ISO 27001: How We Got Certified And What It Means For Our Clients
We’ve got more big news from our end — we know we’ve been slamming you with big news in the past few weeks, cough* Clicktale acquisition, cough* but there’s more to share.
What can we say, we’ve acutely upheld our scaling plan. About a month ago, Contentsquare achieved an ISO 27001 certification, and if that doesn’t mean much to you, then this is the article that will answer this burning curiosity.
If you’re not yet a security expert (you might want to get on that), here’s a little refresher. ISO 27001 is a standard of best practices for managing information security. It takes a risk-based approach and is technology-agnostic. It includes requirements on compliance documents, management responsibilities, internal audits, continual improvement, and corrective and preventive action — all designed to best protect a company’s information assets.
Companies can elect to conform to the standard by meeting its requirements, but can also go further and become ISO 27001-certified. In this case, an independent outside auditor (also certified) is tasked with conducting an audit to assess whether the company meets the requirements. Companies that pass get their certification. As you can imagine, this is the route we’ve taken.
We sat down with Alexandre Menguy, Chief Information Security Officer and Contentsquare’s security guru, to find out more about what this certification means for us and our clients.
Who’s who:
Alexandre joined Contentsquare as Chief Information Security Officer in June 2018.
Prior to this, he worked as Global Security Manager for PeopleDoc and Senior Cybersecurity Auditor & Advisor for Mazars.
ISO 27001, from Objective to Reality
Contentsquare: Can you tell us more about the audit — how is it carried out and who hands out the certification?
Alexandre Menguy: The audit is just the final step of a long process! It all started in 2018, when we decided to have our security practices meet the requirements of an existing standard. We chose ISO/IEC 27001 partly because it is so widely recognized.
First we defined the objectives and scope of the project with top management; then we worked with all teams to implement policies, procedures and practices that would meet our security objectives.
Once all these elements were in place, we conducted an internal audit to make sure we were heading in the right direction and that we were ready to meet the certification requirements.
The internal audit went very well, so without further ado, we called on an external auditor to carry out the official certification. That’s when things got real…
CS: What do you mean, things got real?
AM: Well, first the auditor made sure our policies and procedures were in line with the requirements. This phase was more about documenting things. Then they visited our various offices to ensure the policies and procedures were being effectively implemented.
Finally, the auditor submitted their recommendation to a recognized certification body, which, based on the review that was carried out, gave us the official certificate.
ISO 27001: An All-Hands-On-Deck Collective Effort
CS: Now that we are certified, can you speak about the main challenges of achieving certification?
AM: There’s no denying it, achieving the ISO 27001 certification is a huge undertaking that involves everyone on the team and impacts all company practices.
It was particularly impactful because we wanted to meet all 133 security requirements in our Paris, New York and London offices. Thankfully, the entire team was wholeheartedly committed to this project, which meant we were able to undergo the transformation very quickly.
Another challenge of this type of project is the involvement of management. Getting certified is an expensive undertaking with high direct costs (mainly the cost of the audit and certification) and also major indirect costs (purchasing security solutions, recruitment, securing offices, shifting processes…) so it’s important to have the full support of top management.
The security of our clients’ data being one of our main priorities, this certification process was a no-brainer for management, which was committed and supportive every step of the way.
CS: What does this mean for clients?
AM: As you know, deployment models are evolving. For companies, the digital landscape has shifted from on-premise systems and applications to complex environments that rest on multiple third-party SaaS solutions and external cloud computing services.
Therefore, security risks are increasingly being transferred, and today it’s more important than ever for companies to trust that their vendors and services are safe.
With this certification, our clients can feel even more confident because it proves that Contentsquare has an information security management system in place that adheres to an internationally recognized standard and that it has been deemed effective by an in-depth independent audit.
Also, keep in mind that our client brands regularly audit their vendors and that this certification helps to facilitate this type of assessment.
Life after Certification
CS: Now that Contentsquare has achieved the ISO 27001 certification, what are the next steps?
AM: Indeed, achieving this certification is terrific news but we can’t stop there!
The very essence of the ISO 27001 is the continual improvement of systems, so getting certified is not the end of the road.
This is in fact part of the ISO 27001 certification framework, and the certification audit is followed by annual assessments to remain certified.
CS: Can you share any examples of concrete actions you are putting in place?
AM: We will continue to invest strongly in our security capabilities. For example, we’re planning to launch a private bug bounty program very soon. As well as our penetration testing, we are also going to submit our applications to ethical hackers and compensate them if they find any breaches. This is a fairly new mode of operation, but it’s very promising!