We are proud to announce that Flexiana, with its Clojure developers, meets high security standards and is ISO 27001 certified.
On the occasion of this joyful event, we asked our CEO, Jiri Knesl, some questions about data security at Flexiana.
What does it mean to be ISO 27001 certified? Is ISO 27001 certification mandatory? What are the benefits of ISO 27001 for our customers? What’s next?
ISO 27001, as the most widely used information security certification, is mainly a guarantee that there are one or more people in the company who systematically work to improve risk management and security.
For us, ISO 27001 was a logical next step. We work with health data, financial data, and other kinds of data that are sensitive in their nature. So first, we implemented ISO 31000 and later, when one of our customers came to ask if we could implement ISO 27001, we jumped on and did that. We implemented it in sync with the start of one large project with one of these customers.
ISO 27001 is not mandatory, but it is good to have it in place. When you have customers who have implemented some risk & security management measures, it is better to have similar mechanisms in place too.
Also, it forces us to review our usage of personal data to make sure we are GDPR compliant.
What did the implementation look like?
Everyone’s process is a little bit different. We had ISO 31000 and risk management practices in place long before we started this implementation. For us, it was mainly better documentation of our accesses & policies when we work with data, improvements in our risk management IS, and checking our GDPR compliance.
Now, we are in an ongoing improvement phase and in the future, we will improve our risk & security management even more.
Why does information security matter in software development?
There are multiple reasons, but the two most important ones are related to the importance of software in our lives. First, almost everything has some API now. If you can control it remotely, you could potentially destroy systems, things, or even harm people. Second, there is more and more data on people. Some of this information can be very sensitive, like health or financial information.
What is information security in an organization?
It is a set of policies that describe how we work with information, what the accesses are, where data are located, what happens when people start with us, terminate work with us, when we work with new customers, information, etc.
How does ISO 27001 Certification help to ensure your data confidentiality, integrity, and availability?
All techniques in ISO 27001 have been in place for us in some form before. But during the implementation, we did a cleanup and systematization of our practices. With a better system in place, it is easier to catch gaps in the process, clean up access rights, question data location, copying, etc.
What policies, controls, and processes does ISO 27001 promote?
- Scope
- Policy & objectives
- Risk assessment methodology
- Statement of applicability
- Risk treatment plan
- Risk assessment report
- Roles & responsibilities
- Inventory of assets
- Acceptable use of assets
- Access control policy
- Operating procedures
- Secure system engineering principles
- Supplier security policy
- Incident management procedure
- Information security procedures for business continuity
- Statutory, regulatory & contractual requirements
What was the procedure to achieve ISO 27001?
The general process for achieving ISO 27001 is:
- Defining the scope of the ISMS
- Defining ISMS policies
- Inventory of information assets & defining acceptable use of assets
- Performing risk assessment
  - Risk identification
  - Risk evaluation
- Planning risk treatment
- Management review of ISMS risk treatment
- Performing corrective actions based on risk treatment results
Why are these certificates important for our customers?
They are not only important for our customers but also for our insurance company 🙂 But for our customers, those who have asked for ISO 27001, they all work with health data, financial data, or have customers who work with these kinds of data. Some of them are regulated under HIPAA and all of them are subject to GDPR.
What, in your eyes, was the biggest challenge Flexiana faced?
I think we have managed the implementation quite well. The main issue was that the people who were responsible for the implementation had two more large projects going on at the same time.
How would you say Flexiana addressed this specific challenge and the overall preparation for becoming ISO 27001 compliant?
We had an ISMS in place and we had to improve it. Our company had risk extraction policies; we had to systematize them and make our prioritization more systematic. We had people who could resolve risks, but not enough, so now Flexiana is running workshops on change management, so that more people can help us to resolve risks in parallel.
What other security policies does Flexiana have?
Well mapped responsibilities. Limiting access to information to the bare minimum. Storing most data in the infrastructure of our customers. Having both on-premise and cloud available. Checklists & documentation for activities and responsibilities. Frequent review of accesses and data handling.
How do we achieve agreement with our customers about the implementation of security controls?
We have filled in a questionnaire for our customers, documenting our current and planned policies. All of them were within their needs, so we didn’t have to make any adjustments. As of now, we are rolling out more devices with MDM installed, which is related to their needs.
What is the GDPR-related stuff in ISO 27001?
GDPR is related to personally identifiable information of any person who is an EU citizen. In Flexiana, we store personal data of EU citizens in three different categories:
- Lead generation & customer information
- Website visitor data
- Employee information
Storing & processing information of these categories should be in compliance with GDPR.
In Data Security Everyone Trusts
Our commitment to data security does not end here. Everyone at Flexiana is dedicated to protecting our customers’ data responsibly, and ISO 27001 certification proves it.
Please enjoy a remote coffee with us to discuss a solution for your problem with more ease of mind!