According to the annual study of the International Organization for Standardization (ISO) for 2018, the number of Russian companies that have demonstrated the compliance of their management systems with the ISO 27001:2013 standard has decreased from 78 to 70. Acsour once again features in this list and confirmed the high level of its information security by successfully completing an external audit in December 2019.
The annual surveillance audit is intended to confirm an organization’s ability to ensure proper information security and to demonstrate its continuous work on improving its information security management system (ISMS). During the audit, our team demonstrated the results of work on our ISMS over the past year, namely:
– We have implemented two-factor authentication to enhance the security of user accounts.
– We have developed an internal product designed for the administration of client databases. As a result, some of the administrative functions within divisions have been transferred to managers, which has had a positive impact on the internal processes of the departments in question.
– We have implemented a DLP (data leak prevention) system that protects against leaks of confidential information, and have also implemented IDP-class systems, i.e. real-time systems that identify and take action against suspicious network activity of various types.
– We have put into operation a system for detecting vulnerabilities and connecting other tools, allowing anomalies and tampering attempts to be detected more quickly.
In addition to the above, we have done a significant amount of work to ensure uninterrupted business operations. To this end, the company’s main services were replicated in duplicate data centres. The results of the audit showed that, in general, the level of maturity of our system has become comparable with the systems of the largest outsourcing companies.
ISO/IEC 27001 contains requirements for an information security management system according to international standards. For organizations that process personal data and fall within the scope of the European General Data Protection Regulation (GDPR), failure to comply with these requirements may entail huge fines and a loss of reputation. At the same time, for Russian clients, the presence of a certificate indicates that a company has made significant efforts to ensure information security. Of course, the certificate itself does not guarantee absolute protection, but successful certification is a serious competitive advantage.