Silvr is now officially the first European neolender to become ISO/IEC 27001 certified! We’ve spent the past 6 months together with our compliance service provider Vanta and the UK Government-backed ISO certification body British Assessment Bureau on securing our information infrastructure. Curious about how and why we’ve done it? Read on to find out.
What is ISO/IEC 27001 certification?
The certification is one of almost 25.000 International Standards granted by - you’ve guessed it, the International Organisation for Standardisation. The ISO/IEC 27001 in particular is designed to prove that an Information Security Management System (ISMS) has been put in place to preserve the confidentiality, integrity and availability of information by applying a verified risk management process. Simply put - this is the highest global standard existing today that a company can apply to make sure it’s handling data in the safest possible way.
Why is ISO/IEC 27001 so hard to obtain?
The process requires certifying the protection of data under all its forms. What does this mean?
- Information in all its forms, digital and analogue, is protected;
- Resistance to cyber attacks is strengthened;
- Centralization of information is guaranteed;
- Enterprise-wide protection (both digitally and physically) is ensured;
- Threat is managed;
- Data integrity, privacy and availability are protected.
Sounds like a lot of work? Well, that’s because it is! By the end of the certification acquisition process, no stone is left unturned - the whole company has been checked for security.
What does the certification process involve?
There are a few commitments that any organisation wanting to secure ISO/IEC 27001 must make, such as:
- Leadership: it is essential that a senior manager in the organisation accepts collective responsibility for the ISMS. In our case, that’s our CTO Greg Tappero.
- Processes and budgets: it shows that security is not something exclusively dedicated to the IT department. The whole company with every single department gets involved.
- Initial assessment: a thorough investigation needs to be done to assess the current level of data protection.
- Action plan: after the assessment, the company defines the plan to achieve a sufficient level of information protection in the long term.
- Operations management: ensure proper and effective management of ISMS-related activities. For us, this meant writing 15 additional policies that the whole company vowed to follow, representing more than 110 control points.
At the end of this process, you can rest assured that the best practices have been put in place to secure digital service internally (for employees) and externally (for partners and customers).
“After completing the Stage 1 report, it took us about 4 months of intense collaborative work,” shared Thomas Pelletier, VP of Engineering. “Stage 2 then certified that we do what we say we do. The British Assessment Bureau validated that we defined a control mechanism for each of the requirements of the ISO/IEC 27001 standard, and sampled evidence that we implemented those controls.”
Why is ISO/IEC 27001 important for Silvr?
As the digital economy expands, cybersecurity becomes a major issue – especially in the context of online business operations (teleworking, open banking, multiplication of connected devices etc.). The World Economic Forum has reported that the number of cyber attacks in 2020 has increased by 22% compared to the previous year. Furthermore, even 35% of the attacks during the pandemic were made using previously unknown malware and methods (reported by Deloitte).
The importance of protecting information systems and networks is therefore crucial. Even more so in the post-Covid era - especially for transactions, operations and data exchange.
Why we got ISO-certified at Silvr
Every digital business needs to protect their information systems. ISO/IEC 27001 certification was the best way to ensure we have everything in place to continuously improve - which for us, as a Fintech startup, is critical. In preparation for expansion into Germany, we needed to ensure we protect our customers’ and our own data to the highest possible standard - so we started the ISO/IEC 27001 preparation process almost a year ago.
What does it mean for our customers and partners?
As a Fintech partnering with other companies, we needed to ensure we have a safe way to scale across markets. We're asking people to access their most sensitive business data - such as bank statements, purchase history, digital advertising spend - so we must be certain that this data is always treated with confidentiality.
“Accessing companies’ private financial records is very delicate, so we put information security front and center in all the processes and systems we build - says Greg Tappero, CTO. - We’re proud to be the 1st European neolender to secure our information infrastructure with ISO/IEC 27001 certification. This shows all our capital and platform partners how seriously we take data security and protection. We know its importance in Germany, and we wouldn’t consider entering this market without obtaining it.”
Thinking of getting ISO-certified too?
Here are some tips!
Having gone through the strenuous ISO/IEC 27001 journey ourselves, there’s some advice that we can share with any other digital company that is ready to undertake it. Below are a few handful tips from Thomas on what to consider when establishing a control framework (as a real Engineer, he’s keeping it brief!):
- The earlier you start the better: the bigger the company the more difficult it is.
- Ensure commitment from all executives: this is a company-wide effort.
- Buy a license for a compliance platform: we are very pleased with Vanta’s support here.
- Read through the standard: again and again multiple times, until you truly understand it.
- Be practical: 27001 is for companies of all sizes, the best processes are the ones that follow the standard and the flow of your company.
Visit our trust page to access our ISO/IEC 27001 certificate and real-time control updates. And if you have any other questions on this topic - reach out to help@silvr.co
