To become ISO 27001 accredited, DEXMA went through extensive company-wide audits and has successfully passed all the necessary stages to obtain the certification. The ISO 27001 accreditation is the assurance that we have achieved a functional, structured, secure and scalable system and that quality and consistency are at the heart of our activity.
In a world of pervasive technology, the security of personal data has become an increasing concern for both individuals and companies.
Therefore, obtaining this certificate allows DEXMA to provide solid guarantees to its clients and partners that data is managed according to international best practices and that the company complies with regulatory requirements such as the General Data Protection Regulation (GDPR). The decision to pursue this accreditation also demonstrates a high degree of awareness, consideration and safeguarding of data-related risk.
What is ISO 27001?
ISO/IEC 27001:2013 is the leading international standard for Information Security Management, against which organisations can be certified. It was first published in 2005 by the International Organization for Standardization and then revised in 2013. This standard provides the route to follow in order to anticipate potential issues and keep data safe. It sets out the requirements for the implementation, operation, maintenance and continual improvement of an Information Security Management System (ISMS).
To meet information security’s main principles, an ISMS is structured around three axes: confidentiality (only authorised people can access data), integrity (data remains accurate and consistent throughout its lifetime) and availability (data and systems are available to authorised people when needed).
Therefore, the ISMS’ main purpose is to systematically reduce data-related risks across the organisation. It is important to highlight that controls should not be limited to IT. They must take various forms, as only the combination of technology, people and processes can provide an acceptable level of security.
In order to mitigate these risks and to increase information security, safeguards such as disk encryption, procedures, legal statements and employee training should be implemented.
The steps to set up an ISMS are the following:
- Identify the threats that could endanger the confidentiality, integrity and availability of information, through a risk assessment. To illustrate, the Magerit risk management framework, adapted to DEXMA, identified 24 potential threats falling under two main categories: “Errors and unintentional failures [E.xx]” and “Deliberate attacks [A.xx]”. In our case, the Magerit information risk threats selected, and to which a risk analysis was applied, were “[E.1] User errors”, “[E.2] Administrator errors” and “[E.3] Login error”.
- Once the threats have been identified, select the appropriate control for each risk you qualify as unacceptable. These controls can include cryptography, communications security, HR security and asset management, among others. (For the complete list, refer to Annex A.)
- Finally, apply a Risk Reduction Factor (RRF), also called Control Maturity Factor, to each control-threat relation. The average value of all individual RRFs related to a specific threat becomes the weighted average RRF that is applied to the inherent risk calculations in which that threat is involved. Thanks to ISO 27001, this process can be done in a methodical and systematic manner, so that nothing is neglected.
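The three steps above, worked through on a small constructed risk register (an added example, not DEXMA’s actual figures or tooling). The Magerit threat ids are the ones named on the page; the 1-5 likelihood/impact scale, the control-to-threat mapping, the RRF values and the residual-risk formula (inherent risk scaled by 1 minus the weighted average RRF) are assumptions made for the demo.

```python
from statistics import mean

# Constructed risk register (example data, not DEXMA's real figures).
# Threat ids are the Magerit ones named on the page; likelihood and impact
# use an assumed 1-5 scale.
THREATS = {
    "E.1": {"name": "User errors", "likelihood": 4, "impact": 3},
    "E.2": {"name": "Administrator errors", "likelihood": 2, "impact": 5},
    "E.3": {"name": "Login error", "likelihood": 3, "impact": 2},
}

# One RRF (0 = no reduction, 1 = threat fully neutralised) per
# control-threat relation. Control ids are ISO 27001:2013 Annex A items;
# the mapping and the RRF values are assumed for the demo.
RELATIONS = [
    ("A.7.2.2 awareness training", "E.1", 0.5),
    ("A.12.3.1 information backup", "E.1", 0.6),
    ("A.12.1.2 change management", "E.2", 0.7),
    ("A.9.4.2 secure log-on", "E.3", 0.4),
    ("A.12.4.1 event logging", "E.3", 0.3),
]


def inherent_risk(threat_id):
    """Risk before any control is applied: likelihood x impact."""
    t = THREATS[threat_id]
    return t["likelihood"] * t["impact"]


def weighted_rrf(threat_id):
    """Average of all individual RRFs related to this threat (0 if none)."""
    rrfs = [rrf for _, tid, rrf in RELATIONS if tid == threat_id]
    return mean(rrfs) if rrfs else 0.0


def residual_risk(threat_id):
    """Assumed formula: inherent risk scaled by (1 - weighted average RRF)."""
    return round(inherent_risk(threat_id) * (1 - weighted_rrf(threat_id)), 2)


def assess(threshold):
    """Per-threat figures; flags residual risks still above the threshold."""
    return {
        tid: {
            "inherent": inherent_risk(tid),
            "rrf": round(weighted_rrf(tid), 2),
            "residual": residual_risk(tid),
            "acceptable": residual_risk(tid) <= threshold,
        }
        for tid in THREATS
    }


if __name__ == "__main__":
    for tid, row in assess(threshold=5.0).items():
        print(tid, THREATS[tid]["name"], row)
```

With these numbers E.1 stays above the acceptance threshold after its two controls, which is exactly the signal that more or stronger controls are needed for that threat.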
Why Implement ISO 27001?
There are many benefits and improvements that come with the application of ISO 27001, among which we can find:
- The Protection of Critical Data: with an ISMS, you reduce the risk that information is used improperly, is inaccurate or is no longer available.
- Compliance with Legal Requirements: you will be assured of staying at the forefront of ever-tightening regulations, including GDPR, NIS (Network and Information Systems) and the rest of the cyber security legislation.
- The Increase of Trust and Loyalty: your clients and partners are reassured that their data is secured and managed according to international best practices.
- The Benefit from an International Reputation: the ISO management standard is recognised worldwide and significantly strengthens your credibility beyond national borders.
- A Tailor-made Certification Suitable for any Organisation: ISO 27001 is suitable for any company, regardless of its sector, size or type, and is customisable to the specific needs of your organisation, hence reducing costs as unnecessary measures and tools are eliminated.
Context & Scope of the DEXMA ISMS
Identifying your company’s context is a requirement under clause 4.1 of the ISO 27001 standard, but it is more than a formality. In order to get a clear understanding of information security related issues (whether positive or negative) and to allocate resources where the best results can be achieved, it was essential for DEXMA to identify its organisational context from both an internal and an external point of view. Internal factors fall under the direct control of DEXMA and included:
- Organisational Structure to help position the ISMS
It included corporate governance, organisational structure, roles and responsibilities and reporting relationships in relation to ISO 27001, as well as the form and depth of contractual relationships with other areas of the company.
- Available resources to guide the development of competencies and solutions
It included expertise and training in terms of resources and knowledge, and the standards, guidelines and management models followed by DEXMA.
- Organisational drivers to develop relevant supports
It included policies and objectives, the strategies established to reach them, and DEXMA’s corporate culture.
- Organisational operations to know how processes are executed
It included information systems, information flows and interfaces.
Although external issues cannot be controlled, the company can adapt to them. External issues affecting DEXMA’s ISMS outcomes included:
- Various factors
The social, cultural, political, legal, regulatory, financial, technological, economic, environmental and market environment at the international, national and local levels.
- Market and customer trends
As trends are constantly changing, they can have an impact on DEXMA’s business objectives. DEXMA must always be on the lookout.
- External relationships
It included relationships with third parties, particularly stakeholders who have their own values, beliefs and perceptions that must be taken into account.
The scope of DEXMA’s ISMS covers the deployment of new and modified programs into the Production environment, and the technical operation of systems and IT management in the Production environment. Finally, the following business processes were included: Information security management (SEC001), Perimeter security (SEC002), IT production (SYS001) and IT deployment (SYS002).
How to Get your ISO 27001 Certification
What are the Steps to Getting Certified?
- Step 1: Preliminary Audit
An optional on-site assessment by the auditors to determine the company’s present situation. This audit compares the security level of your company’s ISMS with the requirements of the ISO 27001 standard, highlighting points of attention and areas for improvement before the next step.
- Step 2: Certification Audit Level 1
This first-stage audit concerns the implementation of controls and procedures according to the requirements of the standard. If non-conformities are found, they will have to be corrected.
- Step 3: Certification Audit Level 2
Should you pass the first phase, the assessor will conduct a more in-depth audit. This second audit evaluates the implementation of the ISMS-related procedures and policies in your company to ensure they comply with the ISO 27001 standard’s requirements. Key members involved in the project will be interviewed.
- Step 4: Certification
Once your company has been successfully audited, it will receive the certification, valid for 3 years, subject to conditions. Indeed, your company must show continuous signs of progress in terms of security and must always remain up to date and compliant with the standard.
- Step 5: Controlling Audits
During the first two years, surveillance audits are carried out in the spirit of compliance and continuous improvement.
- Step 6: Certification Renewal
Before the end of the 3 years, the ISO 27001 certification can be renewed if you wish. To do so, the steps detailed above will need to be repeated.
How Much Does the ISO 27001 Certification Cost?
It is rather difficult to give an exact price for the certification, as it depends on several factors: the complexity of your ISMS, the number of sites, the number of employees, the number of segregated networks, etc.
Generally speaking, the cost is calculated according to the risk assessment conducted, the technology needs and the employees’ time, which is considered the largest source of expense. Although it is important to bear in mind that each case is different and therefore the price may vary, for information purposes this table can give you an idea of the price according to your company’s size.
How Long does the Evaluation Process Take?
The duration of the implementation process varies, as it depends on the size of your company, the complexity of your ISMS, the maturity of your business and how many requirements you already meet. It can therefore take from 3 months for small companies to at least one year for bigger organisations.
What is the Validity of ISO 27001 Certification?
As mentioned previously, once your company obtains its ISO certification it remains valid for 3 years, provided that you pass an annual review.
As you will have gathered, embarking on the ISO 27001 certification process is not an easy task. It can even be quite overwhelming, as the process requires time, money and commitment from your teams.
Not all organisations will decide to take the leap, but if you do, you will enjoy the many advantages this certification brings. If you want more details and information, you can access the DEXMA ISO 27001 Certificate here.
Don’t hesitate to contact us if you need more information.