
Security as priority: interview with our Information Security (IS) Representative

Recently, EffectiveSoft successfully passed a recertification audit and obtained an ISO/IEC 27001:2022 certificate. On this occasion, we decided to talk to Marina Khvistik, our IS Representative, to learn more about her role and the significance of this certificate in driving the success of our company and our clients’ businesses.

    First, thank you for taking the time for this interview. Tell us about your position: what are the IS Representative’s duties?

    Generally speaking, I’m responsible for managing data security. This includes developing and maintaining our information security management system (ISMS), managing risks, monitoring security controls, and responding to incidents. I also oversee internal audits and raise awareness to promote a culture of security within our company. Ultimately, my goal is to protect data and continuously improve our security posture.

    What are some key principles of our IS policy?

    Our IS policy prioritizes security, integrity, quality, and accessibility. In other words, we protect client data and maintain trust while developing top-notch software solutions.

    You’ve mentioned the importance of compliance with standards. In software development, which standards are the most critical to follow?

    This is a difficult question to answer definitively because various factors affect which standards a software development company should follow. It varies depending on the company’s size and location, the industry they develop for, the level of data sensitivity, and client expectations. In our experience, clients most frequently request compliance with ISO/IEC 27001, GDPR, HIPAA, and CCPA.

    We recently obtained the ISO/IEC 27001:2022 certificate. Could you explain what this certification is and the requirements for obtaining it?

    ISO/IEC 27001 is an internationally recognized standard for ISMS. It provides a robust framework for managing and protecting sensitive company and client data. Its main goal is to ensure confidentiality, integrity, and availability of information, as well as compliance with legal, regulatory, and contractual requirements.

    To achieve this certificate, the company must comply with all requisites specified in the ISO/IEC 27001 standard.

    Simply put, an organization must develop and maintain key security documentation, including mandatory policies and annual system documents; train employees to build awareness; regularly monitor and audit the ISMS to identify and address gaps; conduct a thorough risk assessment to identify and mitigate threats; and more.

    What are the primary changes or updates in ISO/IEC 27001:2022 compared to previous versions?

    The 2022 version has been adjusted to modern conditions and cybersecurity challenges. Compared to the 2013 version, the structure is more streamlined and easier to integrate with other standards. Another difference is the number of controls, with new controls added for cloud technologies, remote work, and emerging cyber threats. There’s also a stronger focus on personal data protection.

    By the way, in 2024, the first amendment to ISO/IEC 27001:2022 was released to address climate-related factors in IS management. This highlights the importance of integrating climate considerations into IS management and reflects global trends in sustainability and corporate responsibility.

    Was it challenging to pass the recertification audit?

    I would say no, it wasn’t very challenging for us. We’ve been ISO/IEC 27001 certified since 2021, which means we have already passed a full cycle of audits and have well-established processes in place.

    This year was unique because we transitioned to the new version of the standard. So, not only did we need to adapt to the updated structure, we also had to implement additional controls and reassess the relevance of each to our existing processes. This required cross-team collaboration, additional training sessions, and updates to our documentation and risk management frameworks.

    However, keeping up with the latest updates in IS is standard practice for us, so we were prepared for this migration and recertification audit.

    What does this certificate mean for our clients?

    For clients, ISO/IEC 27001 certification is a sign of trust. It shows that we take their data security seriously and have a systematic approach to protecting sensitive information. Our partners can rest assured that their information is safeguarded against unauthorized access, breaches, and cyber threats through industry-leading practices.

    In addition, this certification is granted by an accredited, independent certification body, so clients can be confident it’s unbiased.

    Are there specific industries or sectors we serve that benefit most from our ISO/IEC 27001:2022 certificate?

    Actually, this certificate is valuable to all industries. But yes, there are some areas where its impact is particularly significant, including fintech and healthcare, which are highly regulated and work with sensitive data.

    Finally, can you give us some tips on how to protect an IT infrastructure?

    Protecting an IT infrastructure requires a holistic approach. Based on our company’s example, I would say regularly assessing potential threats and vulnerabilities to proactively mitigate them; implementing robust security controls; and ensuring the timely detection, reporting, and resolution of security incidents to minimize their impact and prevent reoccurrence.

    I would also recommend conducting ongoing training and awareness programs to ensure that all employees understand their IS roles and responsibilities.

    Finally, continuous improvement and adherence to international standards, as well as the requirements of the legislation of the countries where a company operates, must be prioritized.
