appropriate management actions and priorities for managing information security risks. Controls are put in place to reduce risk and to respond to changes happening in the information space.

An example of risk assessment is having employees change their passwords every couple of months. Employee passwords and login practices are one of the weakest barriers against potential breaches. Creating company policy around best security practices encourages employees to change their passwords regularly and keep their user accounts secure.

Statement of Applicability

Image source: Jisc

The Statement of Applicability (SOA) lists the information security control objectives and controls. It is the final piece of the ISO 27001 process, being the result of:

  • The selected risk treatments
  • Relevant legal and regulatory requirements
  • Contractual obligations
  • A review of the organisation’s business needs
  • Proof the requirements have been carried out.

The SOA sets the organisation up for ISO 27001 certification and lays the groundwork for the Risk Treatment Plan. The SOA will also be referred to after ISO 27001 certification as the guidelines for staying compliant with the standards established by ISO.

Risk Treatment Plan (RTP)

The RTP is the culmination of the risk assessment step and the Statement of Applicability. The RTP identifies the management actions, resources, responsibilities, and priorities for dealing with information security risks. The methods for risk treatment will be congruent with the SOA, as risk treatment must fall in line with the organisation’s information security policy. Approaches to risk management are context specific to each organisation. We will develop our own strategies that keep the customer information we handle secure.

Mandatory Documentation

Image source: Perspecsys Photos

There are over 15 documents that must be produced for ISO 27001 certification. These range from documentation proving management have developed policy supporting ISO 27001 practices to the RTP that shows how risk will be managed. The inclusion of security metrics has become part of ISO 27001 certification since 2013. Each organisation undergoing certification must include performance evaluation to measure the effectiveness of the proposed information security measures.

The certification process

ISO 27001 certification is performed by an independent third party, not by ISO itself. We will have to engage a recognised ISO certifier to assess our processes and the mandatory documents for ISO 27001. They will ensure our documents cover the necessary areas of ISO 27001 certification and that our proposed practices are of the same standard. Corrective action will be taken on any documents or processes until they are up to the ISO 27001 standard. Even after certification, continuous improvement is required to maintain it. We will need to review and monitor our ISMS on an ongoing basis to ensure it remains compliant with ISO standards. Information security is an ever-changing landscape, and constant changes must be made to minimise risk.

What does ISO 27001 mean for HROnboard customers?

Moving towards ISO 27001 certification will have no experiential effect on our customers. Customers will have the same access to their information that they always had. What will change is the way we assess, monitor and improve our information security processes, meaning all HROnboard customers can be assured we are following internationally recognised standards.