ISO27001 - What Is It and Why Does it Matter?

Everybody's heard of "The Cloud" nowadays, although in our experience not everybody's entirely sure what "The Cloud" is or what it means. Which is understandable really as it has lots of definitions and can mean different things to different people.

 
 

Here at Kullasoft, when you download one of our mobile apps and use it to collect some data, that information isn't much use if it stays stuck on the device. It needs to be transferred to a central location where other people can access and make use of it. And once you've set up an account on our web portal and invited your users, this process is taken care of automatically for you. Users tap the "Export" button in the app, and the data magically appears in Kulla, nicely presented for your perusal which is great! You don't have to worry about any IT infrastructure setup or maintenance, software updates, support contracts and so on - everything is taken care of and you can just concentrate on improving your productivity.

 
 

Obviously there's a lot going on behind the scenes to make all this possible, and the catch-all term commonly used for all this black magic is "The Cloud". The data's stored in "The Cloud", all the server code lives in "The Cloud", the tiles on the maps are pulled in from other "Cloud Services" and so on.

So, all the complicated stuff like databases and file storage buckets etc that makes anybody apart from IT geeks' eyes glaze over is abstracted away from end users and is somebody else's problem. Which of course is wonderful. That said though, if you're going to start using a cloud based service as a tool for carrying out your daily work and/or a repository for valuable information then it would be prudent to find out a bit more detail so as to mitigate any risks you may become exposed to as a result.

Common questions that arise when comapies are considering a cloud solution are things like:

• Where is the data physically stored?
• How do we know nobody can gain unauthorised access?
• Will we always have access to our tools/data?
• What happens if the company supplying the product ceases trading or gets sold to somebody else?

All valid questions, and anybody offering cloud services should be able to answer them for you. Cloud companies exist to provide services for their customers so it's in their best interests to ensure data is secure, infrastructure is robust and contingency plans are in place.

That said, while there are commonly held best practices within the industry there are no guarantees that a given service provider is adhering to them. In much the same way as when you take your car to the garage or employ a tradesperson to do a job you have little understanding of, you are essentially relying on the integrity of the provider take care of your data and provide a continual service. As in any industry, while the majority of businesses are professional and diligent, there can be some rogues about.

That's where ISO27001 comes in. In a nutshell, ISO27001 is the international standard that defines the best practices for something called an Information Security Management System or ISMS.  An ISMS is, to use the official definition from the documentation, "a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives".

What this essentially means is that in order for an organisation to become ISO27001 certified, it has to be able to demonstrate that it has systems and processes in place that follow international information security best practices.  And this doesn't just cover things such as having antivirus software on computers, implementing firewalls and locking down laptops etc. The entire organisational structure is put under the microscope to check that all aspects of its operations are geared toward information security.  Some examples of the areas covered are:

• Physical security of office premises
• Access control - i.e. managing who has access to what data
• Separation of testing and production environments
• Management of cyprotography
• Staff training
• Incident management
• Legal compliance

These are just a few of the different topics - there are over 150 individual points that need to be addressed when compiling an ISMS and it had to be demonstrated to an independent auditor that each one has been considered and measures put in place to ensure best practices are adhered to.

As we care about our customers' data security and aim to become a reputable and trusted provider within the geospatial industry, Kullasoft is currently undertaking the work required in order to gain accredited certification to ISO27001. We should be carrying out our own internal audit before the end of January 2017, with our initial review by the UKAS accredited independent auditors scheduled for the end of February and hopefully be fully certified before Easter.

So, as well saving you hours of time and effort on a daily basis you can also have the peace of mind that your data is secure and being well looked after.