Utmost achieved ISO/IEC 27001:2013 certification in August 2020. Below is an interview with Utmost’s Chief Technology Officer, Paddy Benson, on the importance of the certification for customers’ security.
What is ISO/IEC 27001?
Paddy Benson: ISO 27001 is an international certification standard for Information Security Management. It sets out a series of policies and controls that we use to manage the security of critical data assets such as financial information, intellectual property, employee details and most importantly our customers’ data.
This includes a range of areas, but a few examples include:
- Privacy-by-design as a core design principle for our products and services.
- Keeping customers’ data secure.
- Access controls for data and services internally.
- How we grant physical access to buildings.
We perform a comprehensive risk assessment for all aspects of our business and implement controls that remediate any identified risks. Internal audits mean that we are constantly evaluating risk. We commit to continuous improvement and adaptation to maintain information security.
Why is this important?
Paddy Benson: Every major organization has its own security posture to protect its own customers and stakeholder data. So the key question they ask as they adopt a new product is, will it undermine our existing security posture?
Our ISO certification shows that security is at the heart of everything we do and we recognize customer concerns about the importance of their own data. It’s not just about answering a security survey but seriously considering the full security landscape.
What steps did Utmost take to achieve ISO 27001?
Paddy Benson: This was a big team effort across different functions of the business including Finance, IT, Engineering, and Operations. We started by creating an Information Security Management System: a set of policies designed for our business. As part of that exercise, we created a risk register of all the potential risks to information security. We went through each risk and the probability of each risk occurring. Every risk then received a treatment plan and we designed a set of controls to mitigate that risk.
For example, fire safety requires us to create an evacuation policy, appoint fire marshals, put up evacuation signs, and continuously update new joiners on the policies.
After creating these policies, the ISO organization would review the policy, documentation, and check if we are adhering to these policies. While this is onerous for a small company to dedicate time for, at Utmost, we view enterprise-level security as critical to serving our customers.
This is not one-and-done. Information security is a mindset and we continuously evolve to adapt to new issues.