ISO 27001:2013

ISO 27001:2013

LEGAL DIGEST, NEWS \ 19.02.2019

According to research conducted by the International Organization for Standardization (ISO) for 2017, only 78 companies in Russia successfully gained certification of compliance with the standard ISO 27001. In the meantime, with legislation on personal data protection becoming more stringent, this puts the onus on companies to be more careful in selecting the technological solutions that ensure the safety of such data. Given that Acsour’s business relates directly to the processing of personal data, it is not enough to have IT solutions alone. It is important for the company to have a genuinely functioning system for managing information security integrated with the company’s business processes and to consistently apply information security rules when new processes and information systems are developed. All these tasks have been addressed within the framework of the certification of the information security management system under the international standard ISO 27001:2013. Moreover, the company has been able to implement corporate risk assessment and risk management, together with the subsequent monitoring of the efficiency of the measures aimed at preserving the safety of information.

Certification under standard ISO 270001 helps to:

  • determine goals in the area of information security;
  • formulate approaches to assessing and managing risks within a company;
  • build up processes within the information security management system; and
  • provide updated and accurate information to partners and other interested parties regarding the information security policy of the company.

Two years ago, after it thoroughly prepared documentation and set up its internal business processes, Acsour successfully underwent an external audit and obtained confirmation of compliance with ISO 27001:2013, becoming one of the few Russian companies on the list to have gained such certificate. In February 2019, the company again underwent the annual compliance audit, during which Acsour extended the scope of the certification to include a reserve data centre. With two certified data centres, we are able to ensure the very highest level of safety for our clients’ confidential data.

“The number of problem areas that were identified has decreased considerably, as compared with last year’s audit results,” comments Valentina Alexandrova, Head of the Audit and Strategic Projects Department. “The auditor noted that Acsour’s team has worked hard on the punch items identified during the previous audit and has embraced the recommendations which were issued based on the results of the previous visit so as to improve the company’s business processes.

“The strengths that were noted comprised the launch of the reserve data centre, the use of an automated tool for controlling employees’ access to various information systems, the signing of a Service Level Agreement (SLA) with key providers of IT services and the annual testing of all employees (including senior managers) as to their knowledge of the company’s information security policies”.

“The greatest challenge this year, in my view, was the non-scheduled certification of the reserve data centre,” said Anton Fedorov, Head of the IT Department. “Originally, we did not plan for it to be included in the scope of the audit, but ultimately we decided to speed up the process thanks to one of our clients. We had to expedite the agreement of the conditions with the certification body and modify the roadmap for the auditor so that he could examine the second data centre”.

With internal business processes being set up in accordance with ISO 27001, Acsour has been able to enhance the sustainability of its information systems, to provide a shield against actual threats to information security, to safeguard the confidentiality of information, and to expand both the company’s capabilities and the benefits for our clients.