How and why implement ISO27001?
Committed to a quality approach involving information security management, Ventio has decided to follow the ISO 27001 standard, considered to be the benchmark in this field. Noémie Vang is a certified ‘Lead Implementer’, enabling the formal implementation of this standard within the scope of the company’s activities, and is working with Anis Benyahia, in charge of information system security, towards this goal.
What is ISO 27001? What does it cover?
ISO 27001 is an international standard issued by the International Organization for Standardization (ISO) that defines the requirements for establishing, implementing, maintaining, updating and continuously improving an Information Security Management System (ISMS). Its main objective is to provide a robust and consistent framework to help organizations protect sensitive information and manage information security risks.
By implementing an ISO 27001-compliant ISMS, we aim to ensure the confidentiality, integrity and availability of the information we process and store.
In concrete terms, this includes protecting sensitive data from unauthorized access, and ensuring that information is only accessed when necessary. The standard also aims to establish a continuous improvement process, encouraging us to regularly assess risks, implement appropriate security measures and adapt to both technological developments and new threats.
In a nutshell, ISO 27001 is designed to help us put in place effective information security practices, minimize potential risks and boost the confidence of our stakeholders – i.e. our customers, business partners and regulatory authorities.
What is it based on?
[Noémie Vang]
ISO 27001 is based on several fundamental pillars that guide the implementation and maintenance of an effective Information Security Management System (ISMS).
These pillars are as follows:
- An information security policy: this defines the organisation’s commitments and intentions in terms of security.
- A risk analysis: we are required to carry out a risk assessment in order to detect and evaluate threats that could compromise information security. This involves understanding vulnerabilities, potential impacts and the probability of occurrence associated with these risks.
- Planning: based on the results of the risk analysis, we need to draw up a risk management plan detailing the security measures to be put in place to mitigate the risks identified.
- Implementation: this phase concerns the implementation of the safety measures defined in the plan, including staff training, access management, activity monitoring, etc.
- Performance assessment: we need to regularly assess the performance of our ISMS to ensure its effectiveness and ongoing compliance with ISO 27001.
- Continuous improvement: a key principle of the standard is commitment to continuous improvement. We must therefore identify opportunities for improvement and implement corrective and preventive actions.
- Documentation and records: ISO 27001 requires appropriate documentation of the ISMS, including relevant policies, procedures and records to demonstrate compliance.
- Internal audits: we must carry out regular internal audits to assess our ISMS’s compliance with the standard and identify areas for improvement.
By combining these pillars, ISO 27001 provides a comprehensive and essential framework for establishing and maintaining a robust ISMS, thus ensuring information security within our organization.
Why is Ventio taking this approach?
[Noémie Vang]
Ventio is an innovative digital company offering cloud-based image processing services for biomedical imaging. Faced with the rise of cybercrime and the constant emergence of new threats, cyber risk management is complex. ISO 27001 will enable us to deal proactively with the constant evolution of these risks and the emergence of new vulnerabilities, while helping us to improve the security of our digital services.
This approach strengthens us in several ways:
The cornerstone is the protection of sensitive information. ISO 27001 plays an essential role in defining appropriate security measures, ensuring the integrity, confidentiality and availability of crucial company data, including customer and business data, research and development, company intellectual property and other confidential information that we are contractually obliged to protect.
The second benefit derives from risk reduction. ISO 27001 calls for a thorough risk analysis, enabling the organization to identify, assess and manage potential information security risks. This proactive approach not only helps to minimize security incidents, but also prepares the company to deal with new and emerging threats.
Improved incident management is another added value. ISO 27001 encourages the implementation of robust procedures for the management of security incidents, strengthening our resilience in the face of potential cyber-attacks and enabling rapid and effective responses in the event of an information security breach.
ISO 27001 is based on a systematic approach to information security management, which boosts operational efficiency and leads to process optimization, potentially resulting in cost reduction.
By adopting an ISMS in line with ISO 27001, we can demonstrate our compliance with regulatory requirements for information security, an approach that is particularly crucial in specific industry sectors, such as digital healthcare.
Our decision to implement ISO 27001 early on in the company’s development may come as a surprise. Indeed, quality management processes can be perceived as a constraint and a source of cost. At Ventio, the impetus from management is clear: this standard invites us to structure by design our secure products and services, by asking the right organizational questions for quality and sustainable development.
The aim is to move towards certification that will give us a competitive edge and the confidence of our customers.
What are the steps involved in deploying ISO 27001?
[Anis Benyahia]
The management system operates according to a four-step model known as PDCA for Plan, Do, Check, Act. This model is cyclical, and enables objectives (in this case, safety) to be achieved and maintained at the highest level, despite constantly evolving risks. The management system is therefore a process that revolves indefinitely.
The Plan phase:
This specifies all the foundations of the ISMS that must be put in place before it can be implemented:
- Organizational context
- ISMS perimeter
- Security policy
- Risk assessment
- Allocation of responsibilities
- Documentation management
- Resource management
- Awareness, communication and documentation
The Do phase:
This involves implementing the measures decided in the previous phase.
The Check phase:
Involves setting up mechanisms to monitor the effectiveness and compliance of the ISMS, using performance indicators, regular internal audits and management reviews.
The Act phase:
This phase is used to undertake corrective actions to resolve any discrepancies between what was planned and the results of the check phase.
Can you give us 2 examples of concrete actions taken by Ventio?
[Noémie Vang & Anis Benyahia]
Annex A of the ISO 27001 standard gives a number of measures to be taken to comply with the requirements. Without revealing any confidential information, here are two examples of how the standard can be applied:
Annex A.5.9: An inventory of information assets and other associated assets, including their owners, shall be developed and maintained.
This measure makes it possible to identify the organization’s assets and define responsibilities for appropriate protection.
Annex A.6.3: Information security awareness, education and training: the organization’s staff and relevant stakeholders must receive appropriate information security awareness, education and training, as well as regular updates of the organization’s information security policy, subject-specific policies and procedures relevant to their function.
The aim of this measure is to ensure that employees and subcontractors are aware of their responsibilities with regard to information security, and that they assume these responsibilities.
At Ventio, raising awareness of information security among all staff, whatever their function, means first and foremost following and passing the CNIL and ANSSI MOOCs. Traceability is ensured by recording certificates of completion and success. An IT charter sets out and standardizes security practices and instructions. We ensure that it is shared, understood and signed by every employee. For example, the company validates cybersecurity tools and provides training in their use. What’s more, depending on the position they hold, Ventio employees attend training courses adapted to their functions and provided by authorized external organizations.
What are the stages and points to watch when implementing an ISMS?
[Anis Benyahia]
In the process of setting up an information security management system within a company, several points of vigilance need particular attention to ensure the robustness and effectiveness of the ISMS. We will highlight 8 of them.
- First and foremost, company management must demonstrate strong support for the ISMS. This means active involvement in defining objectives, allocating the necessary resources and promoting a culture of security.
- Security policies must be clear, comprehensible and accepted by all personnel.
- The identification and in-depth analysis of assets and risks is also a major step, as it then underpins all preventive and corrective actions.
- Awareness-raising and training: Ongoing awareness-raising and training programs are needed to educate staff in good security practices and make them aware of potential threats. While it goes without saying that reminders of best practices are not subject to change, it is essential to regularly update these training courses to ensure that they respond to current staff concerns, and keep pace with changes in IT usage.
- Access management: controlling access to sensitive information according to the principle of least privilege – the practice of limiting users (and IT services, applications and other processes) to only those sets of data, applications and systems absolutely necessary to carry out legitimate business activities – is a non-negotiable requirement, as it is the only way to truly minimize the risks of unauthorized access.
- Monitoring and detection systems: The implementation of monitoring tools enables the rapid detection of suspicious activities, facilitating a rapid response to threats. This is crucial for 3 reasons:
a) A monitoring system can quickly identify suspicious or abnormal activity on a computer system, enabling potential threats to be detected before they cause significant damage.
b) Rapid detection facilitates immediate reaction to a security breach. This limits the impact of the incident and enables corrective measures to be implemented more quickly.
c) An effective monitoring and detection system is an essential layer of information security, enabling potential threats to be anticipated, identified and eliminated, thus reinforcing the overall resilience of the ISMS.
- Backup and disaster recovery: Drawing up backup and disaster recovery plans minimizes the impact of security incidents, ensuring continuity of services provided by the company.
- Continuous assessment: Adopt a continuous improvement approach by regularly assessing the effectiveness of the ISMS. This enables security strategies to be adjusted in line with technological developments and new threats.
The last word goes to Stéphane, General Manager
“Data security is an excellent example of how our company is organized. Ventio’s operations and success are underpinned by the versatility of its teams and the strong, ambitious commitment of its management to information security. This calls on us to develop a common language at the crossroads of the disciplines that Ventio tackles.
Noémie, as a lawyer and quality manager, is fully committed to the company’s R&D projects and to industrial property issues, which represent a major part of a start-up’s assets to be protected.
Anis, in addition to her technical skills and her global view of the information system, is just as well versed in the formalities of standards as she is in subjecting our organization to penetration tests.
The dynamism of a company like ours relies heavily on its workforce, and Ventio is therefore constantly on the lookout for talent ready to work as a team and innovate together in a stimulating environment.”