Our Integrated Management System Receives the ISO 27001 Certificate

August 21, 2015 Krzysztof Piskorski

‘ISO 27001 on board’ read an e-mail recently sent to us by Tomasz Watras, our IT Quality Assurance Manager. This short headline was the culmination of a long road that started back in April last year. After some cheering, the only thing left was to wait a bit for the certificate to arrive – and to let you know!

For most people working outside of IT, the term “security breach” brings to mind an image of a malevolent hacker or a hidden software vulnerability. However, security experts agree that software and hardware are only part of the issue.

In fact, most breaches happen due to human error or poor IT culture. The “2014 Cyber Security Index” study by IBM showed that human and organizational errors were an important part of 95 percent of IT incidents!

That’s why more and more businesses see the importance of proper policies and a strong business culture. We’ve experienced it firsthand. We’ve seen software development brands focused only on delivering value make way for a new breed of companies, like ours, that also put strong emphasis on providing the best possible quality and security.

To take another step in this direction, we decided to create a leading IT security management system for our company and put it through both ISO 9001 and ISO 27001 certification. The system passed its ISO 9001:2007 audit in December 2014, and now ISO 27001:2013 is ours as well.

So, what is ISO 27001:2013?

In short, it’s a standard for information security management systems. Organizations that meet it can receive the corresponding certificate after an independent audit.

ISO 27001 is well established and has a long history. The basic components of ISO 27001:2013 reach as far back as 1995, when a British government agency published one of the first standardized codes of practice for information security management, BS 7799. Over the years it evolved to eventually become ISO 27001, whose latest revision is called ISO 27001:2013.

So, how can a set of rules written back when HTML was still a novelty and Windows NT 3.51 was the cutting edge of technology be relevant today? It’s simple! ISO 27001:2013 is almost entirely technology-agnostic. It calls for the procedures and policies required for safe handling of data, without pointing to any specific hardware or software solutions.

This includes:

  • Risk assessment and management procedures
  • Rules for handling IT-related incidents
  • General security requirements
  • Personnel and physical security regulations
  • Operational continuity
  • Change management
  • Information classification
  • Disaster recovery procedures
  • Backup policy and more

It doesn’t matter which software or hardware is used. What matters is the result: a safe workplace where every bit of data is handled like a valuable, confidential asset, while at the same time being available to anyone who genuinely needs it. Thanks to this approach, it’s safe to say that ISO 27001 will be just as relevant in ten years as it is today.

In our experience, what proved to be the hardest change? A strict clean desk policy, which meant that developers used to dwelling in castles made of old print-outs and empty cans had to change their ways and come out into the sunlight. We’re sure it’ll be good for them.

Jokes aside, the ISO 27001 process certainly helped us find many ways to improve our daily work. After all, we didn’t do it to tick another checkbox or to answer prospective customers who had been asking about this certificate (although many had). First and foremost, we wanted to create a more pleasant and secure workplace, where all procedures are clear and where all possible nerve-wracking issues are avoided.

We hope that this certification will provide additional value to our clients, and that the work under our new system will be as pleasant as ever.

After all, as Tomasz put it after we passed our certification:

“Even the best procedures won’t have any effect if we don’t emphasize security in everything we do. Culture eats strategy for breakfast.”