Is your testing partner ISO 27001 compliant?
By Jacques Fouche, MD of DVT Western Cape and Executive Head of DVT's Global Testing Solutions.
With the advent of new and far more stringent compliance rules and regulations surrounding data privacy and security coming into effect towards the end of last year, DVT is delighted to announce it has completed - and attained - ISO 27001 accreditation.
The International Organization for Standardization (ISO) 27001:2013 standard specifically sets out the requirements for an information security management system (ISMS). This means that a company such as ours has its ISMS independently assessed and audited by an accredited certification body to confirm that the management system meets the requirements of the standard.
Companies need to review their ISMS regularly and conduct the assessments prescribed by the standard to ensure it continues to protect the company's critical information. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether you have implemented adequate measures to protect your data.
This all sounds great on paper, but what does it practically mean for our clients, and other companies that are looking to engage DVT for software testing purposes?
In our line of business, we are exposed to massive volumes of data from a broad range of industries, including very sensitive information from insurance, financial and medical companies. While we have always taken the utmost care and used best-practice processes to protect the integrity of this data, attaining ISO 27001 certification gives all of our current and potential clients even more peace of mind that their data is completely protected whenever it passes through our information systems or, as is often the case, when we are granted access to their systems.
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and was designed to modernise the laws that protect the personal information of individuals. It also strengthens the rights of individuals and gives them more control over their information. Under GDPR, personal data is critical information that all organisations need to protect. Implementing ISO 27001 identifies personal data as an information security asset, and since most of the EU GDPR requirements are covered by the certification, it is applicable not only locally but to all our clients in the UK and EU as well.
Much like the journey we voluntarily and successfully undertook to attain BEE compliance in South Africa, the actual journey to attaining certification - and the ongoing exposure of our staff to the rigorous processes this entailed - has given us incredible opportunities to provide even better service to staff and customers alike.
The requirement to achieve compliance with ISO 27001 of course does not stop there. Being a broad standard, it covers many other elements, including the importance of staff awareness, training and leadership support.
For instance, attaining compliance is one thing, but maintaining it is another matter altogether. Staff now exposed to the mechanisms of maintaining ISO 27001 compliance will have another string to their bow, and another impressive line on their résumés if and when they take the next step up in their career path.
Maintaining certification means you can never rest on your laurels or let your guard down, and these are vital skills that can only be taught through experience.
Considering the tremendous benefits, strict enforcement, and ongoing staff development and up-skilling that results from attaining ISO 27001 certification, are you still willing to do business with companies that aren't committed to the process, and more specifically, have you ensured your testing partner is now ISO 27001 compliant?
* Jacques Fouche is Managing Director of DVT Western Cape and Executive Head of DVT's Global Testing Solutions, based in Cape Town.