How Prograils became an ISO 27001 compliant software company
Implementing ISMS and being certified for compliance with the ISO 27001 norm is a milestone in many organizations from the IT sector. What were our reasons behind it? What do we and our business partners gain from it?
In a blog entry about finding a good software company, I listed factors everyone should consider. The list included: market presence, portfolio, technology stack, ratings and testimonials, project managementmethods and pricing.
After revisiting the content recently, I found out that the list was missing one important point: information security.
The fact that Prograils implemented the ISO 27001:2013 norm for information security management system (ISMS), was thoroughly audited regarding compliance with that norm, and received the certificate from BSI in December 2019 made it necessary to update that list.
What is ISO 27001?
ISO 27001:2013 is an international requirement norm for information security management in IT. It is part of the ISO 27000 standard series and the only one that is normatively binding.
The document consists of two parts: the main one which sets the information security framework for organizations, and Appendix A with security topics they need to implement.
Having clarified what actually ISO 27001 is, let’s find out what the term "information security" pertains to.
What is information security in an organization?
Information security can be summed by three letters:
- C for confidentiality. In other words, making sure that sensitive data processed by an organization is protected against unauthorized access.
- I for integrity. Meaning that information must not be changed in an unsuitable way, neither intentionally nor unintentionally.
- A for availability. This one stands for users’ ability to retrieve information whenever they need, and the requirement that no data must get lost.
This “CIA triangle” defines information security, as well as determines the direction of requirements set by the ISO 27001 norm.
Why information security matters in software development
Because we work with data.
In many cases, like the patient-physiotherapist platform Physitrack, these are sensitive data. When arranged and processed in a certain way, data can be interpreted as information.
Information is a valuable asset, not only of Prograils, but also of our clients and people who use applications we build. Information is also vulnerable unless certain measures are implemented.
Despite the common conviction, information security can be threatened not only by hackers and malware. Also employees of a software company can pose a threat to information confidentiality, integrity and availability.
Data are processed at practically all stages of software development. Besides production, also in development and testing environments. Both in the office and remotely, all these stages require proper defence mechanisms.
Implementing the ISMS in an organization is, by far, the most reliable way of preventing human errors that could result in information leak and severe financial or legal consequences.
Why have we decided on ISO 27001 certification?
First of all, because the norm sets guidelines for the ISMS implementation.
Secondly, thanks to external assessment, the security standards of a company are validated. This, in turn gives management, stakeholders and clients extra confidence in software development methods used by that company.
The certificate gives them the certainty that all information assets at an organization’s disposal, such as production data, source code and documentation (specification of features, architectural documents, algorithms etc.) are in good hands.
In short, assuring clients, actual and potential, of our highest security standards is one thing. But having these standards verified and confirmed by an independent expert is worth more than a thousand words.
What did the implementation look like?
The certification process took a couple of months.
In this time, we:
- educated all the team members about the significance of information security in IT and possible vulnerabilities,
- prepared the documents required to implement ISMS, e.g. the Information Security Policy, Statement of Applicability, etc.
- ran an internal audit,
- underwent a two-phase certification audit from the BSI representative,
- were granted the ISO 27001 certificate for information security management.
Although the entire process was intense and ruled by strictly formal procedures, we managed to complete it without any major trade-offs in terms of our culture, organization and identity.
Selected security policy measures
The detailed list of measures (or “controls”) implemented for ISO 27001 compliance is listed in a document called Statement of Applicability, which is confidential.
The key areas to which the document pertains include:
- ISMS-related roles & responsibilities in Prograils,
- risk treatment,
- hiring and employment termination practices,
- in-office and remote work security practices,
- security of electronic devices and more.
Prograils as an ISO 27001 compliant software development partner
Software companies are known for their informal approach of many areas, but there are matters in their activity that should not be taken lightly. Information security is such a matter.
Outsourcing software development to a company that holds an ISO 27001:2013 certificate is a guarantee that this particular partner not only follows the best security practices for security, but constantly improves them and is controlled for it on an annual basis.
And this is the case of Prograils.
Looking for a trusted B2B software development partner? Talk to us!