CEO Interview on ISO 27001 Certification
ISO 27001 is the auditable, international standard that defines the requirements of information security management (ISM).
XMLdation received ISO 27001 certification in December 2022. Our work with international banks and clearing systems means that information security is a fundamental requirement. Protecting the confidentiality, integrity and availability of data is vital for our continued success and growth.
Tricia Balfe, CEO of XMLdation, talks about why XMLdation embarked on the ISO 27001 “journey”, what it was like, and most importantly, what it’s done for the company and our clients.
Anyone who knows about ISO certification understands it’s a lot of work, isn’t it?
Yes, absolutely, but it’s very good work – you’re really looking at every part of your organisation to confirm, are you really keeping your information protected? We have a SaaS product where we house client information, so it’s critical that everything is secure. We’ve closely looked at everything our organisation does that might impact the information we hold.
That sounds like a holistic exercise …
Absolutely! You’re looking at everything across the company, like development team practices, customer support practices, software security, third-party suppliers – all sorts of things, many different aspects.
Why did the Company decide to go for the certification?
For one, it’s very important for our clients, who rightly expect a high level of attention to information security. But we also have ambitions to grow, so from a strategic perspective, getting the certification is very important for being able to scale with minimal business risk – it’s a key part of our foundation for growth, and the certification will allow us to deliver even more important services to our clients.
ISO 27001 is about information security – what risks are particularly relevant to XMLdation?
What we consider most of all is keeping data safe, because any data breach would be very damaging to our clients and to us. It’s about ensuring there are no cracks – and if there ever were, that we can mitigate and minimise any impact of an incident.
What is the impact of ISO certification on product development?
As part of the certification process, we looked at our development practices and asked, are we following best practice in the programming of the product, with security baked in?
For example, it’s become very important that you’re protected against new vulnerabilities, like those that can emerge in software libraries. There was a classic case, around a year ago, with “Log4j”, when a vulnerability was found in this very commonly used library. As a result, you need a process to continually make adjustments to your product, and the development team has to be very aware that they have to keep the software up to date, and use the most recent versions of any components we use.
For us, the ISM system we’ve introduced has been integrated as part of the development process.
So ISM (Information Security Management) is part of the development process …
Yes, it’s absolutely a part of the development process, but I’ll also mention something else that’s important, like phishing attacks. People can target developers or others in the organisation to get their credentials so they can access your systems. That’s a very important attack vector that we need to be constantly aware of, and the whole organisation needs to be very savvy about these sorts of attacks, and be prepared.
How do you get started with the certification process? As CEO do you just say, “Do it”?
We got started by identifying a consultant who had been a CISO for many years, had worked in organisations similar to ourselves, and who knew how to scale the ISO 27001 project for us in the right way. Together we went through some good thinking on information security, and worked to identify the path for XMLdation to “do” 27001 and implement good ISM processes. But to be clear, we did the work – it was a team effort, and that’s very important, because you need to ensure that you don’t just end up with an “overlay” of processes. The ISM approach has to be baked in, as I’ve said before. And it’s about engaging the people “doing the doing”.
But we had good and practical guidance. And I recommend that approach.
What were some of the key work streams?
A few things come to mind –
First was doing a risk analysis on all the assets of the Company, which in our case starts with the XMLdation Service, which is cloud-based. And these cloud solutions are highly complex – you’re running applications on top of complex infrastructure, managed by a third party, and there’s a lot of security that you need to look at there, like firewall management, the encryption of data at rest and data in flight … all sorts of considerations. Working through a risk analysis for those assets takes time, and involves quite a bit of thinking, involving quite a few people.
Next, we looked at other Company assets, like anywhere information is stored – laptops, and mobile devices such as phones (people have information on their phones!), your CRM (customer relationship management) system, any cloud or other file-sharing system you’re using, where you store code for your software, lots of things to look at!
Finally, it took time to cover in detail all aspects of our Company security policy, to ensure the policy makes sense and matches what our organisation actually does.
Last point – make sure that what you’re doing is real – that means, it has to be relevant to your business and risk profile. You can download a policy from somewhere, and it’ll look great, but you have to make sure that it’s authentic, and suitable for your operations. Or you won’t be credible.
What did you like about the certification process?
I think we’re now even better organised, and the process has increased our overall business awareness and made us a stronger Company. So, I like that!
Yes, it’s certainly a lot of work, but even so, as CEO, I have no complaints. You know, we were already doing an awful lot of the things that are required for ensuring information security, for many years, as you would expect. But this project was about having an overall framework where everything fits. And that then becomes easier to manage.
And the structure of ISO 27001 was helpful. You shouldn’t go around trying to re-invent the wheel.
Has the certification process had an impact on your Company strategy?
It’s very important for our strategy. We need to demonstrate that we address the concerns of our clients very well – that’s critical for what we do currently for our clients, but also, we would like to do more, and manage more important business processes on behalf of our clients.
I think the certification process creates a competitive advantage for us. We’re becoming a bigger Company, and we need to build the processes that a larger company needs to have in place.
Any concluding thoughts?
Well, generally we are really pleased with how this has gone! It’s a lot of work, but the whole team would agree that it’s beneficial. And that’s great – I’m really glad that we’re doing things where people can see and experience the benefit, so it’s not just a paper exercise. We have a great level of buy-in!