We’re ISO 27001 Compliant and Here’s Why You Should Care
Whether driven by compliance, emerging exposure and threats, or attacks and breaches that have already happened, most businesses now rank cybersecurity as a top corporate priority. In fact, global cybersecurity spending is projected to top US $270 billion by 2026, an increase of 86% from 2017.
To build a best-practice based cybersecurity approach that proactively minimizes risk and ensures greater business continuity against cyber threats, many businesses certify their information security management system (ISMS) through ISO 27001, an internationally recognized standard. Becoming ISO 27001 compliant requires significant time and resources, and signals a robust, mature approach to risk management. Businesses should also expect that their suppliers will maintain an equally rigorous security program. That’s why we’re so proud of our own ISO 27001 compliance and what it means for our clients.
What it means for you that Gorilla Logic is ISO 27001 compliant
At Gorilla Logic, we take security seriously and we’ve built it into everything we do. Our ISO 27001 compliance means that we have implemented all the controls required by this highly regarded international standard to address our security risks. Since our business is all about building great products for our clients, our security is your security.
What this means for you is that we prioritize security in all the work we do together. Based on our compliance, you can be confident that the web and mobile solutions we build for you:
• Protect the confidentiality, availability, and integrity of your data.
• Improve your ability to achieve compliance with commercial, contractual, and legal requirements.
• Reduce the risks of fines, business disruptions, and loss of reputation from cyber threats.
• Achieve greater resilience to cyber-attacks and responsiveness to evolving threats.
What is an ISMS?
Businesses that take security seriously develop an information security management system (ISMS) to document how they manage, monitor, review, and improve all the different types of information and information assets they hold.
An organization typically collects, stores, and manages many different types of information, such as client and customer profiles, employee data, financial records, system login information, emails, reports, equipment records, and much, much more. Each different type of information likely requires different policies and processes, and an ISMS informs everyone of what those policies and processes are. An ISMS addresses three security concerns related to an organization’s data:
• How data confidentiality is maintained so that information isn’t available to unauthorized people or processes.
• How data integrity is maintained and protected from corruption.
• How data availability is handled to ensure data is accessible to authorized users.
An ISMS isn’t set in stone but instead evolves as the organization’s needs grow and change. Building a comprehensive ISMS lays the foundation for ISO 27001 compliance.
What Is ISO 27001?
To help organizations evolve their cybersecurity approaches further and adapt them to their specific needs, the ISO has defined ISO 27001, an internationally recognized specification for a best-practice ISMS. ISO 27001 specifies that an ISMS must address all the people, processes, and technologies involved in how an organization controls and uses its information and data. ISO 27001, which is both vendor- and technology-neutral, helps organizations assess whether their cybersecurity measures are appropriate and adequate for their unique risk environment.
What are the ISO 27001 controls?
Based on input from leading information security experts from around the world, ISO 27001 covers best practices organized into 14 separate control domains:
| ISO 27001 Control | Describes… |
|---|---|
| Information security policies | How policies should be documented in the ISMS |
| Organization of information security | Which parts of an organization should be responsible for which information security tasks |
| Human resource security | How employees should be informed about cybersecurity whenever they start, leave, or change positions |
| Asset management | How data assets should be managed, protected, and secured |
| Access control | How employee access should be limited to different types of data. Auditors will need to be given a detailed explanation of how access privileges are set and who is responsible for maintaining them |
| Cryptography | How an organization handles sensitive data and the types of encryption used |
| Physical and environmental security | How to secure buildings and internal equipment |
| Operations security | How to collect and store data securely |
| Communications security | How to secure transmissions within an organization’s network |
| System acquisition, development, and maintenance | How to manage existing and new systems in a secure environment |
| Supplier relationships | How to ensure security while interacting with third parties |
| Information security incident management | How to respond (and prepare to respond) to security incidents |
| Information security aspects of business continuity management | How to handle business disruptions |
| Compliance | Which government or industry regulations are relevant to the organization |
How do you become ISO 27001 compliant?
ISO 27001 compliance is a multi-year process, involving intensive internal and external stakeholder activity. The compliance process includes three key phases:
1. An external certification body conducts a review of the organization’s ISMS.
2. The certification body performs an in-depth audit, evaluating individual components of ISO 27001 against the organization’s ISMS.
3. Regular follow-up audits are conducted to ensure ongoing compliance.
This extensive process gives everyone confidence that the business is actively practicing the most effective cybersecurity measures possible.
Work with an ISO 27001 compliant partner you can trust
When you are recognized for ISO 27001 compliance, it’s a clear indication of your commitment to securing your organization’s information assets and protecting your organization from risk. Your security extends to your suppliers, and it’s important to make sure they take security as seriously as you do. As your custom software development partner, we prioritize security and are invested in ensuring that our approach meets ISO 27001 requirements. You can be confident that the solutions we build together adhere to the highest security standards set by ISO 27001, so you can minimize risk and improve resilience.