By Mariana Almeida Marques
Financial services companies are facing a worrying rise in cyber-attacks and data breaches. In the first half of 2021 alone, the banking industry saw a 1318% increase in ransomware attacks (Trend Micro). It is estimated that cyber-attacks on banks from 2020 onwards will result in a loss of $347 billion. The insurance industry follows closely with a loss of $305 billion (Accenture report).
It is now more relevant than ever that companies ensure that all private information is handled securely. The ISO27001 certification is a way for organisations to formalise their processes and prove that they are handling data in a secure way. In this article, we explain what ISO27001 is, how it works and its importance for companies.
ISO27001 is an international standard for information security management. It is composed of a set of policies and guidelines that help companies in any industry to better protect their information assets. Over time it has become the de facto measure of how seriously an organisation takes information security.
The Information Security Management System (ISMS) is a framework which defines an approach to implementing information security controls based on a clear understanding of objectives and risk levels. This enables adopters of the standard to set well-considered policies and procedures that can help prevent security breaches and mitigate security risks.
ISO27001 was published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), two organisations known for developing international standards. As ISO27001 is a requirements standard, it is possible to become certified to it. This involves a third-party certification body carrying out an audit to verify the implementation of the standard.
This certification is useful because it provides other organisations with assurance that the standard has been implemented correctly. Although ISO27001 certification is not mandatory, it has a number of benefits for companies that wish to build trust and assure their clients and partners of strong information security processes.
The ISMS consists of a number of basic building blocks, including the establishment of a set of policies, the definition of clear information security objectives, ongoing risk assessment, monitoring and reviews. It starts with an initial review of potential security risks, followed by the definition of processes that can prevent or mitigate each risk. The main purpose of ISO27001 is therefore to improve risk management by identifying which risks exist and implementing policies and solutions to increase security. Naturally, each company faces different risks, so there isn’t a one-size-fits-all set of solutions.
Technically, ISO27001 is divided into two parts: a set of 11 clauses and Annex A. Clauses 0 to 3 include Introduction, Scope, Normative References and Terms and Definitions, and clauses 4 to 10 include the mandatory requirements to become ISO27001 certified. Broadly, these cover the following key areas:
Annex A forms an integral part of ISO27001 and includes a list of practices that enable companies to better manage their security risks. These aren’t mandatory to follow; they simply serve as guidance and can be applied to different business scopes.
Though ISO27001 isn’t mandatory, it is still an internationally recognised standard. This means that companies that do have the ISO27001 certification can prove to their clients and partners that their data is protected. Furthermore, it also shows that companies have the necessary processes in place to react appropriately should there be any kind of data breach. This helps to build trust between companies and clients. ISO27001 is important not only for protecting clients’ personal data, but also for protecting the organisation’s own data, including that of employees, suppliers and partners.
The requirements for being ISO27001 compliant are addressed in clauses 4.1 to 10.2, as well as in Annex A. Companies need to be audited by an external accredited body and, if the audit is successful, this external organisation will provide them with the certificate. You can find more information about the ISO27001:2013 certification and its requirements on their official website.
At Imburse, we care deeply about our clients and are committed to the security of our data. For this reason, we decided to implement an ITSM that follows the ISO27001 framework and successfully obtained certification in April 2021.
Imburse is a cloud-based middleware connecting large enterprises to the payments ecosystem, regardless of their existing IT infrastructure. Through a single connection to Imburse, enterprises can collect or pay out using a variety of payment technologies and providers around the globe.
In a world where consumers’ payment preferences and technologies are ever-evolving, Imburse works with insurers to future-proof their payment requirements. Regardless of the business area, market, or requirements, Imburse will connect you to your choice of technology and provider.