ThousandEyes recently announced our achievement of ISO/IEC 27001:2013 certification for the Information Security Management System (ISMS) supporting our network performance management software-as-a-service application.
Historically, Europe and East Asia have been the leaders in terms of the number of certifications issued, but in recent years, North America has had an increasing share of the world’s certifications. So why is this certification so important for businesses and their customers? Here are five major reasons why ISO 27001 certification matters.
1. ISO 27001 is a reputable, internationally-recognized standard.
Since 1946, the International Organization for Standardization, or ISO, has been issuing standards that govern a variety of disciplines, ranging from currency codes to anti-bribery management systems. Given the scope of ISO’s work, the standards they put forth are recognized and used throughout many different industries all around the world. The ISO/IEC 27001:2013 standard specifically provides requirements for an information security management system (ISMS).
ThousandEyes also complies with other standards such as the US-Swiss/EU Privacy Shield and Trust principles issued by AICPA (American Institute of Certified Public Accountants) and the Canadian Institute of Chartered Accountants. However, ISO 27001 is regarded as the only global security standard, with just under 28,000 certificates awarded in 2015.
2. ISO 27001 sets a security framework and requires implementation of controls.
Even before achieving ISO 27001:2013 certification, ThousandEyes was compliant with the standard and relied on it as a framework for our Information Security Management System (ISMS). The ISO standard is one of several important sources we considered when creating our Unified Security and Privacy Management Framework (USPMF), which governs Information Security and Privacy at ThousandEyes. This is in line with common practices at many other companies; a 2016 Global Report on ISO 27001 by IT Governance Ltd. found that 77% of industry professionals surveyed utilize ISO controls along with those based on other standards and frameworks. Here at ThousandEyes, we take laws and regulations, industry standards, as well as customer requirements into consideration when forming the contents of our USPMF.
3. ISO 27001 establishes a risk management program.
Risk management is an extremely important aspect of every Information Security Management System. The ISO standard specifically revolves primarily around a risk assessment-based approach to security. Once risks are identified in an initial assessment, controls are selected and implemented to mitigate them.
Complying with ISO 27001 requirements for risk assessment also helps us in meeting other standards and regulations, now and in the future. For example, the EU General Data Protection Regulation (EU GDPR), which goes into effect in May 2018, has a requirement for privacy impact assessments. These are meant to identify risks to the privacy rights of individuals whose data is being processed and will be mandatory for companies who deal with the data of residents of the European Union. Since we already employ privacy risk assessments as a part of our overall risk management program as dictated by ISO 27001, we are already compliant and will not have to worry about them once EU GDPR is enforced.
4. ISO 27001 inspires customer confidence.
Achieving and maintaining ISO 27001 certification assures our customers that we see the security of their information as a top priority for our business. According to IT Governance’s survey, 56% of respondents implement ISO 27001 standards in order to gain a competitive advantage, and 71% of respondents receive regular or occasional requests to provide ISO 27001 certification evidence. This is strong evidence of the increasing importance of information security in today’s highly interconnected world. With customers that include 45 of the Fortune 500 and 5 out of the top 6 US banks, it is particularly essential for us to demonstrate compliance with the most rigorous of information security standards.
5. ISO 27001 ensures ongoing compliance and improvement.
In order to maintain ISO 27001:2013 certification, companies must go through an annual external review process and three-year recertification during which they must demonstrate continual improvement of the ISMS. When a new revision of the standard is published by ISO, companies must transition to the new version to retain compliance. These requirements drive our InfoSec team to strive for excellence in maintaining and implementing our ISMS, our executive team to continue its ongoing support of the security function, and the rest of our employees to do their part by keeping security in mind in their day-to-day dealings. It also assures our customers that our commitment to maintaining confidentiality, integrity, availability, and privacy of their data is ongoing and will be further evaluated by independent auditors.
For more information about ThousandEyes’ commitment to security, visit https://thousandeyes.com/trust.