ISO 27001 Is Not Just Another Certification

By Mike Polatsek
image August 07, 2018 image 3 MIN READ

I spoke with Omer Taran, CybeReady’s CTO, about his company’s beginning, and the bedrock of security on which it is built. He also talked about the role of automation in their security efforts, why they went after ISO 27001 certification, and why he believes it’s an essential certification for any company to have. He also took the time to provide some tips for companies who are interested in getting certified.


What’s unique about CybeReady’s approach to security?

When we started CybeReady, we knew that if we created a solid foundation, it would be much easier to scale our efforts. Security and privacy are the bedrock on which we’re built. We’ve always put a lot of effort into our security and privacy initiatives. In fact, we like to say that it’s in our DNA! That’s why we had security and privacy by design established long before the GDPR became mandatory.


Security is not just a marketing pitch or a product we sell; it’s inherent to everything we do as a company.


What role does automation play in your security efforts?

It’s at the heart of our security streamlining efforts. We are in the same position as our customers—looking to have efficient, effective security that aligns with our business goals. And just like our customers are looking to automate an increasing number of security tasks, we decided that our security management should be as automated as possible. Security at its core is about people, processes, and technology and the ability to manage the interactions among the three. We focused on automating processes so that we can concentrate on what really matters—not paperwork. We leveraged our development management platform to create a security automation process that’s triggered based on events or fixed schedules and allows us to both monitor and proactively manage our security. Throughout the process, we kept thinking of how our security would be aligned when we’re three or ten times bigger.


What made you decide to get ISO 27001 certified?

I think the trigger was GDPR. We started our preparations long ago, and we discovered that not only were many processes are already in place, but that going through certification wouldn’t be a burden given all that we’ve invested in security and privacy from day one. With this knowledge, we were able to look at the certification process as a chance to improve what we already do and also have a streamlined Information Security Management System. So unlike the somewhat common practices followed by companies seeking certification, such as the use and modification of standard templates, we wrote complete processes that allowed us to optimize our security in addition to obtaining certification.


What is your major takeaway from the certification process?

I’m not sure we ever thought of it this way, but from the beginning, we injected privacy and security design into our product. We see both ISO 27001 certification and GDPR as product features, as they allow our customers to better comply with their local and global regulations and laws referring to the increasingly crucial issue of supply chain security. By looking at the certification process as a natural extension of our product, we were able to strengthen our security practices and align them with our business needs.


Why do you believe that getting certified is vital for other companies?

We’re noticing a growing demand from our existing customers to feel confident that they are working with a trustworthy partner. And potential customers will ask for the same level of commitment to the highest security and privacy standards. Therefore, we believe ISO 27001 certification is an essential business enabler for any B2B security vendor.


Any tips for those who want to certify?

It’s not always about spending a ton of money or deploying feature-laden applications. There’s a way to balance value and capabilities effectively. And there are solutions out there that allow companies to achieve a high level of security, especially if they are cloud-based.


For example, one of the advantages of running in a public cloud such as AWS is the ability to deploy cutting-edge security technologies such as AWS GuardDuty, a threat detection service that continuously monitors and protects our AWS accounts from being compromised. Even better, it does so at an affordable cost, as GuardDuty offers a quick deployment without expensive dependencies on additional security software. It’s a more attainable solution that allows us to honor our commitment to our customers to maintain the highest security and privacy standards.