We are excited to announce we have recently been certified to ISO 27001.
ISO 27001 is the world’s leading standard for information security management systems (ISMS); it sets out a set of high-level requirements for handling information securely.
Why did we do it?
Propel chose to pursue this rigorous certification process because we know how important information security is to our business and our clients.
But simply knowing this and having some well-intentioned processes in place isn’t enough. We wanted to make sure we are highly diligent in securing our internal information, as well as protecting our clients' information when it is entrusted to us.
That means adopting best practice in those areas, and there's nothing better than aligning to the global gold standard for information security – ISO 27001.
How did we get certified?
It wasn’t a matter of ticking a few boxes and paying a registration fee. The whole process took us 9 months to complete.
The cornerstone of ISO 27001 is the assessment and management of risk. This means building, and continually checking, an information security management system that ensures the confidentiality, integrity and availability of information. And it’s not only about how technology handles information, but how the people and processes within our business ensure that information is kept secure.
Only businesses that can prove to an external auditor that they have excellent controls for data security, risk assessment, and information management are eligible to receive ISO 27001 certification.
Here are a few things we implemented:
- Consolidation of data storage systems
- Structured controls over data access
- Enhanced onboarding and offboarding practices
- Mobile device management across our laptop fleet
- Information security training for all staff
- Upgraded cyber security measures
What this means for our clients
Ultimately, this certification demonstrates our commitment to information security, compliance, and regulation practices.
Our aim is to give our clients confidence that we use advanced systems and processes to ensure that all information we receive, track, or share is treated with the highest standards of security and confidentiality. We protect the integrity of all data and associated processes so that our clients can trust our services. What’s more, we have a culture of information security, ensuring our team is aware of its importance at all times.
There’s another big benefit of the certification for our clients, which has to do with secure development.
Secure development is about the development practices that ensure we are thinking about information and security as we build systems, and validating as we go along.
When we start to build applications for our clients, we are thinking about information security from the perspectives of:
- What type of security risks and practices do we need to consider?
- What type of information is being captured?
- How do we make sure the information is secured correctly?
- How do we manage access levels for different classifications of information?
- What types of audit logs do we need to record activity?
As a reminder, we have embedded a security checkpoint in our story life cycle. At this checkpoint we prompt ourselves to consider the impact of each story on the confidentiality, integrity and availability of information.
What we learned
Going through the ISO 27001 certification process has helped us achieve a state where we can have confidence in how we manage our information. More importantly, it has created a security mindset across the entire team, from which our customers are already benefiting.
Our work here is never done
Information security is constantly evolving, and our certification puts us in the best position to stay on top of these changes. Auditing our processes at least every year will help us to maintain and improve our information security so our clients can always trust our services.