Written by Maria Hovila, CISO at eMabler.
I am proud to announce that we are now ISO 27001 certified, demonstrating our commitment to compliance and cybersecurity.

What is ISO 27001?
ISO 27001 is a globally recognized standard for information security management systems (ISMS). It provides a structured approach to safeguarding sensitive company information, ensuring its confidentiality, integrity, and availability. Securing ISO 27001 certification reflects our steady commitment to safeguarding our data assets and instilling confidence in our customers regarding our security practices and service continuity. Examples of the security controls addressed include access management, cryptography, supplier management, security awareness, software development, business continuity and disaster recovery plans.
Additionally, being certified against the selected standard demonstrates that eMabler has implemented the required security controls and is officially following them as part of the daily work.
These certifications are granted by an external certification body after an extensive audit process conducted by a third-party auditor. In eMabler's case, the external audit was performed by DNV, one of the world's leading certification bodies.

Why did we pursue ISO 27001 certification?
Our customers, especially larger ones, often require software suppliers to be ISO 27001 certified as part of their risk management strategy. Achieving ISO 27001 certification not only positions our organization favorably in the market but also enhances its appeal to a broader corporate audience. Our platform is business-critical to our customers and ISO 27001 will help us to identify risks and opportunities and plan corrective actions to improve the reliability of our service. Additionally, adherence to ISO 27001 aligns with GDPR and other regulatory standards, ensuring compliance across all aspects of our business operations.
What does this mean for you, our eMabler customers?
✅ Enhanced Reliability: Our ISO 27001 certification ensures an Information Security Management System (ISMS) that protects your data from unauthorized access, modification, or loss. It continuously identifies and mitigates risks, ensuring top-level security.
✅ Trust and Transparency: Your data is secure, and you can count on our compliance with the highest standards. Partnering with a certified provider like eMabler provides peace of mind, knowing your data is in secure hands. Our ISO 27001 certification demonstrates our commitment to data security; this certification is recognized internationally, further boosting confidence among your clients and stakeholders.
✅ Strategic Competitive Advantage: Data security is crucial. Choosing eMabler showcases your commitment to high standards in data protection, giving you a competitive edge and attracting more business opportunities.
How does it impact eMabler employees?
The success of the ISO 27001 project hinges on the collective efforts of our entire team. During the process of implementing the ISMS, we conducted training sessions covering security protocols, best practices, and individual responsibilities related to company information security.
✅ Enhanced security awareness: Employees receive regular training and updates on information security best practices, helping them understand the importance of protecting sensitive data. This leads to a more secure work environment and reduces the risk of data breaches.
✅ Clearer roles and responsibilities: The implementation of ISO 27001 often involves creating clear guidelines and procedures for employees, reducing confusion and ensuring accountability. This can lead to increased efficiency and productivity.
✅ Potential for career development: The emphasis on continuous improvement and opportunity to learn can lead to personal and professional growth. Employees may have the chance to acquire new skills and certifications, which can enhance their career prospects.
Here is a summary of the journey towards ISO 27001 certification and some lessons learned:
The journey to certification

The journey to ISO 27001 certification was both challenging and rewarding. Here are some key steps we undertook:
Gap analysis: We began with a thorough assessment of our existing security practices against the ISO 27001 requirements. This helped us identify areas for improvement.
Governance: The CISO (Chief Information Security Officer) was appointed, the InfoSec Team was established, and it was communicated to everyone at eMabler why eMabler was implementing the Information Security Management System and how it would affect the employees, the customers and the organization as a whole.
Risk assessment: A comprehensive risk assessment was conducted to identify potential threats and vulnerabilities, including penetration testing. This allowed us to prioritize our security measures effectively.
Policy development: We developed and implemented a suite of information security policies and procedures tailored to our organizational needs. These policies serve as the foundation of our ISMS.
Training and awareness: Engaging our employees was crucial. We conducted training sessions to raise awareness about information security best practices and the importance of compliance.
Implementation of controls: Based on our risk assessment, we implemented various technical and organizational controls to mitigate identified risks. This included enhancing our network security, access controls, and incident response procedures.
Internal audits: Prior to the external audit, we conducted internal audits to ensure our ISMS was functioning as intended and to identify any areas needing further improvement.
External audits: We engaged an accredited certification body to conduct the external audit. Their thorough evaluation confirmed that our ISMS met the ISO 27001 standards.
Certification: It took about a month after the external audit before we received the official certificate.

Lessons learned
Stakeholders' commitment
Before seeking certification, discuss your organization's goals with top management, business owners, technical staff, and employees. Their commitment is crucial, because certification requires effort, time, and money. Once you have their support, you can move forward confidently. At eMabler, both founders were part of the InfoSec team.
Management and leadership
Implementing the ISMS meant steering the organization through a major change, and that requires combining the strengths of both management and leadership skills.
We needed both the technical skills to manage projects, make a plan, nominate responsible owners and oversee deliverables, and the interpersonal skills to communicate a vision, inspire action and empathize with concerns.
Define the Scope
Start defining the scope of your certification while engaging with stakeholders. ISO 27001 allows you to certify all or part of your organization. A broader scope means more work, so start where security management needs the most improvement, such as the processes supporting a product, service, or business unit. You can extend the scope later if needed.
Expect challenges:
Increased workload: Initially, there may be a learning curve as employees adapt to new procedures and security measures and contribute to the implementation of the ISMS.
Stricter compliance: Employees may need to adhere to stricter guidelines, such as password policies and access controls, which can be perceived as burdensome.
Potential for increased scrutiny: Employees may feel more closely monitored, especially during audits and assessments. If employees are not told, for example, why vulnerability scans are needed or why company-owned devices such as their laptops must run device management tools, they might think the IT department can see their private messages or photos, which is certainly not the case.
Begin documenting immediately!
A significant portion of the ISO 27001 standard is about documentation. You need to record your security management requirements, processes, policies and have adequate documentation and evidence to show that you are adhering to these requirements. Therefore, it is crucial to start documenting every meeting, decision, gap analysis, and identified risk right from the start of your certification journey. This documentation will prove that you have been consistently working towards certification and will also make it easier to trace your improvements. The auditor will definitely take note of this.
Choose the right controls for your needs:
The ISO 27001 standard has two parts: the clauses and the Annex A controls. You can implement both, only some of the Annex A controls, or a different set of controls. This flexibility allows you to choose the controls relevant to your operations. Nevertheless, you must justify your choices and exclusions. Clearly defining your certification scope and organizational context is crucial.
There is always room for improvement
When planning your certification journey, remember that perfection is not required. Instead, focus on continuous and holistic improvement, considering the relevant risks and threats. Security controls should be defined and in use, but they need not be perfect. Actively manage your security processes, including ongoing improvement and mitigation of deficiencies. Identifying gaps and risks and addressing them will help you achieve certification.
It is ok not to know everything
If you realize that time is running out, that your organization lacks some competences, or that there is no time to learn by yourself, do not hesitate to ask for help! We had a great cooperation with Public Cloud Group. Their expertise made this journey not just smooth but also rewarding.
Looking ahead and gratitude
Achieving ISO 27001 certification is not the end of our journey; it is just the beginning. We are committed to continuous improvement and will regularly review and update our ISMS to adapt to the evolving threat landscape. Our goal is to foster a culture of security awareness and resilience throughout the whole organization.
In conclusion, I would like to extend my gratitude to everyone involved in this project. Your hard work and dedication have made this achievement possible. Together, we are not just protecting our information; we are building trust with our clients and stakeholders.
Thank you for being part of this journey with us!
