While the number of cyberattacks was already increasing before the COVID-19 pandemic, this trend was exacerbated by the significant shift to remote work and by reduced budgets for information security and privacy projects resulting from the pandemic's economic impact. On top of this, increasing regulatory requirements put pressure on companies to have the information security and privacy controls necessary to ensure that their data is protected. Some government agencies are also pursuing enforcement efforts to ensure compliance with these regulations, emphasizing corporate responsibility, and any violation can carry enormous fines for non-compliance.
For these reasons, safeguarding company information against increasing cyberattacks and data breaches is becoming more complex, requiring systems, tools, and experienced personnel. However, merely having the resources does not guarantee success. Organizations need to keep up with the requirements by regularly reviewing the security controls in place and making information security and privacy an essential aspect of the organization's business processes, especially as they apply to third parties.
A foundation of trust
Customers demand transparency from their third-party vendors about their information security and privacy programs as a foundation of trust. This enables organizations to make better decisions about their business and security priorities, and be comfortable knowing that their data is protected and secured. However, it is not sufficient to rely on vendor representations alone.
Customers need reliable evidence that the vendor can protect the data entrusted to it by having the appropriate controls and measures and an effectively operating information security and privacy program. While audit clauses in the contract often cover these obligations, enforcing those terms is costly and requires expertise. Most vendors can barely meet requirements beyond these contractual terms because of the commitment, internal expertise, and investment required.
Customers must be able to rely with confidence on independent, third-party assessments of the vendor's claims to ensure that the vendor has the appropriate technology, tools, and processes to protect the security and privacy of their data. Own is reinforcing that trust by committing itself to implementing the highest standard of information security and privacy controls to protect customer data, and by obtaining ISO/IEC 27001:2013 and ISO/IEC 27701:2019 certifications.
What are ISO/IEC 27001 and ISO/IEC 27701?
ISO/IEC 27001:2013 is an international standard on how to manage information security. It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. ISO/IEC 27701:2019 is a privacy extension to ISO/IEC 27001.
The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls that reduce the risk to the privacy rights of individuals. In other words, these frameworks enable organizations to manage the security and privacy of data and other sensitive information entrusted to them by third parties.
ISO 27001 requires certifying organizations to implement an information security management system (ISMS): a documented management system that demonstrates management's commitment to protecting the confidentiality, integrity, and availability of information assets from threats and vulnerabilities.
Some of the key requirements of the ISMS include: (i) examination of the organization's information security risk management policies and processes; (ii) design and implementation of coherent and comprehensive information security controls, together with risk treatment procedures (such as risk avoidance, risk transfer, or risk acceptance) to address identified risks; and (iii) implementation of continuous monitoring processes and controls to ensure that the organization meets its information security needs.
ISO 27001/27701 certification is obtained through an extensive audit of the organization's ISMS to ensure that it meets the requirements of the standards. It is an arduous process involving three audit stages, with the objective of independently testing the ISMS. The audit includes a review of control implementation, documented policies, and procedures against the frameworks' requirements. Passing the audit results in the ISMS being certified compliant with ISO/IEC 27001. But obtaining the certification is just the beginning of the journey. Certification is a continuous requirement that involves follow-up audits to confirm that the organization remains in compliance with the standards' requirements and to guide the organization in maturing its security program.
What do these certifications mean for customers?
Own continues to invest in improving its information security and privacy posture so that we can help our customers meet the latest compliance and regulatory requirements. Certifications such as ISO/IEC 27001:2013 and ISO/IEC 27701:2019, on top of independent audits of our information security and privacy programs, ensure that Own's security controls are tested and validated to operate in line with the highest standards in the industry.