We at Moqod have always asked ourselves: does our work comply with the highest quality standards? Are our systems and the systems of our customers adequately protected?
We were concerned for a reason: recent cybercrime statistics paint an alarming picture. In fact, the losses associated with data leakages and other cyber threats exceed the global market for illegal drugs. This is especially relevant for companies that work with sensitive data: those operating in the finance, legal, and healthcare segments are top targets of cybercriminals. And we have such companies among our clients as well.
Sadly, software companies, large and small, are also frequent victims of malicious attacks. This puts organizations’ intellectual property, assets, and reputation at stake and makes data loss prevention a typical boardroom agenda item.
On the other hand, we realize that expertise and proficiency in software development technologies are no longer enough to win the clients’ trust – as they enter tech-partnerships, customers need something more tangible to fall back on. So we paid special attention to setting up and maintaining a system that meets the clients’ demands for top-notch security.
We also saw that customers prefer working with certified contractors. Therefore, we decided to get certified in the field of cybersecurity. We chose the internationally acknowledged ISO 27001 standard, which clients perceive as working proof that their data is in good hands.
The ISO 27001 family of standards covers just about every aspect of organizational security. More specifically, ISO 27001 itself provides guidelines for setting up an information security management system (ISMS) and comprises the policies and procedures that help safeguard customer data.
What Policies and Processes Does ISO 27001 Promote?
Certainly, every organization nowadays uses a set of security tools and methods. Used in isolation, though, and without adherence to established security procedures, these systems may offer adequate protection in some cases and be completely irrelevant during a massive, concentrated cyberattack on an organization’s data integrity. The ISO 27001 standard for information security requires an organization to rethink its processes and set up rules and procedures for protecting its intellectual property and sensitive data.
A company firewall, for example, may protect you from external attacks, but are you protected from an insider breach if attackers steal an employee’s credentials? Likewise, your existing security system may withstand a standalone DDoS attack. But what if perpetrators combine different attack methods, such as SQL injection against your backend database and API hijacking, at the same time?
So what processes should a company set up to become compliant with ISO security standards? The ISO 27001 standard encourages organizations and businesses to implement a range of security controls, such as:
- Risk assessment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control (including remote access policy)
- Information systems acquisition, development, and maintenance
- Information security incident management
- Business continuity management
- Compliance, etc.
The actual set of processes you implement will depend on your organization and business type. To comply with ISO 27001, the processes relevant to your business must be in place and fully operational.
Furthermore, implementing an ISO-compliant ISMS involves introducing a comprehensive company Security Policy. Based on your security objectives, the Security Policy should outline the physical and technological safeguards as well as the employee behavioral routines that prevent data loss.
For example, a clean desk policy requires employees to always clear their desks of any documents and paperwork that may contain sensitive data when they leave their workplaces. Remote access rights and data access permissions must also be regulated by the Security Policy, and the policy itself should be subject to regular review and renewal. For best results, a company Security Policy should have an owner – someone responsible for its maintenance and updates.
Needless to say, a good company Security Policy should also clearly define the penalties for non-compliance.
The ISO 27001 Certification Process
We started preparing for the certification in May, finished in October, and went through the certification process in November and December 2019. We discovered that most of our processes and approaches were already ISO compliant, yet we did find room for improvement and implemented the necessary changes based on ISO best practices.
The process of getting certified according to ISO 27001 starts with preparing the documentation that outlines the company’s objectives and security controls. Next, you need to carry out all the activities listed in those documents, such as risk assessment and risk management, regular ISMS audits, and updates. At Stage 1 of the ISO audit, the certification body reviews the documentation to see whether it complies with the ISO 27001 standard.
For the Moqod team, embarking on the ISO 27001 certification journey was the most difficult part. As soon as we understood what the certification committee expected from us, everything fell into place. All we had to do was carefully and routinely follow through on all their requirements.
The preparation process took six months. Creating the documentation was the easiest part, but the implementation, and making sure that everything worked in the new way, took time. By October 2019, we were all set for Stage 2 of the ISO 27001 certification process – ensuring that all the security activities are compliant with the initial documentation.
After receiving the certificate, we can confidently declare that all the sensitive data that customers entrust to us is well protected. Our quality assurance process gained wide acknowledgment and recognition – the auditor from the certification body said he hadn’t seen many teams like ours and was pleasantly surprised.
The ISO 27001 Certification Benefits for Nearshore Software Developers
There is no doubt that compliance with international laws and standards increases general credibility. Clients can rest assured that they are working with a reliable developer, dedicated to protecting the integrity of their sensitive data and operating along internationally acknowledged guidelines.
In a nutshell, the benefits of ISO certification for nearshore software development firms fall into four main categories:
- An ISO 27001 compliant information security management system helps companies avoid the costly aftermath of cybercrime.
- ISO 27001 certification has a positive impact on the company’s key relationships with clients, partners, and stakeholders, as well as on the company’s reputation in general.
- Company operations run smoothly and encounter fewer disruptions. Employees are happy to work to clearly outlined guidelines, as their work becomes more predictable.
- Setting up an ISO compliant information security management system results in enhanced security: threats are detected early and nipped in the bud. Too often, people engage in security activities only after a threat has become obvious or an attack has already happened.
We would like our clients to think of an ISMS as a human immune system: we are constantly being attacked by viruses and bacteria and we don’t feel it, but that does not mean we should not work on strengthening our immunity.
Throughout the months following the certification, here at Moqod, we have fully experienced the benefits of being ISO 27001 compliant. We have structured and optimized our processes, minimized risks, and are ready to help our clients even more efficiently!