Zai has achieved ISO/IEC 27001:2013 certification in just six weeks. Here we explore what was involved in the auditing process and how to get started with your own information security management system (ISMS).
What is ISO/IEC 27001:2013?
ISO/IEC 27001:2013 is the most widely recognised international standard for information security management systems. It specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS: the policies, processes, people and controls an organisation uses to protect assets such as financial information, intellectual property, employee details, and information entrusted to it by third parties. The standard's mandatory requirements sit in clauses 4 to 10; Annex A lists 114 reference controls (in the 2013 edition) from which an organisation selects, and justifies, the ones needed to treat its identified risks. ISO/IEC 27001:2022 has since replaced the 2013 edition, and certification bodies allow a transition period for existing certificates.
An effective ISMS also helps an organisation demonstrate compliance with legal, regulatory and contractual obligations. Control A.18.1.1 requires those obligations to be identified and documented, which is why ISO 27001 evidence is often reused for regimes such as the Sarbanes-Oxley Act's IT general control requirements.
Why did Zai choose ISO 27001 certification over SOC 2 accreditation?
There is no easy answer when deciding which standard is better - ISO 27001 or SOC 2. Both have their pros and cons, and the best option for your organisation will depend on your specific needs and requirements.
Firstly, ISO 27001 is an international standard, certified by accredited certification bodies around the world, while SOC 2 is an attestation framework defined by the American Institute of CPAs (AICPA) and reported on by licensed CPA firms, so it is most recognised by US customers. Secondly, ISO 27001 sits within a family of supporting standards (ISO/IEC 27000 for vocabulary, 27002 for control guidance, 27005 for risk management, 27701 for privacy), whereas SOC 2 stands alone on the AICPA Trust Services Criteria. The result is that an ISO 27001 ISMS can be extended along established lines as requirements change, while a SOC 2 program is shaped by the criteria categories selected for the report.
Finally, ISO 27001 is built on risk management: the organisation assesses its own risks, selects controls to treat them, and records the choices in a Statement of Applicability, so the control set is tailored to the risks actually identified. SOC 2 is built on control criteria: the organisation is assessed against the Trust Services Criteria for the categories it includes (Security is mandatory; Availability, Processing Integrity, Confidentiality and Privacy are optional) and must show controls that satisfy each applicable criterion.
Although both are well-recognised, SOC 2 is more prevalent in the United States. A SOC 2 Type II report is also a different artefact from a certificate: it describes the controls in detail and tests their operating effectiveness over a review period (typically 3 to 12 months), and customers read the full report under NDA, whereas ISO 27001 certification yields a certificate and scope statement backed by the auditor's confidential findings. This makes SOC 2 the more common expectation for organisations selling into the United States, while ISO 27001 is more widely recognised internationally, making it the stronger choice for businesses expanding beyond the US into global markets.
What is the difference between certification and accreditation?
Certification is the provision by an independent body (a certification body) of written assurance, in the form of a certificate, that a product, service or management system meets the requirements of a specific standard. For ISO 27001, the certificate states the scope of the ISMS that was audited; a practical check when reviewing a partner's certificate is to confirm that the scope covers the services you actually consume.
Accreditation is the formal recognition, by a national accreditation body, that a certification body is competent to certify against a given standard (for management system certification, competence is assessed against ISO/IEC 17021-1). Examples of accreditation bodies are JAS-ANZ in Australia and New Zealand, UKAS in the United Kingdom and ANAB in the United States. So an organisation is certified, and its certification body is accredited. A certificate issued by an unaccredited body carries far less weight, and accreditation bodies publish registers that let you verify a certification body's status.
What are the benefits of ISO 27001 certification?
Risk management is an essential aspect of any business, and ISO/IEC 27001:2013 provides a framework for implementing an effective information security risk management process.
In today's increasingly regulated world, certification to ISO/IEC 27001:2013 can give businesses a competitive edge, and it is worth considering for any business looking to improve its risk management practices.
Implementing an ISMS helps organisations manage their information security risks in a structured and systematic way.
Moreover, certification to ISO/IEC 27001:2013 can assure customers and other stakeholders that a business is committed to managing risks effectively.
The benefits of ISO 27001 certification fall into three main categories: improved security, improved business performance, and improved relationships.
In terms of improved security, ISO 27001 certification can help organisations protect their information from accidental loss and deliberate attack.
In terms of improved business performance, ISO 27001 certification can help organisations improve their efficiency and respond more effectively to opportunities and threats.
Finally, in terms of improved relationships, ISO 27001 certification can help organisations build trust with their partners and customers.
The certification audit itself is also valuable: it gives an organisation an independent view of how well its ISMS performs and where it can be improved.
One of the priorities for Zai in 2022 is growth through partnerships. Having ISO/IEC 27001:2013 certification demonstrates that Zai, as an organisation in the fintech space, is proactive regarding data security threats and that we employ best practices to minimise such threats.
It will also assure our future partners, customers, and investors that, right from the beginning of our partnership, they are dealing with a company with a mature risk management program in place and that their security concerns are our security concerns.
This makes the beginning of 2022 a perfect opportunity to strive for ISO 27001 certification.
What's involved in the auditing process?
An ISO 27001 certification audit is a comprehensive assessment of an organisation's ISMS, conducted by an accredited certification body against the requirements of ISO/IEC 27001. Its purpose is to establish that the ISMS conforms to the standard and is operating effectively. Initial certification is done in two stages: a Stage 1 audit (mainly a review of the ISMS documentation and readiness) and a Stage 2 audit (evidence that the ISMS is implemented and effective). The certificate is then valid for three years, with surveillance audits in years one and two and a recertification audit in year three. Audit duration is set by the certification body from the number of people in scope and the complexity of the ISMS, so larger organisations should expect more days than the plan below.
Auditors usually share the audit plan well in advance, with the agenda items to be covered each day. A typical three-day plan looks like this.
1st day of the audit
Auditors go through the whole ISMS at a high level and cover clauses 4 to 10 of the standard: context of the organisation, leadership, planning (including the risk assessment and risk treatment), support, operation, performance evaluation, and improvement. Depending on your scope and time permitting, the auditor may start on the Annex A controls, but these are most likely kept for days two and three.
At the end of day one, auditors may share preliminary feedback on the ISMS implementation in your organisation.
They may also flag weaknesses which, unless evidence is produced, are likely to be raised as nonconformities on days two and three. Treat this as a to-do list for the evening: gather the missing records before the relevant Annex A control is examined.
2nd day of the audit
Day two is typically where the detailed work happens: a review of the organisation's policies, procedures and controls against the Statement of Applicability, interviews with control owners, observation of work activities, and sampling of records to test that controls operate as described (for example access reviews, change tickets, backup and restore logs, incident records, and supplier assessments).
At the end of day two, auditors consolidate the findings so far into a draft: observations, opportunities for improvement, and any nonconformities, classified as minor or major. Note that a certification auditor may point out where the standard is not met but will not design the fix for you; under the accreditation rules the certification body must not act as a consultant to the organisation it certifies.
Organisations should address all findings in a timely and effective manner. A major nonconformity must be corrected, with evidence, before a certificate can be issued, while minor nonconformities usually need an accepted corrective action plan whose implementation is verified at the next surveillance audit.
3rd day of the audit
On day three, auditors usually revisit all minor and major nonconformities and any opportunities for improvement raised on days one and two, to check what has been corrected and what remains open.
Auditors give an exit briefing at the end of day three, walking you and your team through the final report: the conformity status of each clause and Annex A control audited, the nonconformities and their classification, and other significant observations. The written report follows from the certification body, and the certificate is issued only once the certification decision, which is made separately from the audit team, confirms that nonconformities are closed or have an accepted action plan.
What steps do you need to take to get started with your ISMS?
If you are considering implementing an ISMS in your organisation, there are several steps you can take to get started.
The first step is to define the scope of your ISMS (which parts of the organisation, which locations, which systems and services) and then identify the information security risks within it. The risk assessment should consider threats such as data breaches, cyber-attacks and unauthorised access to sensitive information, and rate each risk by likelihood and impact against criteria you have agreed in advance.
Once you have assessed the risks, you need a risk treatment plan for managing them. This may involve implementing technical controls such as firewalls, endpoint protection and access control; organisational controls such as regular risk reviews and employee security awareness training; and documenting, in the Statement of Applicability, which Annex A controls you have selected and why any have been excluded. Before the certification audit you must also have run at least one internal audit and one management review, since auditors will ask for the records of both.
Finally, you'll need to engage an accredited certification body whose auditors will assess whether your ISMS meets the requirements of ISO/IEC 27001:2013. With proper guidance and support, certification within a year is a realistic target; how long it takes depends mostly on the size of the scope and how much of the ISMS already exists in practice.
Any organisation that wants an ISO 27001 certificate will need to undergo an external audit by a certification body. The process can be daunting, but it doesn't have to be.
Here are some lessons we learned while recently undergoing the ISO 27001 audit:
One of the most important things to remember is that the auditor isn't there to catch you out. They're there to establish, with evidence, that your ISMS conforms to the standard.
Be open and honest with them, and allow them access to all the documentation and records they need to carry out their audit.
Another critical lesson is to allocate enough time for the audit process. It's essential to allow plenty of time to prepare and respond to any issues that the auditor raises. If you try to rush through it, you're more likely to make mistakes.
Finally, remember that the certification body's only job is to establish that your ISMS, within its stated scope, meets the requirements of ISO 27001. They aren't assessing other aspects of the business, such as company finances. As long as you can demonstrate conformity with records rather than assurances, you'll pass the audit.
By following these lessons, your organisation can navigate the ISO 27001 audit process and achieve certification. With the proper guidance, preparation, and commitment from the leadership team, you can ensure that your ISMS meets the requirements of this critical standard.
What's next for Zai?
After successfully implementing our ISMS and achieving ISO/IEC 27001 certification, we will now seek ISO/IEC 27701 certification in early 2023. ISO/IEC 27701 extends ISO 27001 and 27002 with requirements for a privacy information management system (PIMS), so it builds directly on the ISMS we already have. We hope to use it as an opportunity to further improve our privacy governance practices on the solid foundation we have already established.
To find out what Zai can do for your business, get in touch with our sales team.