At Fundipedia, the security of our software, infrastructure and your data is a cornerstone of the services we provide. It’s vital to everything we do.
One of the ways in which we deliver a secure product, platform and privacy practices is to implement externally audited standards that ensure trust, control, and mitigate the risk of security breaches.
Our completion of the ISO 27001 demonstrates our ongoing commitment to this promise.
What is ISO 27001?
ISO 27001 is an internationally recognised security standard that provides the specification for an Information Security Management System (ISMS). Based on risk management principles, the ISMS sets out the policies and procedures defined by organisations to keep all the information they hold secure, helps increase resilience to cyber-attacks, and provides a central framework for the management of data and information.
It is an externally audited certification, which requires organisations to present their ISMS framework and evidence records of its use to certified auditors trained in Data Security during a rigorous set of interviews and meetings.
By adopting a systematic approach to security management, a company with ISO 27001 certification is much better prepared to identify, manage and assess the risks associated with the collection, storage and deletion of personal data.
Related content: Fundipedia’s security summary.
What does the ISO 27001 certification involve?
Gaining ISO 27001 certification is not a quick process and requires real commitment from the organisation to put in the hours and resources needed to pass the audit process. In most cases, a large proportion of time is spent creating the required documentation needed for the ISMS. This involves assessing existing processes and infrastructure to ensure conformity to the ISO 27001 standard while still ensuring practical use.
We have also invested a great deal of time in training staff on the ISMS. Gaining certification is not just about having the right documents; more importantly, it’s about creating a company-wide culture where data security is something that every employee takes seriously.
Then comes the audit. The initial audit process for ISO 27001 certification is conducted in three stages:
Internal audit
Before inviting any external scrutiny, companies carry out an internal audit of the system and its day to day use to identify any areas of the standard that are not being met and enact any corrective action needed.
External stage one audit
At this stage, the auditor assesses whether the company has successfully complied with the proposed scope of the ISMS and that the structure of their ISMS fulfils the requirements of the certification standard. It is a constructive audit, showing companies where they may have weaknesses (called non-conformities, which can be major or minor) so they can take any remedial action needed in preparation for the next stage.
External stage two audit
30 days after the stage one audit, a stage two audit is conducted, which takes a deeper look into the processes and procedures the company operates. This audit is conducted to ensure that not only do these processes and procedures conform to the requirements of the standard, but also that they work in practice and are being followed throughout the organisation.
Any non-conformities from the stage one audit are reassessed to ensure corrective action has been taken. If additional non-conformities are found at stage two, they are assessed as to their severity. If they are minor and can be addressed simply and quickly, certification may still be awarded; if the non-conformities are significant, it may require a third audit to satisfy the auditor that their concerns have been addressed.
Why does ISO 27001 certification matter?
ISO 27001 matters for software providers as it shows a clear, strong commitment to data security against international standards. Clients can be rest assured that Fundipedia has a robust approach to keeping our client’s data secure and managing risks with holding the data. The whole company learns about certification and using the ISMS, to ensure high standards of security across the organisation.
However, getting ISO 27001 certification isn’t the be all and end all – it’s an ongoing process. Companies with ISO 27001 in place are checked annually to ensure they continue to use the processes put in place. This auditing cycle ensures that that their data security practices are continuously improving. Companies must also reapply for certification every 3 years.
Ongoing commitment to security and privacy
The ISO27001 certification affirms our commitment to privacy and security and demonstrates that our controls are operating effectively. This strategy includes evaluating industry standards, assessments and authorisations, and targeting compliance with those that ensure a rigorous, flexible, and scalable security and privacy strategy.
We plan to join the Cloud Security Alliance in order to learn, share and take forward best practice. As we continue to grow and expand our reach to onboard customers in the USA, our next accreditation priority is SOC 2.