July 19, 2021
, in development
CMS Security - we got certified!
Meeting the stringent standards of ISO/IEC 27001 security certification was no walk in the park. Julien Febvre, ISMS manager at Eidosmedia, describes the highs and lows of the experience.
When we started the certification process back in 2020 we were no strangers to the concept of platform security.
When your software powers news operations, it has to deliver 24/7 and even a few hours lost to data breaches or hacker activity is unacceptable.
Our CMS for banks and financial services is also used by investment banks to publish their research and the IT security requirements in the banking sector are very stringent.
We were in fairly good shape
So the good news was that a lot of our procedures and practices were in fairly good shape to start with - in fact the auditors were impressed by the measures we already had in place. We also made a good choice of consultancy to support us in preparing for the certification. They had some great people who gave us the necessary support and the auditors were also great to work with.
A moving target
What we hadn’t expected was the sheer quantity of procedures and documentation we had to produce - and the finish line just seemed to get further away, the nearer we got to completion. It really was a moving target. My official job title even had to be formally changed to qualify for the final certification.
Nevertheless, we did finally get to the end and we were certified by the British Standards Institute on April 13th. It was immensely satisfying to know that we’d achieved a standard that is normally the reserve of companies many times larger than ours.
A timely move
It was a timely move because the recent well-publicized hacking exploits in Europe and the US have made security concerns a hot topic for many of our customers. Together with the in-built security of our unified-platform architecture, our new policies and procedures will be an extra assurance for our users and may even reduce their own certification and insurance needs.
Eyes on the ball
But getting the certification is in no way the end-point of the process. As I emphasized to our team, we’ve worked hard in the gym and we now have a beach physique. But staying in shape will require constant exercise. We have a full program of training and internal auditing before our next external assessment which will be in early 2022.
So, to all those teams across the company who worked so hard to make the certification possible, I’d like to say a big Thank you.
But don’t take your eyes off the ball!
Further reading:
