idealworks Is Now ISO/IEC 27001:2013 Certified
An Interview With idealworks’ CISO, Peter Mansour
Starting a promising year with excellent news: Following a period of extensive audits and inspections, idealworks has attained the ISO/IEC 27001:2013 certificate. The international standard specifies the requirements for an information security management system (ISMS); certification attests that an independent auditor has found the company's ISMS to meet those requirements, reducing information security risks for all employees, clients, and partners.
By achieving ISO/IEC 27001 certification, idealworks has met the standard's stringent information security requirements as a provider in the industrial automation space. Below is an interview with idealworks' Chief Information Security Officer, Peter Mansour, who helped idealworks prepare for the ISO 27001 audit.
Peter, first of all, who or what is ISO and ISO 27001?
ISO/IEC 27001:2013 — also known as ISO 27001 — is one of the most widely recognized and internationally accepted standards on how to manage information security. It lays out requirements for establishing, implementing, maintaining, and continually improving our information security management system (ISMS), guaranteeing that idealworks' security infrastructure is of the highest standard — 24 hours a day, 365 days a year. Basically, ISO 27001 is a security standard that defines how an organization should manage and treat information more securely, developed and maintained by the independent, non-governmental International Organization for Standardization, ISO.
Why did idealworks decide to apply for the ISO 27001 certificate?
Since information security is one of the most important quality aspects of software, this certificate is key to both being and staying a trustworthy software provider. It is our way of proving to our customers and partners how much we care about the privacy of their information as the importance of ISO 27001 has become more and more apparent during shared conversations. Having attained the ISO 27001 certification is a door opener when it comes to attracting new customers who are aware of how meaningful such a certification is.
What does the ISO 27001 certificate imply for idealworks?
Based on the risks that idealworks faces, we adapted a set of policies which are provided by the ISO association. Those policies not only minimize the risks, but they will also help us deal with potential consequences, and cover several topics, such as: Who gets access to which set of documents? What happens when someone leaves the company? And how do we best ensure business continuity in case of disaster or disruption? On top of that, we developed a set of guidelines for our employees, which includes how to deal with company assets, etc.
How did you get prepared for the ISO 27001 audit?
For us, it was important to make sure everyone at idealworks feels involved in the entire process and dedicated to reaching our goal of becoming ISO certified. Dedication is essential and really displays what kind of company culture businesses foster.
When did idealworks embark on the ISO 27001 journey and what does the certificate reveal about the company?
We're fully committed to remaining a safe organization, especially when it comes to information security, which is why our top management decided to kick off this exciting journey back in June last year. Our Stage 1 assessment took place in November 2021, and only a handful of weeks later, our Stage 2 assessment was logged in. We were more than delighted to receive our ISO 27001 certification on December 20, 2021.
Assuring our team, customers, and partners that we take all necessary steps to keep their data safe, secure, and accessible plays an important role for us. The ISO 27001 certificate underlines the importance we place on data protection. The fact that we achieved this certification is the result of a huge amount of effort from every single member of our company.
What did the company learn from the process of receiving the ISO certificate?
Most notably, we were given the opportunity to properly reflect on our internal practices and processes. Thanks to this reflection and the ISO 27001 guidance, we were then able to learn how we could best improve our internal governance. We established an Information Security Committee, led by our CEO and including myself as Chief Information Security Officer as well as other executives and specialists to support the ISMS framework and to periodically review our security policy. Due to all those improvements, we are now able to take better proactive actions to minimize the risks the company faces.
What was the biggest challenge you had to face?
The pretty tight timeframe we had set ourselves: we planned to be ready for audit within six months, which we proudly achieved! During that time, we had to grasp a plethora of processes within idealworks and get ready for a two-day meeting with an auditor who examined, with meticulous precision, every document that had been developed.
How long is the ISO 27001 certificate valid for?
The ISO certificate indeed has an expiry date and needs to be reassessed after a three-year period for renewal, on top of an annual review. Our eagerness to continuously maintain and improve our security infrastructure does not expire, though. It’s about always being one step ahead — something we’re very much used to.