Wednesday, July 30, 2014

Why does Egress’ ISO/IEC 27001:2013 certification matter?

Richard Green
Senior Project Manager
Egress Software Technologies Ltd.
ISO27001 certification provides organisations with a way to demonstrate the strength of their security practices to customers, prospects and partners – however, although a company may already be working to the correct standards, actually undertaking formal certification requires a considerable commitment of man hours across the business. Consequently, organisations need to get the timing right when submitting for formal certification: undertake this too lightly and you may very well end up having to repeat the process further down the line.
At Egress, we continually seek to benchmark our technologies and processes against the highest levels of certification and accreditation. With the publication of the updated ISO standard in September 2013, we decided the time was right to formally certify ourselves against a standard we had informally been working to for some time.
This meant we needed to prove that we manage key business risks effectively, and ensure that our existing policies and procedures were moved into a robust, international standard called an information security management system (ISMS). Our first step was to define the scope of our ISMS, before fleshing out our Security Policy and undertaking an extensive risk assessment across all key Egress business areas, culminating in a score that represented our current risk level.

What does ISO/IEC 2700:2013 involve?

Stepping up from the old 2005 standard, and among other improvements, the 2013 one puts more emphasis on measuring and evaluating how well your ISMS is performing. As we were documenting our ISMS afresh, we tackled this from the ground up to create a tailor-made management system.
By December 2013, we’d planned our ISMS design, assessed our information security risks and had started to align appropriate controls against them. Moving into 2014, we started to formally implement and operate these as company policies and processes, together with the system controls they applied to, such as Access Control, Incident Management, Business Continuity, Physical Security, HR and Technical Procedures – everything you would imagine you’d need to support an effective and efficient management system.
Throughout the process, these controls were reviewed and constantly evaluated to ensure they were fit for purpose. In reality, and despite us fully discussing our requirements and agreeing pragmatic resolutions to our business challenges, a few processes needed some fine tuning to make them work as well as we had originally anticipated. Most problem areas were identified internally, however BSI (our external auditors) highlighted a dwindling action list as we progressed through our pre-certification visit, Stage 1 and Stage 2 Audits.

What does this mean for Egress?

Although we had been working to the ISO standard for some time, since our formal ISO 27001 certification in June, we’ve already noticed how this creates a market differentiation due to prestige, image and external goodwill. Being ISO certified has also allowed us to meet contractual requirements more easily, as well as being a positive selling point for additional business. Internally, it’s given us an assurance of a set standard of information security throughout Egress, demonstrating to staff that we have total buy-in for this from the Egress Management Team.
ISO 27001 is also the foundation block for other accreditations and is now providing key evidence in our Pan Government Accreditation (PGA \ G-Cloud).
Even though we’re now formally certified, Egress will still have an external ‘continual assessment visit’ every year and will be audited for recertification every third year. By allowing independent reviews, Egress will provide ongoing assurance of our information security practices to both customers and partners.

In conclusion

ISO 27001 provides a holistic, risk-based approach to information security and compliance, providing confidence for clients, partners and internal staff. By undertaking formal certification of this new standard, Egress has successfully demonstrated its commitment to not only providing market-leading technology, but doing so by working efficiently and securely to ensure the service we provide to customers and partners is of the same equally high standard. Our ISMS is now fulfilling its role very effectively, such that it’s now part of Egress’ everyday business, helping us to identify and manage risks to key Egress information and systems assets in a cycle of continual improvement, raising the security awareness of all staff, together with monthly ISMS management meetings feeding into our existing management sessions.
This is the best way ISO 27001 can demonstrate its value to any business!

Monday, July 14, 2014

New ‘snooping law’ is another reminder to keep our data secure

Daniel Hoy
UK Marketing Manager
Egress Software Technologies Ltd.
Last week’s passing of an emergency law to ensure that the UK police and security services can continue to access email and phone data relating to British citizens for up to 12 months is yet another reminder of the need to secure our most sensitive information ( and

This move represents an attempt by the UK Government to protect existing powers after the European Court of Justice ruled in April that existing legislation was unlawful and breached human rights. Prime Minister David Cameron defended the decision, stating the law was intended to protect citizens and the state from terrorist attack.

Whether you agree with granting governments access to personal data stored by service providers in the name of national security or not, this story serves as another reminder that sensitive information handled or stored by external third parties needs to be secured appropriately.

After all, if governments can access / intercept data and emails, then so can other less credible entities and organisations!

This is a topic we have covered regularly on the Egress blog and in our news pages:

At Egress, we see this type of news coverage as a real positive for the data security industry.

Regardless of the politics or the perceived terrorist threat, it demonstrates yet again that organisations and individuals need to question the underlying security of their data and apply greater due diligence when procuring a new system via a third party service provider – a point supported by some recent market research.