Well... the truth is, they're not. In fact, such is the rigour of ISO 27001 that very few are.
Some claim that they are compliant with ISO 27001 security practices, but merely being compliant is not the same thing as being certified through an independent, third-party audit by an accredited certification body. Earning ISO 27001 certification is not a walk in the park: everything from email and password security to hiring, employee onboarding, business continuity, access controls, supplier relationships and devices has to be considered. The ISO 27001:2013 standard consists of 14 sections that deal with no less than 114 specific controls, and the certification process typically takes around a year (assuming dedicated staff and resources are committed to the project).
ISO 27001:2013 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies an information security management system (ISMS) that, when implemented correctly, integrates security into every aspect of the company and ensures continuous improvement over time.
In order to earn ISO 27001:2013 certification, you need to consider the unique information security risks your individual organisation faces. You need to think deeply about the vulnerabilities and threats that can place data and information systems at risk. Once those risks have been thoroughly analysed, the company then needs to implement robust and all-embracing controls to mitigate them.
Once this has been done and you've achieved initial certification, you can look forward to annual independent maintenance and surveillance audits, which look for evidence that all procedures of the security management system are actually implemented, reassessed, reviewed and improved over time. In other words, certification isn't a box that you tick once and forget about: it's a long-term commitment that needs ongoing attention, and it ensures a company is doing the right things when it comes to security.
The reason we did all this work is simple: we want to protect our users. We help people achieve their individual health goals, so it goes without saying that a lot of the data we manage is of a sensitive nature. By attaining ISO 27001:2013 certification, we show that we’re doing everything we can to protect the confidentiality, integrity, and availability of information, systems, and services. The controls we’ve implemented during this process ensure that information assets are protected from unauthorised access, that accurate and complete information is delivered by systems that are reliable, and that information is available when needed. Through ISO 27001:2013 certification, we give customers the peace of mind that comes with knowing they’re relying on a secure archive.
For more information about security at Sapien and some of the other robust standards we’ve been externally certified for, please visit our Security Page.