ISO 27001, Information Security & Dogfooding*

by Rowland Gault

Pisys are a 30-odd-year-old Scottish software company. We don’t just develop software – we also develop hardware for our trainiing simulators. We have recently had our ISO 27001 certification renewed for another three years. To us, it’s a matter of pride.

I’m Rowland, a software developer at Pisys.

I also work on our ISO audits with my colleague and software tester Kiki.

What is ISO 27001?

ISO 27001 is an international standard defining the requirements for an Information Security Management System (ISMS).

It covers everything from building security, and disaster recovery, to how we handle customer data, as well as our development process.It’s about identifying information security risks, evaluating them, and managing or mitigating them.

Why?

Our ISO 27001 certification clearly states our commitment to information security. This commitment gives customers confidence in our systems. It keeps information security at the forefront of our software development and company management. It helps differentiate us in the marketplace and has contributed to the development of new business opportunities outside of oil & gas.

You don’t have to take our word that information security is at the core of our business – our certification demonstrates it. It also helped us along the way to becoming GDPR compliant.

How?

  • By building information security into everything we do and having the procedures to prove it.
  • By having regular reviews, security tests and audits of our system.
  • By having a ‘Security Moment’ scheduled in our monthly Developers’ Meeting (which, incidentally, also includes our Sys Admin, HR and Commercial functions, too).
  • By keeping our risk register up to date and reminding each other of the importance of small things that add up to either more security or greater risk.

We are big fans of dogfooding* – we use our most popular product, the Pisys Action Tracking Management System (ATMS) to track information security risks.

Is it worth it?

Yes.It’s four years since we decided to formalise our ISMS and get it certified. We audit sections of our ISMS every month, and it’s externally audited annually.It isn’t arduous at all.In concluding our recertification audit, the auditor noted that our ISO 27001 certification “is more than just ticking boxes, it’s a matter of pride for your team” and they were absolutely right.

*Dogfooding – tech. slang for companies using their own products.

Latest Permit to Work user - the Easter Bunny
Not a Natural