Inova's ISO 27001 Marathon
When I’m not at work or relaxing with my family, there’s a pretty good chance you’ll find me running in the “Parc de la Tête d’Or” in Lyon.
There’s a certain simplicity to running. It’s one foot in front of the other, mile after mile, and you need little more than a pair of shoes on your feet to get going. Whether you run short or long, fast or slow, alone or with a group of friends or colleagues as we so often do at Inova, the simplicity is what makes this sport attractive.
Like a lot of runners, I like to set myself goals. Sometimes I’ll aim small and set out to run my regular loop just a few seconds faster than normal. Once in a while I’ll aim big and lock my sights on a long-distance run (10 or 20km), something that demands commitment to training, form, and even diet over the course of months, or even longer.
It takes time to train for a marathon but, when you cross the line, the feeling is incredible as that singular thought runs through your mind: I did it, I achieved my goal.
Running is an individual sport but swap out that individual achievement for some teamwork and those few months of training for a year-and-a-half long slog towards certification, and that same feeling of accomplishment is there today at Inova.
After 18 months we have crossed the ISO 27001 finish line: we did it, we achieved our goal.
The ISO27001 certification is no trivial undertaking for a small SaaS company (<100 people). Many companies instead decide to hide behind their hosting provider’s certifications (27001, PCI-DSS, HDS, etc). And yet, the security of data stored in the cloud relies not only on the hosting service but, increasingly, on flaws in the application itself. Security is our top priority, and so we decided to seek the ISO27001 certification with a perimeter that stretches from the design of our applications to their maintenance.
What is ISO27001
The ISO27001 is a lot more than a certificate we can hang on the wall (although it is a nice way to decorate the office). It’s a systematic approach to managing sensitive company information, helping ensure that it stays secure. ISO27001 uses a risk management process and includes people, processes and IT systems. Becoming ISO27001 certified requires a shift in company culture as people adopt new habits and adjust to new procedures. Much like when you start training for a new race, new habits and training regimes are hard at first, but soon become second nature.
While the ISO27001 certification is a significant investment in the short term (I’ll dive into some numbers in a moment), it comes with long-term benefits: fewer security audits from clients, faster security audits with prospects, an increase in our reputation and trust in our services, and lastly, if something does happen, we are ready. We have clearly defined procedures to help us protect ourselves, identify a breach fast and manage it correctly.
But, in this case it’s not only the destination that matters, but also the journey. While the ISO27001 certificate has significant advantages for Inova, the process itself also brought big benefits for Team Inova.
What it means for Team Inova
The ISO27001 project was more than just an Information Security Management System (ISMS), it also pushed Inova to rethink some of its processes using simple, transparent, formalized rules. It created a “security culture” at Inova, which benefits everyone:
- Our Sales and CSM teams are more fluent in the language of security and more comfortable discussing security concerns with our clients.
- Our developers, DevOps and Product Management teams have learned (and continue learning) new security skills such as DevSecOps and secure SDLC.
- Inova’s team members are more aware of security risks and how to protect themselves in both their professional and private lives.
What it takes to cross the finish line
Now that we’ve crossed the finish line, here are a few metrics that I hope will inspire you to launch your own ISO27001 project:
- Our efforts were based on Risk Management (EBIOS RM method), which enabled us to prioritize and invest in the actions that have the biggest impact on the security of our services for our clients.
- The project required 1 person working full-time and a budget envelope of 50-100k€ for acquiring the necessary tools and completing external audits. We were able to optimize certain processes by using some tools already in place (ticketing system, document sharing).
- At the beginning of the project, Inova didn’t have a formalized Management System (MS) in the ISO sense of the term. We had to tackle that challenge first by implementing the basics of document management (policies, procedures, records). But the good news is that this formal MS could help us to one day be certified ISO27701 (Privacy) and ISO14001 (Environment).
Preparing for the Next Challenge
Putting in place the ISMS is the culmination of a project that would have never succeeded without the support and commitment of the entire Inova Team. Inova’s leadership team also provided an enormous amount of support. I’m grateful for the confidence given to me by Gilles Toulemonde, Inova’s CEO. I would also like to thank our pharma and biotech clients who challenged us and trusted us with protecting their partnering and alliance management data.
The ISO27001 is just the first step in our security journey. Like when you finish a race, you’re rightfully proud but immediately thinking about what comes next. The certification is a significant achievement, but my mind is already focused on maintaining our security performance level and preparing for the next challenge.