Get the Scoop on Optis' ISO 27001 Certification: Interview with Richard Gancze
Optis obtained the ISO 27001 certification in the fall of 2013. Earning this prestigious certification is great, and further reinforces our commitment to securing and protecting our customers’ data. Over the past few months, we’ve had questions surrounding our certification. How did we get this? What did we have to do to get it? What was tested, who tested it, etc.? So, we sat down with our Director of Information Technology and Security to get the scoop.
Q1: Optis is ISO 27001 certified. Can you tell us what the ISO certification is and what was involved to obtain this certification?
RG: The ISO 27001 certification is issued by an accredited ISO third party called a registrar. The accredited ISO third party conducts an audit and assesses our Information Security Management System (ISMS) using the ISO 27001 standard. The audit consists of a stage 1 audit and a stage 2 audit. The stage 1 audit is a “Document Review,” which ensures that you have the necessary supporting documents. The stage 2 audit is the “Main Audit.” During the audit, the auditor checked to see if we were really doing what our documentation says we were doing. Is the ISMS alive (and not just on paper)? They checked records and interviewed employees. They looked for non-conformities. They determined that we passed the audits and issued us a certificate. Is that it? Not quite. The auditor will come back each year to ensure that we are doing what our documentation says we are doing (in other words, maintaining our certification).
Q2: There are a variety of different ISO certifications - 27001, 27002, etc. Can you tell us about the differences?
RG: The ISO 27000 standards are a family of standards which provide best practice recommendations on information security management. The ISO 27001 standard is the specification for an Information Security Management System (ISMS). The objective of the standard is to “provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)”. The ISO 27002 standard provides guidance on how to implement hundreds of security controls. The standard provides guidance on how to implement the Information Security Management System (ISMS). The ISO 27005 standard provides guidelines for information security risk management.
Q3: What are the main benefits of having this certification?
RG: From my point of view, most of the benefits are not in having the certification but in obtaining and maintaining the certification. Don’t get me wrong, the certificate is important. The certificate demonstrates to our customers, the stakeholders and staff that the Information Security Management System (ISMS) is effective at Optis. The certificate is a third party validation that our Information Security Management System (ISMS) adheres to the ISO 27001 standard. The real value for us is making our ISMS a living management system based on a risk based approach. What I mean by this is that the ISO 27001 standard requires that you implement a PDCA (Plan, Do, Check, Act) method to manage the Information Security Management System. We did “P” and “D” and at times had not effectively implemented “C” and “A” (before ISO 27001). With ISO 27001, we check, we act and we continuously improve our ISMS.
Q4: How prestigious is the ISO 27001 certification?
RG: To be honest, I don’t know and I don’t like tooting my own horn. On second thought, toot! I have 15+ years working with Information Security. I have participated in 100+ third party security assessments/audits. I have implemented many information security controls into many versions and iterations of an information security management system. Throughout my experience I have formed my opinions on the security standards and regulations (e.g., SAS 70, SSAE No. 16, HIPAA, SOX, etc.). And with all of them, I am ultimately responsible for implementing an information security management system that protects the customer’s information and the organization. ISO 27001 provides the guidance to help an organization effectively design and implement a living information security management system which we are continuously improving. Based on my experience, I believe that ISO 27001 is prestigious.
Q5: Where should our customers go if they have questions?
RG: Customers can direct any questions to their Optis Account Manager or email us at firstname.lastname@example.org.