June 2018
ISO 27001-certified organizations are scrutinized by an independent auditor every year to confirm their continued discipline and commitment towards information security. Last week, AcceptEasy passed review by a Lloyd’s Register auditor with flying colors. This is a big deal – not just for us, but also for all the organizations that rely on us (or are still looking for a vendor they can trust). Why?
Customers + Messages + Payments = Risk
We’re a vendor of software & services to generate and send millions of payment requests to consumers and small businesses. As such, we receive a lot of data from our clients. This is serious business in terms of privacy and information security, especially as we facilitate money changing hands. Even more so because we serve many large brands who do not want their reputation damaged by a supplier who messes up. Fortunately, we’ve had security top of mind since we came into business some ten years ago. This has served our clients (and their customers) well – more on that below.
Security = Technology + Process + People
Even so, about two years ago we decided to embark on a journey to become certified against the leading global standard for information security, ISO/IEC 27001. A main reason for that decision was that information security is not just about IT – it’s also about people’s behavior, processes and organizational controls. Tools don’t take contracts off a printer or business cards off a desk – people do. As we grow in staff, customer base and international footprint, making sure that everyone does things right every time becomes increasingly important. And if (if) there is even a minor potential incident, we take the right steps to resolve and report the situation and prevent it in the future. ISO forces you to think and act. It keeps you on your toes as business and technology evolves rapidly. Not just as a standard, but as a set of mandatory periodical ceremonies.
I’m doing this for you, you’ll thank me later
So we succeeded in getting our ISO27001 certification in 2017 (on our first try), and showed last week that this was not just a flurry of activity to get a piece of paper. From IT to Marketing to HR to Operations, our people take this stuff seriously all day every day – sometimes even saying no to our own clients to protect them from themselves:
- Some clients have tried to hand us batch files containing customer data through insecure means, which we then politely refuse even if it risks delaying a large run that brings us revenue.
- Same for private keys needed to connect our systems to theirs to go live.
- Our people don’t log on to unprotected wi-fi unless through VPN, even if that prevents us from doing an online sales demo.
- We only use approved software even if another tool could help us, and in general protect the data we receive and generate.
- As ISO rolls into GDPR, we collaborate on the required Data Processor Agreement between the client and AcceptEasy and often take the initiative in providing our default agreement.
Demand the real thing, not just good intentions
As a corporate or government organization, you should demand all this from a service provider (especially where cloud-based software and customer data are involved). And not just as a set of RFP questions whose boxes are more easily checked than the reality on the ground. But by means of proven and continued independent ISO-certification. Smaller vendors are great, but they need your business and can easily resort to smoke and mirrors to appear earnest and secure. As we now know, passing an ISO audit requires and proves the real awareness, the real policies, the real tools and the real rigor that keep the information you entrust us with secure. This blog by a peer vendor explains it differently.
We hope you appreciate the importance of ISO-certification as you evaluate vendors like us going forward. Your customers sure do, even if they’re blissfully ignorant of what it takes to protect them.
p.s. Just so you know, keeping your data secure does also cost some money.